Obviously the preferred solution is to cease collecting and purge stored metadata to remove temptation and capability for abuses.
What does anybody think of a fall-back position requiring each and every access to the above data store be logged and published in real time, with no recourse to deferred publication. May as well play the "pain and shame cuts both ways" card?
A small addendum: we're now up to six breach cases per The Guardian. Cue evil laugh yet?