Just quickly, in terms of what public bodies should be doing, I'm not a data security expert. You have security people who will tell you the areas you need to improve. The main thing that I would say is data minimization.
You can do what you can to try to make yourself as secure as possible, but the most important thing is that you can also make sure you manage your information, such that if and when there is a breach, you don't open up all this information that you should have deleted years ago.