Information Commissioner gets tough on data security
By Iain Thomson on Nov 19, 2007 12:09PM
Thomas told the Lords Constitution Committee that those who knowingly or recklessly flout data protection rules should be prosecuted and fined up to £5,000.
"If a doctor or hospital [employee] leaves a laptop containing patient records in his car and it is stolen, it is hard to see that as anything but gross negligence," Thomas told the Lords.
"The Commission can currently issue enforcement notices, but these do not impose any element of punishment for wrongdoing."
Thomas suggested that one-off cases should not be prosecuted, but that systematic abuse needs greater censure.
He also proposed that companies should be inspected without warning for data security, rather than under the current system, which relies on consent.
Jamie Cowper, director of European marketing at PGP Corporation, said: "Given the recent spate of data breaches at NHS trusts, perhaps Thomas's approach is the only way to get the medical establishment to take this problem seriously.
"However, by placing the emphasis on protecting the device (specifically laptops) rather than the confidential data itself, he could be accused of treating the symptoms rather than providing a cure.
"It is not fair to expect doctors to be data security experts. The NHS should respond to the proposed legislation with a programme of data security education and a systematic roll-out of data protection technology such as encryption."
Increasing use of mobile devices by government and industry is creating a major problem with data leakage. A recent survey of local councils found that barely half use data encryption, even though over a third had lost a laptop.