Damning ACC report 'heartening' - whistleblower
The woman who was emailed the details of thousands of ACC clients is pleased improvements will be made after a scathing report.
The Privacy Commissioner has come out swinging today, saying systemic weaknesses in the organisation and an "almost cavalier" attitude towards claimants and their details led to what was one of New Zealand's biggest privacy breaches.
Privacy Commissioner Marie Shroff has released her report, commissioned by her office and the ACC board after the Corporation inadvertently emailed the private details of more than 6700 clients, including 250 sexual abuse cases, to claimant Bronwyn Pullar.
Culture change starting at the top of the corporation was vital to prevent any further breaches, Shroff said.
ACC Minister Judith Collins said she completely agreed with the auditor-general's report.
Pullar said she was delighted the various investigations had highlighted the deficiencies with the way ACC was being managed.
''It gives me great heart to hear that the minister is going to accept all the recommendations," she said.
''I believe this outcome will provide much better and fairer processes for all New Zealanders who have dealings with ACC.''
Green party MP Kevin Hague said two reports provide 'the most compelling evidence yet that the Government's focus on saving a buck'' caused ACC to lose sight of its role in helping injured clients.
The reports show that ACC was prepared to sustain human casualties in its drive to achieve the Government’s goal, he said.
The breach, which also forced investigations by the police and the auditor-general, led to the resignation of Cabinet minister Nick Smith and the departures of board chair John Judge and three other board members. Chief executive Ralph Stewart has also announced his resignation.
The report found the breach, which occurred in August 2011, was a genuine error but occurred because of systemic weaknesses within ACC's culture, systems and processes.
The management of information at ACC was "low level and defensive". It focused on breaches and complaints rather than emphasising respect for claimants and their details.
"That is not good enough, particularly in this digital age," Shroff said. "Personal information is the lifeblood of ACC and it is vital that ACC treats that information with respect - the trust of its clients, and in many respects, the success of its operations depend on it."
While privacy awareness at branch level was good, there was a culture within ACC that had at times an "almost cavalier" attitude towards its clients and the protection of their private information.
An independent review team, which carried out the report and interviewed 150 ACC staff, found ACC lacked a comprehensive strategy for protecting and managing claimants' information.
ACC had "elements" of privacy protection but they were not up to the standards expected of a responsible public sector agency which held highly sensitive information about a large number of people.
Much change was needed to restore public confidence in ACC, Shroff said.
The review team's recommendations included:
* Clear privacy policies be established,
* The organisational culture and privacy accountability be strengthened,
* Its business processes and systems be reviewed and updated
* Extra resources to be provided to clear backlogs of privacy-related processes.
ACC's interim chair Paula Rebstock says the corporation would be implementing the recommendations in full.
"The events over the last six months have raised profound questions about our management of information."
ACC had to show its customers and stakeholders that change was occurring quickly, she said.
"We need processes that help minimise errors with safeguards to provide checks and back-ups. If something does go wrong, we must have systems to respond quickly and appropriately, and just as importantly, we need to find out what went wrong so we can try to prevent it happening again."
MINISTER: 'PATCHWORK APPROACH TO PRIVACY'
Issues of governance had already been addressed, with the departure of board members, but the need for culture change remained, Collins said.
The Government was "a long way along" appointing a new chair for the ACC board and interviews had already begun.
The independent report conducted for the Privacy Commission showed clear issues within ACC, Collins said.
"The processes around privacy in the organisation we're clearly not up to 21st century mark and what we would expect."
Culture changes were also clearly needed, she said.
"I'm sorry to say that it's not surprising... I've made it perfectly clear the whole way along that I have not been at all satisfied with the level of information privacy and security for people's very personal information."
ACC's staff had been let down by the culture, Collins said.
There were those who understood the importance of privacy but there was a "patchwork" approach to it.
The blame for that must lay at the highest levels of board governance, she said.
The privacy report set out a timetable of what changes needed to be made and when which would be useful for measuring improvements with ACC, she said.
The Dominion Post