Breach details
What | Personal and sensitive (health) personal data. |
How much | An unknown number of records contained in seven Excel spreadsheets, including name, address, date of birth and disability details. |
When | Not specified. |
Why | During migration of the Leeds Initiative website from one server to another, a private area was accessible to members of the public because a data processor failed to configure the new server identically to the old server. The site was then not sufficiently tested to identify the problem. |
BW Comments
If there’s public and non-public information on any web server there’s always an increased risk of data loss, so any changes to internet-facing infrastructure should always be fully tested. Organisations that know the locations and classification of their data are less likely to suffer this type of breach.
Regulatory action
Regulator | ICO |
Action | Undertaking to comply with the seventh data protection principle |
When | 30 November 2012 |
Details | The data controller is to ensure that clear contractual arrangements are in place with a data processor; that data processors are monitored for compliance with the seventh principle; that technically proficient staff are included at all stages of procurement; and that appropriate security measures are in place to protect personal data. |
BW Observations
Leeds Council appear to be following a trend of reporting a breach and reporting sensible remedial action at the same time. It is interesting that the same council was also subject to a recent monetary penalty.
Links
View PDF of the Leeds City Council Undertaking (Breach Watch Archive)
View PDF of the Leeds City Council Undertaking (Via ICO Website)
Follow Up
The ICO conducted a follow up assessment on 20 May 2013.
View PDF of the Leeds City Council Undertaking Follow Up (Breach Watch Archive)
View PDF of the Leeds City Council Undertaking Follow Up (Via ICO Website)