New Zealand: Accident Compensation Corporation to be audited every two years

An independent review into the privacy breach by the Accident Compensation Corporation (ACC) says that while the breach was a result of a genuine error, it happened due to systematic weaknesses within ACC’s culture, systems and processes. A similar breach is much more likely to happen again unless the organisation addresses these weaknesses.

The breach, which occurred in August 2011 and came to light in March 2012, involved unauthorised disclosure of personal details of 6,748 ACC clients, and resulted in more than 100 complaints from the affected individuals.

The New Zealand Privacy Commissioner, Marie Shroff, and the ACC Board commissioned an independent inquiry to look into the initial incident and into systemic issues regarding the way ACC handles personal information.

The review, published on 23 August, recommends that an independent audit of how ACC has implemented the changes is undertaken every two years and provided to the Privacy Commissioner.

The Privacy Commissioner welcomes the recommendation: “It’s evident from the report that a lot needs to change before public confidence in ACC can be restored. I believe it can be done, but only if ACC takes the review’s findings and recommendations seriously and gives its many good and committed staff the support they need to implement the necessary changes.”

“The review provides a strong set of proposals. I will closely monitor ACC’s progress as it implements these changes.”

ACC established a dedicated 0800 number at the time of the breach, as well as a team of specialist staff to respond to questions.