Report: ACC needs culture change

An independent report into the massive ACC privacy breach which saw information about 6700 claimants emailed to disgruntled claimant Bronwyn Pullar has put the affair down to "human error" exacerbated by "systemic weaknesses" at the corporation.

Privacy Commissioner Marie Shroff, who commissioned the report by KPMG and former Australian Privacy Commissioner Malcolm Crompton says "a culture change starting at the top" is required by the corporation to prevent further breaches.

The breach occurred when a spreadsheet containing details about 6748 clients whose cases had gone to review was inadvertently attached to an email sent to Ms Pullar by an ACC manager in August last year.

In its report, the review team concluded that that the breach was down to "a genuine human error, but that such an error was more likely to occur because of systemic weaknesses within ACC's culture, systems and processes".

The report also found ACC's subsequent response process could have been better "if appropriate policies, practices, escalation protocols and the right culture were in place to allow for transparency of breach handling at the appropriate levels in an appropriate manner".

The report largely confirmed ACC's version of events - that it was not aware of the breach until Ms Pullar met with its executives in December last year.

However the report found that ACC could have done more to try and get the information back and inform affected clients than it did.

"While in hindsight an error of judgement, ACC did not appreciate the significance of the Breach until it was made public in March 2012 but the Independent Review team found that ACC could have done more to follow through on the information provided by the Client on 1 December 2011."

The review team said that the breach and 44 other alleged breaches "should have been escalated to the Privacy Officer and/or the Office of the Complaints Investigator soon after the 1 December meeting".

"ACC should also have made a more concerted effort to have the Breach information returned and undertaken a more extensive internal investigation into how the information was sent to the Client."

The systemic issues identified included the use of dual monitor screens by managers, the extensive use of spreadsheets for management reporting, a variable culture in regards to the importance of dealing carefully with personal information and a lack of clear accountability for addressing privacy issues.

The review found ACC's current arrangements needed to be strengthened if they were to deliver "a sustainable approach to protecting personal information".

The review recommended a series of improvements to privacy handling starting the board and reaching down to the operational level including additional resources "to clear backlogs on privacy related processes including access requests and complaints".

Acting ACC chairwoman Paula Rebstock said the corporation would be implementing the reviews recommendations in full.

Ms Shroff said she accepted the breach was the result of a genuine error but indicated her concern at the systemic weaknesses revealed in the report.

It highlighted what one stakeholder had told reviewers was "an almost cavalier" attitude towards clients.

The report showed ACC lacked a comprehensive strategy for protecting and managing its client information.

"The review shows that information stewardship is low level and defensive and focuses on breaches and complaints rather than taking strong leadership that emphasises respect for clients and their information."

She said the recommendations were strong and she would closely monitor ACC's progress as it implemented them.

- New Zealand Herald