Originally Posted by navylad
In the UK, serious breaches should be reported to the ICO. Individuals may also report the breach to the ICO. The ICO has the power to investigate and then act accordingly.
'The ICO's options are:
serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period;
issue undertakings committing an organisation to a particular course of action in order to improve its compliance;
serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
conduct consensual assessments (audits) to check organisations are complying;
serve assessment notices to conduct compulsory audits to assess whether organisations' processing of personal data follows good practice;
issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010;
prosecute those who commit criminal offences under the Act; and
report to Parliament on issues of concern.'
Incidentally, the DPA doesn't possess the ability to think; it provides a legal framework for the ICO to act accordingly, and it is for the ICO to think about a) whether this is a serious breach and b) what the most appropriate form of action is. I suspect that if a) were satisfied, b) would be to require BA to improve its practices, for example by asking them to remove unnecessary information from emails (why do I need to be told my own billing address in an email, for example?).
My understanding, though, is that the ICO expects individuals to address their concerns to the data controller of the entity concerned in the first place and that the ICO only intervenes if the handling of the issue by the entity is unsatisfactory.