ACC apologises over privacy breach

02:40, Mar 13 2012

An ACC sensitive claims client was "horrified" to hear that personal details of 250 clients of the unit had been sent nationwide and to a member of the public.

The details were among more than 9000 ACC claims - some featuring well-known people - that were emailed to a person who should not have received them, in what is being described as one of the worst privacy breaches in New Zealand history.

The sensitive claims unit deals with the cases of rape and sexual abuse victims.

The details revealed included full names, the nature of each claim and dispute, and individual claim numbers.

The recipient of the information said some of the names were public figures, and others were victims of violent and sexual crimes.

The sensitive claims client - who did not want to be named but was not the recipient of the privacy breach - said it was "chilling" the details also appeared to have been sent to about 50 ACC managers who she understood had no business seeing private details of the unit's clients.


The woman was relieved when she emailed ACC today to be told her details were not in the files but said ACC had a slap-dash approach to privacy issues.

"ACC has already had to pay me $10,000 in compensation for a previous serious breach of my privacy so what the hell have they learned?

"Not only that, when I informed them of yet another breach of another of their clients' privacy, not mine, they demanded I give the information back to them," she said.

"I told them they must give me a written guarantee they would inform the person whose privacy had been breached.

They refused so I refused to give them the document.

"I still have it and even though they know that, they seem to have lost interest. Wonder why? Was it because they hoped to get the details back and just keep it quiet?"


ACC has apologised for failing to act on the mass privacy.

Chief executive Ralph Stewart confirmed that senior ACC managers were warned three months ago and although attempts were made to try to find the files, "frankly we should have done more."

ACC had now found how it made the privacy breach and was in the process of recovering the information.

Stewart said he apologised for ACC sending private information out to someone it should not have been sent to.

The privacy breach could lead to claims for compensation, said the Green Party.

The party called for an independent investigation into the breach.

The party's ACC spokesman, Kevin Hague, said claimants who had their details passed on would need support and "possibly compensation depending on the nature of the breaches".

"It appears the ACC board and the minister have known about the privacy breaches for some time but have done nothing about them.

"We need to know what the board knew, what the minister knew, and why they have not acted. Only an independent investigation can achieve that."

Before the warning to ACC management, ACC's board and former ACC minister Nick Smith were told about systemic failures of the corporation's processes for respecting the privacy rights of claimants.

The board was given an example of a branch medical adviser who covertly communicated with an ACC assessor providing false information to manipulate a medical report in ACC's favour.

A board member was sufficiently alarmed by the allegations to raise the matters at a higher board level, which resulted in a meeting between the recipient of the information and ACC management in December.

At the meeting, the recipient and their advocate told ACC's national manager of recovery independence services, Philip Murch, that ACC had potentially caused the biggest privacy breach in New Zealand's history.

Hague said there seemed to be a "lax" privacy culture at ACC which undermined the trust New Zealanders had in the scheme, he said.

"In addition to privacy breaches, it appears ACC staff are covertly communicating with advisers to manipulate medical reports in ACC's favour.

"Such behaviour is probably unlawful, and is miles away from the premise of a no-fault public scheme."

Hague said the Government's push to cut costs could behind the "negative behaviour" at the Corporation.


ACC was told that its own staff emailed the recipient sensitive details of thousands of claims, which could result in thousands of complaints because of incompetent privacy management practices. ACC was told it would be horrified to know what material it had fired off.

But in spite of the general warning to the board and the explicit disclosures in December – including a formal written complaint – ACC management have not investigated the privacy breach with the recipient.

The same details also appear to have been sent to more than 50 ACC managers, most of them not from the sensitive claims unit, raising questions about the security of information supplied to the unit.

Personal information held by the unit is not supposed to be divulged to anyone outside the unit without the permission of the client.

The recipient, an ACC client, did not want to be named because they feared being swamped by telephone calls from other ACC clients concerned their details have been distributed nationwide.

The recipient blacked out all personal details of claimants when providing documents to The Dominion Post.

Privacy Commissioner Marie Shroff said if the emailed data involved personal details of thousands of people the breach was likely to be one of New Zealand's most serious.

She expected government agencies to adhere to her office's notification guidelines, which include contacting those whose privacy has been breached, getting the information back, minimising harm and making sure it did not happen again.

New Zealand laws are behind other jurisdictions in not providing for mandatory reporting of data privacy breaches and her office is developing a view on the need for there to be consequences for data breaches.

In 2010, ACC apologised after it admitted sending up to 2000 companies private information about workers' accidents that should have gone to other employers.

The information included names, descriptions of accidents, injuries, treatment and ACC payments.

A Petone business owner blew the whistle after she was sent private details about a Whanganui man she did not know, who had suffered a fall.

The Dominion Post