23 August 2012
The Privacy Commissioner says a culture change starting at the top of ACC is vital if
further data security breaches are to be prevented.
Marie Shroff is commenting on the findings and recommendations of the Independent
Review of ACC Privacy and Security of Information that were released today.
The report was commissioned jointly by the Office of the Privacy Commissioner (OPC)
and the ACC Board following the unauthorized disclosure of details of 6,748 clients.
'The review has found the breach was a genuine error and I accept that. But it also
shows the error happened because of systemic weaknesses within ACC's culture,
systems and processes,' says Ms Shroff.
'The reviewers noted a good level of privacy awareness especially at branch level. But
the review also highlights a culture that, according to stakeholder feedback to the
reviewers, has at times 'an almost cavalier' attitude towards its clients and to the
protection of their private information.
'The review shows that information stewardship is low level and defensive and focuses
on breaches and complaints rather than taking strong leadership that emphasises
respect for clients and their information.
'That is not good enough particularly in this digital age. Personal information is the
lifeblood of ACC and it is vital that ACC treats that information with respect - the trust of
its clients and, in many respects, the success of its operations depends on it.'
Ms Shroff says the report shows that ACC lacks a comprehensive strategy for
protecting and managing its client information.
'This sort of data is a major business asset with associated risks that have to be
'While ACC has elements of privacy protection and security, these are not up to the
standard expected of a responsible public sector agency that holds highly sensitive
information on a large number of people.
'Changing that is essential. And the changes, which must include a culture change,
have to start right at the top.'
The review recommends that an independent audit of how ACC has implemented the
changes is undertaken every two years and provided to the Privacy Commissioner.
Marie Shroff welcomes the recommendation.
'It's evident from the report that a lot needs to change before public confidence in ACC
can be restored. I believe it can be done, but only if ACC takes the review's findings and
recommendations seriously and gives its many good and committed staff the support
they need to implement the necessary changes.
'The review provides a strong set of proposals. I will closely monitor ACC's progress as
it implements these changes.'
Ms Shroff says the data security breach at ACC has provided a timely warning to both
public and private sector organisations.
'Agencies that hold large amounts of personal information should be taking note of what
has happened at ACC and learn from its mistakes. Many organisations will recognise it
could just as easily be them in the headlines.'
View the Independent Review of ACC Privacy and Security of Information.
For further information please contact:
Katrine Evans, Office of the Privacy Commissioner, 021 509 735.