24 Aug 2012

ACC breach not reported due to 'culture of fear'

2:00 pm on 24 August 2012

ACC Minister Judith Collins says a culture of fear at the Accident Compensation Corporation prevented senior staff from reporting a breach of thousands of clients' details.

An investigation into the privacy breach has found it was genuine human error, but happened because of weaknesses in the corporation's culture and systems.

The Office of the Privacy Commissioner instigated an independent review of ACC's security after claimant Bronwyn Pullar was mistakenly sent the information of 6748 clients in August 2011.

The review was carried out by audit firm KPMG and data protection company Information Integrity Solutions and confirms that ACC staff knew of the breach four months before it came out in the media.

Privacy Commissioner Marie Shroff said on Thursday the review highlights a culture that has at times an almost cavalier attitude to its clients and their information, and change is needed.

"ACC has been asked in very short summary to get leadership right and hold their people accountable, to get the culture pointed towards respect for individuals and their information, and to fix their processes and systems on personal information handling."

The review makes seven recommendations to strengthen ACC's privacy policies and rebuild customer trust. ACC interim chairperson Paula Rebstock says the recommendations will be fully implemented.

ACC Minister Judith Collins told Radio New Zealand's Checkpoint programme on Thursday that senior managers did not refer the privacy breach to the chief executive or the board out of fear.

"There was a culture of fear and that's the sort of behaviours that happen when you don't have a culture that's open and you can't feel you can tell the board or the chief executive what's going on."

Letter of expectations in place

Ms Collins said that culture starts with the board, and staff have been let down by the approach to client privacy. She said the report shows what ACC must do, but in the meantime she has put in place a letter of expectations and a service and purchase agreement with the corporation's board.

Ms Collins said when the public gives personal and private information to ACC, it should be able to expect it to be treated with care and respect. "There was something of a bit of a patchwork approach to privacy, so that blame for that must come at the highest levels, frankly."

The minister said mechanisms for checking on privacy breaches were still not in place. She said she does not blame ACC staff, because they never had the framework or the tools to deal with privacy breaches since electronic files were introduced in 2009.

"It's very expensive to fix it at this stage and a huge amount of work will have to go into getting it fixed. The report from the independent reviewers makes it very clear this will not be fixed overnight, but there is a plan and timetable that needs to be addressed and kept to to get it in place."

The minister said the public can be reassured the mechanisms will be fixed, but it would take time.

Meanwhile, the Privacy Commissioner says another investigation into the leaking of Bronwyn Pullar's name - which is the subject of defamation action being taken by Judith Collins against two Labour Party MPs - is continuing.

Pullar didn't get special treatment - Auditor-General

Another report by the Auditor-General into board practices at ACC has found that claimant Bronwyn Pullar received no extra benefit from having met with the corporation's deputy chairman at the time, John McCliskie.

The inquiry was instigated after Ms Pullar revealed a massive privacy breach and made allegations of illegal behaviour and fraud.

The Auditor-General found that, though Ms Pullar did met the senior board member, she was not given any special treatment with regard to resolving problems she had raised relating to her ACC claim.

The report also found that ACC failed to recognise that the wider allegations made by Ms Pullar posed a serious risk to the organisation.

Judith Collins said that was simply unacceptable. "The focus as the report says was very much on Ms Pullar's individual matters - not on the potential risk to the corporation of the allegations of systemic failings."

ACC interim chair Paula Rebstock said the Auditor-General's conclusion that the board failed to appreciate the risks of the illegality and fraud allegations is her biggest concern.

"It's clearly something that any board must get right. We must be concerned when there are any allegations of improper conduct and we must have processes in place that ensure the board is aware of those allegations and is confident that they're being dealt with in appropriate manner."

The report found a letter from the then minister, Nick Smith, did not influence the way she was treated by ACC. Dr Smith lost his portfolios for writing the letter, which attested to Ms Pullar's state of health before the accident for which she was claiming.