|Personal and sensitive (health) personal data.
|An unknown number of records contained in seven Excel spreadsheets, including name, address, date of birth and disability details.
|During migration of the Leeds Initiative website from one server to another, a private area was accessible to members of the public because a data processor failed to configure the new server identically to the old server. The site was then not sufficiently tested to identify the problem.
|If there’s public and non-public information on any web server, there’s always an increased risk of data loss, so any changes to internet-facing infrastructure should always be fully tested. Organisations that know the locations and classification of their data are less likely to suffer this type of breach.
|Undertaking to comply with the seventh data protection principle
|30 November 2012
|The data controller is to ensure that clear contractual arrangements are in place with a data processor; that data processors are monitored for compliance with the seventh principle; that technically proficient staff are included at all stages of procurement; and that appropriate security measures are in place to protect personal data.
|It looks like Leeds Council are following what appears to be a trend in reporting a breach, and also reporting sensible remedial action at the same time. It is interesting that the same council was also subject to a recent monetary penalty.
|View PDF of the Leeds City Council Undertaking (Breach Watch Archive)
|View PDF of the Leeds City Council Undertaking (Via ICO Website)
|The ICO conducted a follow-up assessment on 20 May 2013.
|View PDF of the Leeds City Council Undertaking Follow Up (Breach Watch Archive)
|View PDF of the Leeds City Council Undertaking Follow Up (Via ICO Website)