The City of York breached the Data Protection Act by accidentally disclosing personal data to a third party following a printer document mix-up, the Information Commissioner's Office has found.
The breach was first reported to the ICO by the council on 10 February, after information containing "sensitive" personal data was incorrectly sent out with other documentation to an unrelated third party.
The information was only included after being mistakenly collected from a shared printer, before being copied and posted by an employee who failed to check whether the papers were relevant to their case.
While the ICO found that the council had "robust" policies and procedures in place covering the handling of personal data, the case highlighted "a lack of quality control, personal ownership and management supervision within the council", said the ICO.
Sally-Anne Poole, ICO acting head of enforcement, said: "This case highlights the need for employees to take responsibility and ownership of tasks that involve handling personal data. If the documents had not been left unattended by the printer and had been carefully checked before they were sent out then this situation could easily have been avoided."
She added: "City of York Council has introduced new security measures governing the use of its printers, and staff will now be required to carry out appropriate quality control checks to avoid information being incorrectly disclosed in this manner."
The council said new procedures will prevent documentation containing any form of personal data from being printed where there is no business need to do so.
The council will bring in control checks on all the information it handles prior to distribution, as well as extending it clear desk policy to include printer trays, post trays and other pending work trays. The council has agreed with the ICO that all measures will be in place within the next four months.