NZ ACC rapped over privacy breach
New Zealand’s Accident Compensation Corporation (ACC) lacks a “privacy mindset”, according to a report on a privacy breach in which 6748 claimants’ personal details were mistakenly sent to a client in dispute with the corporation.
A report for the Privacy Commissioner says the ACC’s systems do not support a culture that values personal information, and criticises its attitude to handling clients’ personal details.
Privacy Commissioner Marie Shroff says ACC clients and their advocates told of “an almost cavalier” attitude towards clients and the protection of their private information.
She calls for cultural change “starting at the top”, adding: “This sort of data is a major business asset with associated risks that have to be managed.”
The ACC says it will implement all the recommendations of the independent review, which was commissioned by the Privacy Commissioner and ACC board following an uproar when the breach was revealed in March.
The 106-page report says the breach occurred when a manager writing an email to client Bronwyn Pullar inadvertently attached an unrelated email containing the other clients’ details.
The controversy has caused the chairman, other directors and the CEO to leave the ACC.
The review by KPMG and Information Integrity Solutions recommends stronger board governance of personal information management, stronger privacy leadership and strategy, and work to strengthen the organisational culture and accountability for privacy.
It says the ACC “needs to put in place clear policies that create a positive privacy mindset as part of rebuilding customer trust and establishing a ‘firm but also seen as fair’ image in the minds of the public”.
The report says the breach was a human error that was more likely to occur because of systemic weaknesses within ACC’s culture, systems and processes.
It says the nature of ACC’s operations and the number of complex and long-term claims, combined with the manual nature of many of its processes and technology systems, “has resulted in ACC having a history of privacy breaches and complaints”.