Privacy Commissioner urges ACC culture change
The Privacy Commissioner says a culture change starting at the top of ACC is vital if further data security breaches are to be prevented.
Marie Shroff is commenting on the findings and recommendations of the Independent Review of ACC Privacy and Security of Information that were released today.
The report was commissioned jointly by the Office of the Privacy Commissioner (OPC) and the ACC Board following the unauthorized disclosure of details of 6,748 clients.
"The review has found the breach was a genuine error and I accept that. But it also shows the error happened because of systemic weaknesses within ACC's culture, systems and processes," says Ms Shroff.
"The reviewers noted a good level of privacy awareness especially at branch level. But the review also highlights a culture that, according to stakeholder feedback to the reviewers, has at times "an almost cavalier" attitude towards its clients and to the protection of their private information.
"The review shows that information stewardship is low level and defensive and focuses on breaches and complaints rather than taking strong leadership that emphasises respect for clients and their information.
"That is not good enough particularly in this digital age. Personal information is the lifeblood of ACC and it is vital that ACC treats that information with respect - the trust of its clients and, in many respects, the success of its operations depends on it."
Ms Shroff says the report shows that ACC lacks a comprehensive strategy for protecting and managing its client information.
"This sort of data is a major business asset with associated risks that have to be managed.
"While ACC has elements of privacy protection and security, these are not up to the standard expected of a responsible public sector agency that holds highly sensitive information on a large number of people.
"Changing that is essential. And the changes, which must include a culture change, have to start right at the top."
The review recommends that an independent audit of how ACC has implemented the changes is undertaken every two years and provided to the Privacy Commissioner.
Marie Shroff welcomes the recommendation.
"It's evident from the report that a lot needs to change before public confidence in ACC can be restored. I believe it can be done, but only if ACC takes the review's findings and recommendations seriously and gives its many good and committed staff the support they need to implement the necessary changes.
"The review provides a strong set of proposals. I will closely monitor ACC's progress as it implements these changes."
Ms Shroff says the data security breach at ACC has provided a timely warning to both public and private sector organisations.
"Agencies that hold large amounts of personal information should be taking note of what has happened at ACC and learn from its mistakes. Many organisations will recognise it could just as easily be them in the headlines."
View the Independent Review of ACC Privacy and Security of Information.