Media release - 23 August 2012
The Independent Review of ACC Privacy and Security of Information
A review of the Privacy and Security of Information at the Accident Compensation Corporation was released by the Office of the Privacy Commissioner and ACC’s Board today following a comprehensive review by an Independent Review Team comprising KPMG and Information Integrity Solutions Pty Limited.
The review examined the circumstances relating to a major data breach involving the inadvertent release of personal details of 6,748 ACC clients, and the appropriateness and effectiveness of ACC’s privacy and security policies and practices.
“Information is arguably the most critical asset in any organisation today. The challenge of protecting personal information has never been greater.” says Malcolm Crompton, former Australian Privacy Commissioner and Managing Director of Information Integrity Solutions Pty Limited. “While ACC has suffered a significant data breach, other organisations, both public and private, could face the same.”
The Independent Review Team concluded that the breach that occurred was a genuine human error, but that such an error was more likely to occur because of systemic weaknesses within ACC’s culture, systems and processes. ACC’s subsequent response process could also have been better if appropriate policies, practices, escalation protocols and the right culture were in place to allow for transparency of breach handling atthe appropriate levels, in an appropriate manner.
The Recommendations of the Review Team are comprehensive:
- ACC needs to put in place clear policies that create a positive privacy mindset as part of rebuilding customer trust and establishing a ‘firm but also seen as fair’ image in the minds of the public.
- Strengthen Board governance of personal information management.
- Strengthen privacy leadership and strategy.
- Enhance its privacy programme.
- Strengthen the organisational culture.
- Strengthen privacy accountability.
- Review and update business processes and systems.
- Provide additional resources to clear backlogs on privacy related processes.
KPMG Partner Souella Cumming commented that “An organisation’s data needs to be protected by thorough and effective risk mitigation strategies to the same or higher levels as other vital assets. Without these strategies in place, the organisation is at risk of significant reputational damage.”
Malcolm Crompton and Souella Cumming noted “We emphasise the significance of a culture and environment where personal information is valued. This must be supported by an approach to compliance with the privacy principles that is embedded within governance, leadership, business processes and systems.”
This forms the basis of the recommendations in the report of the Independent Review Team.
For media inquiries please contact:
+64 9 367 5977
+64 21 335 740