Independent Review of ACC Privacy and Information Security
Media Release 23rd August 2012
The Independent Review of ACC Privacy and Security of Information
Independent Review Team
A review of the Privacy and Security of Information at the Accident Compensation Corporation was released by the Office of the Privacy Commissioner and ACC’s Board today following a comprehensive review by an Independent Review Team comprising KPMG and Information Integrity Solutions Pty Limited.
The review examined the circumstances relating to a major data breach involving the inadvertent release of personal details of 6,748 ACC clients, and the appropriateness and effectiveness of ACC’s privacy and security policies and practices.
“Information is arguably the most critical asset in any organisation today. The challenge of protecting personal information has never been greater,” says Malcolm Crompton, former Australian Privacy Commissioner and Managing Director of Information Integrity Solutions Pty Limited. “While ACC has suffered a significant data breach, other organisations, both public and private, could face the same.”
The Independent Review Team concluded that the breach that occurred was a genuine human error, but that such an error was more likely to occur because of systemic weaknesses within ACC’s culture, systems and processes. ACC’s subsequent response process could also have been better if appropriate policies, practices, escalation protocols and the right culture were in place to allow for transparency of breach handling at the appropriate levels, in an appropriate manner.
The Recommendations of the Review Team are comprehensive:
• ACC needs to put in place clear policies that create a positive privacy mindset as part of rebuilding customer trust and establishing a ‘firm but also seen as fair’ image in the minds of the public.
• Strengthen Board governance of personal information management.
• Strengthen privacy leadership and strategy.
• Enhance its privacy programme.
• Strengthen the organisational culture.
• Strengthen privacy accountability.
• Review and update business processes and systems.
• Provide additional resources to clear backlogs on privacy related processes.
KPMG Partner Souella Cumming commented that “An organisation’s data needs to be protected by thorough and effective risk mitigation strategies to the same or higher levels as other vital assets. Without these strategies in place, the organisation is at risk of significant reputational damage.”
Malcolm Crompton and Souella Cumming noted: “We emphasise the significance of a culture and environment where personal information is valued. This must be supported by an approach to compliance with the privacy principles that is embedded within governance, leadership, business processes and systems.”
This forms the basis of the recommendations in the report of the Independent Review Team.
KPMG is a global network of professional firms providing Audit, Tax and Advisory services. We operate in 146 countries and have 140,000 people working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. Each KPMG firm is a legally distinct and separate entity and describes itself as such.
Information Integrity Solutions (IIS) is a global consultancy providing services in data protection and information privacy. It is the largest privacy consultancy company in the Asia Pacific region. Malcolm Crompton is Managing Director of IIS and was Privacy Commissioner of Australia between 1999 and 2004.