Your Biggest Data Breach Risk Isn’t a Hacker, It’s a Paper Run Sheet

Published on June 12, 2026

Written by Road XS

  • Reading Time: 5 minutes

Around 75% of data breaches reported to the ICO involve human error, not cyberattacks, with lost paperwork consistently among the most common. For community transport schemes using printed run sheets, this is a pressing risk. Those sheets carry special category data under UK GDPR, and when something goes missing, the charity is legally liable, not the volunteer.

In This Article

Around 75% of the data breaches reported to the ICO come down to human error, not cyberattacks, and lost paperwork is one of the categories that appears every quarter. For community transport schemes running on printed run sheets, that is a live risk, not a distant one. Those sheets carry special category data under UK GDPR, and when one goes missing the charity is liable, not the volunteer.

Key Takeaways

  • Britain's most common data breaches are not hacks. Around 75% of the incidents reported to the ICO come down to human error, and lost or mislaid paperwork is one of the categories that appears every quarter.
  • Your run sheets carry special category data: health conditions, addresses, mobility notes. Under UK GDPR, that is the most protected information there is.
  • When a sheet goes missing, the charity is liable, not the volunteer. The ICO asks what controls the organisation had in place, and where the loss risks people's rights and freedoms, the breach must be reported within 72 hours.
  • The fix is not banning paper overnight. It is moving to a system that shows its working, who saw what and when, and easing volunteers in at their own pace.

When charity trustees picture a data breach, they picture hackers. Hooded figures, ransomware, headlines about stolen databases. It feels like a problem for banks and big technology firms, not for a community transport scheme running a dozen volunteer drivers from a church hall office.

The ICO's own incident data tells a different story.

Around three quarters of the data security incidents reported to the Information Commissioner's Office are not cyber attacks at all. They are non-cyber incidents: everyday human error. And within that category, one type appears year after year, among the most commonly reported breaches in the country. Loss or theft of paperwork, or data left somewhere insecure.

Not malware. Not phishing. Paper.

The ICO notes that its own split between cyber and non-cyber incidents is currently under review, so the exact proportions move around from quarter to quarter. The pattern underneath does not. Most breaches are human, not technical, and a great many of them are made of paper.

Look at how your scheme runs

If your community transport service still works from printed run sheets, walk through a normal morning.

A coordinator prints a run sheet for each driver, and on it will likely be:

  • passenger names,
  • home addresses,
  • pickup times,
  • destinations.

Often more information too, such as:

  • "uses a walker,"
  • "has dementia, do not leave unattended,"
  • an emergency contact,
  • a note about medication.

The driver collects the sheet, puts it on the passenger seat or the dashboard, and sets off for the journey.

Recommended:
Streamlined Transport Software Support

At the end of the day, that sheet goes... somewhere.

Back to the office, sometimes. Into a glovebox, often. Onto a kitchen table, into a drawer, into the household recycling. Occasionally it gets photographed "to have it on the phone," and it might even join a WhatsApp group or an email chain.

Every step of that routine creates the exact conditions for the kind of incident the ICO records again and again.

A paper based run sheet process does not just risk one of the country's most common breaches. It manufactures the conditions for it, every single morning, and then relies on luck.

This data is not ordinary data

It matters what is on those sheets. A journey to a dialysis unit, a memory clinic or a mental health service reveals health information. Mobility notes describe disability. Under UK GDPR these are special category data, the most protected class there is.

Processing them lawfully needs two layers: an Article 6 lawful basis and a separate Article 9 condition. Most schemes have never documented either for a sheet that spends its afternoon in a glovebox.

A lost sheet is a safeguarding risk, not just a data one

There is a safeguarding dimension that rarely makes it onto the risk register. Repeated journey records show when a vulnerable person leaves their home, where they go, and when they come back.

A single lost sheet showing a weekly hospital run is not just personal data. It is a map of someone's absence from their own house. For a passenger fleeing domestic abuse, or living alone with dementia, that map is the danger, long before the ICO is ever involved. This is the part of the risk that a data protection conversation framed purely around fines tends to miss.

"But our volunteers are trustworthy"

Nobody is questioning the volunteers. People who have driven passengers to hospital appointments for twenty years are the best of their communities, and most schemes use paper precisely because some volunteers, particularly older ones, are more comfortable with it than with smartphones.

Here is the uncomfortable reframe. A process built around what the workforce finds comfortable is a data protection policy built around the workforce, not around the passengers whose sensitive information is being handled.

