19 May 2012

Privacy breaches may indicate systemic security flaw

6:05 am on 19 May 2012

Further privacy breaches at the Government's accident compensation arm, ACC, suggests the corporation may have systemic security problems, says a lawyer who specialises in privacy cases, Kathryn Dalzeil.

ACC has admitted another breach after levy notices of more than 100 business clients were sent to the wrong person last week.

Investigations by the police, the auditor general and the Privacy Commissioner are already underway into other breaches by ACC involving information of thousands of clients being mistakenly sent to another client.

Another report says a Christchurch man was sent a document by Inland Revenue containing the personal details of another IRD client.

Ms Dalzeil says ACC needs to launch an urgent audit of their systems in conjunction with the Privacy Commissioner.

She says until the investigations are completed it won't be known if there are serious systematic problems with the corporation, but the breaches mean there are some urgent changes that need to be put in place.

Privacy Commissioner, Marie Shroff says private businesses seem to value their clients' privacy more than government departments.

Ms Shroff says businesses realise that if they are careless with their customers information, they could lose customer trust and retention.

Agencies sometimes require people's personal information, but they need to earn the public's trust they will protect that information, says Ms Shroff.

A specialist in computer security says organisations such as the Accident Compensation Corporation and the Inland Revenue need external audits into computer privacy procedures to try to stem privacy breaches.

Associate Professor Henry Wolfe of Otago University says such breaches can most likely be blamed on human carelessness rather than problems with computer systems.

He says an independent investigation would catch security problems and provide an opportunity to correct the flaws. "You make more progress by fixing the problem than fixing the blame," he said.

ACC says it is disappointed in the latest breach of client privacy - the information about more than 100 business clients sent to the wrong people - and a complete review of its security systems is being undertaken.

ACC chief executive Ralph Stewart says the 118 outstanding employer and self-employed levy notices were sent to the wrong person because of a problem with a mail-merger, where computer software automatically aligns addresses with a letter's content.

ACC Minister Judith Collins says ACC still has work to do to get its policies and practices right.