Independent Team Issues Review of ACC Privacy and Security
The Office of the Privacy Commissioner has issued yesterday a review of the privacy and security of information at the Accident Compensation Corporation (ACC) following a comprehensive review by an independent team.
The team, comprising KPMG and Information Integrity Solutions Pty Limited, examined how a major data breach that compromised personal details of 6,748 ACC clients took place, and the appropriateness and effectiveness of ACC’s privacy and security policies and practices.
“Information is arguably the most critical asset in any organisation today. The challenge of protecting personal information has never been greater.” says Malcolm Crompton, former Australian Privacy Commissioner and Managing Director of Information Integrity Solutions Pty Limited. “While ACC has suffered a significant data breach, other organisations, both public and private, could face the same.”
The review cited genuine human error as the culprit. But the review team added that such an error was more likely to occur because of systemic weaknesses within ACC’s culture, systems and processes.
“ACC’s subsequent response process could also have been better if appropriate policies, practices, escalation protocols and the right culture were in place to allow for transparency of breach handling atthe appropriate levels, in an appropriate manner,” KPMG said.
The recommendations of the review team are as follows:
ACC needs to put in place clear policies that create a positive privacy mindset as part of rebuilding customer trust and establishing a ‘firm but also seen as fair’ image in the minds of the public.
Strengthen Board governance of personal information management.
Strengthen privacy leadership and strategy.
Enhance its privacy programme.
Strengthen the organisational culture.
Strengthen privacy accountability.
Review and update business processes and systems.
Provide additional resources to clear backlogs on privacy related processes.
KPMG Partner Souella Cumming said: “An organisation’s data needs to be protected by thorough and effective risk mitigation strategies to the same or higher levels as other vital assets. Without these strategies in place, the organisation is at risk of significant reputational damage.”
Malcolm Crompton and Souella Cumming commented: “We emphasise the significance of a culture and environment where personal information is valued. This must be supported by an approach to compliance with the privacy principles that is embedded within governance, leadership, business processes and systems.”