ACC has 'an almost cavalier attitude' to clients – privacy commissioner
Strengthening board governance of personal information management.
Stengthening privacy leadership and strategy.
Enhancing ACC's privacy programme.
Strengthening the organisational structure.
Strengthening privacy accountability.
Reviewing and updating business processes and systems.
Providing additional resources to clear backlogs on privacy related processes.
Among some of the changes, the board will be required to include the word "privacy" in its terms of reference for committees responsible for privacy monitoring.
The recommendations also call for better staff training and "day-to-day" leadership of ACC's privacy programme.
There is also a recommendation to treat security as a business issue, rather than an IT issue and establish a clear process for managing "near-misses" and privacy breaches
ACC will also be required to shift its culture to include privacy, while encouraging staff to immediately report issues and near-misses.
Earlier this year, then-ACC chief executive Ralph Stewart admitted a staff member mistakenly sent out details of more than 6000 claimants by email to Ms Pullar in August last year.
He said a spreadsheet with records of the name of the client, their claim number and local ACC branch were attached to the email.
Two hundred and fifty people with sensitive claims could be identified. Those claims are made when sexual abuse or assault results in a mental injury.
The Pullar affair subsequently led to former ACC minister Nick Smith resigning his portfolios, ACC board chairman John Judge’s departure, along with Mr Stewart, deputy chairman John McCliskie, director Rob Campbell and then board member Murray Hilder.
ACC interim chairwoman Paula Rebstock has welcomed the recommendations and says ACC will be implementing them in full.
She acknowledges the events of the past six months have raised serious questions about the insurer's management systems and its privacy.
"If something goes wrong, we must have systems to respond quickly and appropriately, and just as importantly, we need to find out what went wrong so we can try to prevent it happening again."
Meanwhile, Ms Provost's report will be tabled in parliament later today.
She launched her investigation in April.
At the time, she said her investigation would cover aspects of ACC’s governance not being examined elsewhere, including:
- Policies and practices at ACC for managing risks relating to conflicts of interest, legal compliance, and communications between board members and clients and staff.
- Policies and practices that apply when claimants personally contact board members.
- How any matters relating to Ms Pullar that came to the attention of the board or individual board members were dealt with on any other matters that the auditor-general considers it desirable to report on.
ACC has since apologised to those claimants whose details were leaked.