The Information Commissioner's Office (ICO) has reported that City of York Council has breached the Data Protection Act by accidentally disclosing personal data to a third party.
The incident occurred when personal data was incorrectly sent out with other documentation to an unrelated third party. The information was only included after being mistakenly collected from a shared printer, before being copied and posted by an employee who failed to check whether the papers were relevant to their case.
The ICO found that the council had robust policies and procedures in place covering the handling of personal data, but declared that this highlighted a lack of quality control, personal ownership and management supervision within the council and amongst its staff.
Kersten England, chief executive of the City of York Council, has signed an undertaking to ensure that new procedures are put in place to prevent documentation containing any form of personal data from being printed where there is no business need to do so.
The council will also bring in new quality control checks on all the information they handle prior to distribution, as well as extending their clear desk policy to include printer trays, post trays and other pending work trays. The council has agreed that all of the measures outlined in the undertaking will be in place within the next four months.
Sally-Anne Poole, acting head of enforcement at the ICO, said: “This case highlights the need for employees to take responsibility and ownership of tasks that involve handling personal data. If the documents had not been left unattended by the printer and had been carefully checked before they were sent out then this situation could easily have been avoided.
“We are pleased that the City of York Council has introduced new security measures governing the use of its printers and that staff will now be required to carry out appropriate quality control checks to avoid information being incorrectly disclosed in this manner.”