Sensitive data collected on Denver residents through the city’s 311 help line was visible to unauthorized eyes, according to the Office of the Denver Auditor.

An auditor from the office who had been looking into another matter discovered that unauthorized city employees had access to personally identifiable information, or PII, on residents who used the city’s 311 system. That unexpected find prompted an audit whose findings were released just this week.

Personally identifiable information can include such data as social security numbers. The city clarified in a statement that its 311 help line doesn’t typically collect social security numbers when residents call, though there are cases when the information is exchanged.

As Denverite’s Erica Meltzer noted, residents use the 311 system to call in about barking dogs or questions about trash and recycling, so it was surprising when an auditor found unprotected data like social security numbers in the 311 system. The news outlet noted 25 city employees had unauthorized access to the date.

“But in certain kinds of interactions, specifically with the Department of Human Services and the Payroll Division, such information was collected,” the auditor’s office said in a press statement Thursday. “The fact that it could be viewed by other city employees who have access to the 311 database gave rise to this audit.”

Denver auditors have once before discovered that confidential data maintained by the city was left unprotected.

Following the recent discovery, Denver Auditor Timothy O’Brien notified the mayor’s office, the city’s Technology Services Department and the city’s private vendors, Salesforce, which took steps to protect the information.

O’Brien said in the press release that while the issue was resolved in the short term, it will take continual monitoring to ensure personally identifiable information remains protected.

Denver Technology Services says it plans to take steps, recommended in the audit findings, to increase security of the 311 system by March 2018. The steps include altering language on the 311 website, and other city webpages, to discourage residents from submitting sensitive data when navigating the system and documenting Salesforce applications and security requirements.

“We’ve asked the (Technology Services) department to review vulnerability scans and penetration testing to ensure that salesforce provides secure services as required by its contract,” O’Brien said in the press statement.