@ Matt Hawkins
the 'lock down all ports' comments were being made in a generic fashion relating to all users. That is simply not realistic. Even councils do need to pass data to people in unencrypted formats - tender documents to vendors etc.
Yes this person should NOT have copied the data. No question. The solution though is not a knee-jerk 'lock down all ports on all machines for everyone' - but to look at why they worked around what was in place and make the process fit in a way that they can use (and is simpler to follow than to avoid).
eg app that recognises the confidentiality level of the data and will only write it to appropriate media: unrestricted to clear usb, confidential to encrypted, secret blocked... - but that is dependant on useable rating system beyond the control of the user (or everything becomes unrestricted...).
Sooo many of us loose sight of the fact that ultimately IT systems are not an end in themselves - they are only there to support the business process. The modern version of paper shufflers who see their forms as being more important than the process that the forms are meant to assist..
If the systems are not supporting that business process (rather than being a process themselves) then they need work.