ACC to send mountain of apologies

ACC will telephone or mail an apology to 6748 clients whose privacy had been breached and deal with compensation claims case by case.

The corporation was deluged with complaints yesterday after revelations that a staff member sent a spreadsheet containing the names and nature of at least 9000 claims, including some by those who say they have been the victims of sexual abuse and violent crimes.

The details  some featuring well-known people  were emailed to a person who should not have received them, in what may be one of New Zealand's worst privacy breaches.

The revelations led to "please explain" calls to the corporation from ACC Minister Judith Collins and Privacy Commissioner Marie Shroff.

ACC chief executive Ralph Stewart apologised yesterday and said "frankly" the breach had been poorly handled. "Clearly we must review our internal processes to ensure this type of event doesn't happen again."

An ACC spokeswoman later said it wished it had done more to investigate.

Senior management were told three months ago that they had possibly made the biggest privacy breach in New Zealand history but, apart from asking for the information back, no further investigation was done.

The details revealed included full names, the nature of each claim and dispute, and individual claim numbers, as well as personal information on nearly 250 claims from ACC's most secure unit, the sensitive claims unit.

The recipient of the information spoke to The Dominion Post after repeatedly raising issues of systemic privacy failures by ACC in handling how it collected, used and disclosed claimants' information.

"This was only one example," the recipient said yesterday. "Many ACC claimants have received numerous letters of apology from ACC in relation to breaches of their privacy only for further breaches to occur.

"These issues of systemic failure were raised at the highest level within ACC, along with a request for these matters to be investigated.

"The ACC management's team response to the ACC board was that there was no validity to the prior privacy issues raised.

"It is now up to appropriate authorities to investigate."

The information provided to the recipient has now been destroyed.

The breach led to multiple calls from politicians and advocacy groups for an independent inquiry into how it occurred and into ACC's privacy practices.

There were also calls for ACC to compensate those involved but the corporation may have dodged a bullet on that issue because the recipient did not publish the details on the internet.

Privacy lawyer John Edwards said it would be difficult for claimants to prove distress or humiliation had been suffered as a result of the file being sent to one member of the public.

However, it was significant and of considerable concern that details about ACC sensitive claims unit clients were being distributed outside the unit, Mr Edwards said.

The fact that the unit existed should mean "extra special care" should be taken about the privacy of those clients but ACC had failed to protect those clients' privacy, he said.

ACC yesterday invited clients seeking a settlement or compensation to write to the corporation's privacy officer and said the issue would be dealt with on a case by case basis.


A man who was paid $12,000 by ACC for breaching his privacy was later sent sensitive information by the corporation relating to fraud investigations.

Even after being ordered by the privacy commissioner to pay Bruce Van Essen $12,000, ACC then sent him a document identifying six people, and their case details, who were under investigation.

Mr Van Essen said the privacy breach last year was yet another example of a sloppy culture of privacy protection at ACC.

"Regardless if they are under investigation for fraud or not these people still have privacy rights yet ACC couldn't care less."

The fraud details were wrongly sent to him last year and he said it took three phone calls to ACC over several days before a member of ACC's fraud unit finally contacted him. ACC asked him to return the information and Mr Van Essen agreed, on the condition that the corporation tell the six people their privacy had been breached.

Mr Van Essen, who lives in Dunedin, said ACC has repeatedly flouted his privacy.

"Just before Christmas ACC paid me $12,000 for a privacy breach that the privacy commissioner upheld in 2007."

He said it had taken him nearly five years to settle that breach and he has also had several other privacy breaches upheld by ACC.

The Dominion Post was also provided with an edited document yesterday containing another nine privacy breaches of ACC clients' details.

The details included names, occupations, diagnosis of injuries and duration of compensation to the clients.

The details were sent to an ACC client who should not have received them.

The Dominion Post