Flintshire Council issues statement following “major data breach” after personal details of residents were exposed on its website

Flintshire Council has issued a statement following what one Member of the Welsh Parliament has described as a “major data breach.”

The incident happened on Wednesday when the personal details of people who responded to a consultation were uploaded to the Local Development Plan (LDP) section on the council’s website and left exposed to the public.

The LDP, a key housing blueprint for Flintshire sets out locations where up to 7,000 new homes could be built in the county over the next decade whilst protecting key green spaces and parks from development.

Councillors agreed to put the LDP out to consultation in July last year.

Since then the council’s Planning Policy Service has been working remotely due to the coronavirus outbreak which has delayed the progress of the LDP.

Without an LDP in place, the community loses some protection against development.

The council said the names and addresses of individuals who have made responses to the LDP consultation were contained in a document and uploaded on Wednesday.

Those personal details “could be accessed for a period of several hours” following publication, the council has admitted. 

The statement said that personal details were “hidden from public view when the document was created, and could only have been uncovered with a conscious effort to remove that protection.”

The council said the software used to protect the details “was not adequate” and once the risk was known the documents were taken down.

“They have since been protected with different software.” The council said.

The statement goes onto to say: “Having checked our website visitor records we can see that only a few people accessed the document in this short period. Once we became aware of the problem we acted swiftly to correct the document and to prevent further access to the personal data.”

The council says it takes the issue of the security of personal information “extremely seriously” and has launched an investigation to find out how the personal details in the document were able to be accessed.

It hasn’t revealed how many names were left exposed on its website. 

Flintshire Council will now consider whether to refer itself to the Information Commissioner’s Office.

“The individuals whose details were included in the document will be contacted, and we are considering whether this matter needs to be reported to the Information Commissioner’s Office, with whom we maintain a positive and trusting working relationship.” The council said.

Welsh Conservative Shadow Minister for Local Government, Housing and Communities, Mark Isherwood MS, described the incident as a “major data breach”

“This GDPR breach is just the latest event in a saga that is Flintshire’s LDP.”