Case Studies Data Breach Notification

 

Inappropriate disposal of materials by an educational institution

A health science focused university notified the DPC of a breach arising from inappropriate disposal of materials containing personal data. An employee worked from home on a recruitment project. The employee worked on printed copies of a number of job applications and accompanying CVs. The organisation had instructed employees working from home to minimise printing and to destroy documents before disposal. However, the employee placed the recruitment documents intact into a domestic recycling bin. High winds caused contents of the bin, including the recruitment documents, to be dispersed.

In concluding its examination of the breach, the DPC made a number of recommendations. These focused not just on the work practices of employees, but most importantly on the technical and organisational measures of the controller. While it is important for staff to understand and implement good data protection practices, it is the responsibility of the controller to ensure that they do so and have the means — including, where appropriate, devices such as shredders — of delivering the required standard of protection.


Key Takeaway

  • This case illustrates how working from home can change people’s work environment or habits in ways that can pose risks to personal data. Office facilities such as confidential shredding, secure printing or even private rooms for discussions are not always available or feasible at home. As the number of people working remotely increases, controllers must review and adapt their resources, policies and procedures to ensure that they are adequate for the risks posed and the environment in which they occur.