And when something goes wrong, the volunteer does not carry the legal responsibility. The charity does, as data controller. The ICO's question will not be which driver lost the sheet. It will be what controls the organisation had in place to prevent it. "We have always done it this way" is a description of the problem, not a defence.

Recommended:
The Cost of Congestion: The Impact of Transport Problems

There is a clock running too. Where a breach is likely to put the people affected at risk, it must be reported to the ICO within 72 hours of the organisation becoming aware of it. With paper, many schemes could not even establish what was lost inside 72 hours, let alone report it.

The fix is not banning paper overnight

The good news is that the ICO's approach with smaller charities leans towards advice rather than punishment, and most reported breaches result in no further action. What protects an organisation is being able to show its working: what data existed, who could see it, and what happened to it.

That is exactly what paper cannot do, and exactly what a system built for the job does automatically. The Road XS driver portal gives volunteers only the journey information they need, expires it when the journey is done, logs every access, keeps messaging inside the platform instead of WhatsApp, and removes a leaver's access centrally in one click. Nothing printed, nothing to lose, photograph or shred.

Because the obstacle is volunteer confidence, not volunteer willingness, the change works best gradually. Tighten the paper process now (print less, return and shred, no WhatsApp), pilot with your most willing drivers, and let them bring the rest along at their own pace. Most "I won't use technology" objections are really "I am scared of letting someone down," and that is solved by patience and good design, not ultimatums.

Frequently asked questions

What is the most common type of data breach in the UK?

Most data security incidents reported to the ICO are non-cyber. Around three quarters come down to human error rather than hacking. The single largest category is data sent to the wrong recipient, usually by email, with loss or theft of paperwork among the categories that appear every quarter. Cyber attacks such as phishing and ransomware make up the smaller share.

Is a lost run sheet a reportable data breach?

It can be. A run sheet usually contains special category data such as health conditions and home addresses. Where the loss is likely to result in a risk to the rights and freedoms of the people named, the organisation must report it to the ICO within 72 hours of becoming aware. Where there is no real risk it may not need reporting, but the decision and the reasoning behind it should still be recorded.

Who is liable when a volunteer driver loses a run sheet, the charity or the driver?

The charity. As data controller, the organisation carries the legal responsibility for how personal data is handled. The ICO looks at what controls the organisation had in place, not at which individual made the mistake. That is why "a trusted volunteer lost it" is not a defence.

Recommended:
Are You Falling Short on GDPR? 5 Everyday Risks in Community Transport

What counts as special category data on a run sheet?

Information about health, disability or mobility needs is special category data under Article 9 of the UK GDPR. A note such as "has dementia, do not leave unattended" or a journey to a dialysis unit both reveal health data. Processing it lawfully needs both an Article 6 lawful basis and a separate Article 9 condition.

Does the ICO fine small charities for paperwork breaches?

Not usually as a first step. The ICO's approach with smaller organisations leans towards guidance and support, and most reported incidents result in no further action. What matters is being able to show that reasonable controls were in place before anything went wrong.

What does the 72 hour breach reporting rule actually require?

The 72 hour clock applies only where a breach is likely to result in a risk to people's rights and freedoms, and it runs from when the organisation becomes aware of the breach. Not every lost sheet triggers it, but every organisation should be able to establish quickly what was actually lost. With paper alone, that is often the hardest part.

How can community transport schemes reduce paper based data breaches?

Start by printing less, keeping messaging off WhatsApp, and returning and shredding sheets at the end of each run. The stronger fix is a purpose built system like Road XS, that gives drivers only the journey information they need, expires it when the journey ends, logs every access, and removes a leaver's access centrally, so there is nothing left in a glovebox to lose.

The question for your next board meeting

If a passenger's name, address and medical condition appeared in the local paper tomorrow because a run sheet went missing, could your charity show the ICO it had done everything reasonably possible to prevent it?

If the honest answer is no, one of the most common breaches in Britain is already on your risk register, whether it is written there or not.


This article is for educational purposes and is not legal advice. UK GDPR has been amended in part by the Data (Use and Access) Act 2025. Charities should check current ICO guidance and seek independent advice on their specific obligations.

New Guide

Paper Run Sheets & Data Compliance

This plain English guide explains the UK GDPR risks hiding in paper run sheets, helping trustees and transport managers understand what the law demands in 2026 and how to keep their transport schemes compliant.

Send this to a friend