The Information Commissioner's Office has published a code of practice for the collection of personal data online.
It follows a succession of high profile data losses by public sector and Government departments.
The Information Commissioner, Christopher Graham, said action would be taken against those breaching the Data Protection Act.
But privacy campaigner Simon Davies said firms were not taking the rules seriously enough.
In June 2010, the Information Commissioner's Office (ICO) said it remained "highly concerned" about the level of data loss in the NHS, which accounted for a quarter of all cases of Data Protection Act breaches reported to the body.
"Everyone makes mistakes, but regrettably there are far too many within the NHS," said Mick Gorrill, head of enforcement at the ICO.
"Health bodies must implement the appropriate procedures when storing and transferring patients' sensitive personal information," he added.
An e-book, published by the ICO, outlines advice for businesses, departments, and charities who collect information that can identify an individual.
The guide also says that using the word "mandatory" on an online form can be a breach of the Data Protection Act if the information requested is, in reality, non-essential.
"Organisations must be transparent, so that consumers can make online privacy choices and see how their information will be used," said Mr Graham.
"Get privacy right and you retain the trust and confidence of your customers and users; mislead consumers or collect information you don't need and you are likely to diminish customer trust and face enforcement action from the ICO."
Mr Davies, who heads up the human rights watchdog group Privacy International, said that the principles offered by the guide were "sound and logical", but that firms needed to act on them.
"These guidelines must be adopted across all continents before they will start to create meaningful protections," he told BBC News.
Mr Davies also criticised the ICO for not taking tough action against big multinational companies when they breach privacy laws.
"The office has failed to understand the implications of the internet and has traditionally let the big companies off the hook," he said.
"The guide has some gems of common sense, but I'd condense it into ten words of advice to the Commissioner: 'Show some guts and stand up to the big boys.'"