Cavalier attitude lead to NZ's biggest privacy breach
Systemic weaknesses at ACC and an "almost cavalier" attitude towards claimants and their personal details led to one of New Zealand's biggest privacy breaches, the Privacy Commissioner has found.
Culture change starting at the top of the Corporation is vital to prevent any further breaches, Marie Shroff says.
The Commissioner has released her report, commissioned by her office and the ACC board it was revealed in The Dominion Post that the Corporation inadvertently emailed the private details of more than 6700 clients, including 250 sexual abuse cases, to claimant Bronwyn Pullar.
The breach, which also forced investigations by the Police and the Auditor-General, led to the resignation of Cabinet minister Nick Smith and the departures of board chair John Judge and three other board members. Chief executive Ralph Stewart has also announced his resignation.
The report found the breach, which occurred in August 2011, was a genuine error but occurred because of systemic weaknesses within ACC's culture, systems and processes.
The management of information at ACC was "low level and defensive". It focused on breaches and complaints rather than emphasising respect for claimants and their details.
"That is not good enough, particularly in this digital age," Shroff said.
"Personal information is the lifeblood of ACC and it is vital that ACC treats that information with respect - the trust of its clients, and it many respects, the success of its operations depend on it."
While privacy awareness at branch level was good, there was a culture within ACC that had at times an "almost cavalier" attitude towards its clients and the protection of their private information.
Shroff, who interviewed 150 ACC staff for her report, also found ACC lacked a comprehensive strategy for protecting and managing claimants' information.
ACC had "elements" of privacy protection but they were not up to standards expected of a responsible public sector agency which held highly sensitive information about a large number of people.
Much change was needed to restore public confidence in ACC, Shroff said.
The commissioner's recommendations to ACC include: clear privacy policies be established, the organisational culture and privacy accountability be strengthened, its business processes and systems be reviewed and updated, and extra resources be provided to clear backlogs of privacy related processes.
Pullar said she was ''delighted that the various investigations have highlighted the deficiencies with the way the ACC was being run.''
''It gives me great heart to hear that the Minister is going to accept all the recommendations. ''
She added: ''I believe this outcome will provide much better and fairer processes for all New Zealanders who have dealings with ACC.''
ACC's interim chair Paula Rebstock says the Corporation will be implementing the recommendations in full.
"The events over the last six months have raised profound questions about our management of information."
ACC had to show its customers and stakeholders that change was occurring quickly, she said.
"We need processes that help minimise errors with safeguards to provide checks and back-ups. If something does go wrong, we must have systems to respond quickly and appropriately, and just as importantly, we need to find out what went wrong so we can try to prevent it happening again."
The Dominion Post