The Information Commissioner’s Office (ICO) has told businesses that their employees need “to take responsibility and ownership of tasks that involve handling personal data,” and that employers should also take responsibility for their employee’s awareness of the risks associated with handling personal data. The statement comes after an accidental disclosure at York City Council.


York Council breached the Data Protection Act by accidentally disclosing personal data to an unrelated third party when the data was mistakenly picked up from a shared printer and sent out without the employee checking that they had the correct papers.

The ICO found that the Council had robust policies and procedures in place covering the handling of personal data. The incident was instead a case of a lack of quality control, personal ownership and management supervision within the council and amongst their staff.  

The ICO said “if the documents had not been left unattended by the printer and had been carefully checked before they were sent out then this situation could easily have been avoided.”  


The Council has now signed undertakings to ensure that new procedures are put in place to prevent documentation containing any form of personal data from being printed where there is no business need to do so. The Council will also be bringing in new quality control checks on all the information it handles prior to distribution, as well as extending its clear desk policy to include printer trays, post trays and other pending work trays. The Council has also undertaken to ensure that personal data is processed in accordance with the Seventh Data Protection Principle. The Council has undertaken to implement “other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.”  


The undertakings given by York Council in this instance serve as examples of the types of internal processes the ICO expects employers to put in place to ensure the maintenance of standards of data security. By implementing such processes, businesses are more likely to avert a serious breach of the Seventh Data Protection Principle and avoid any consequential penalty from the ICO.