The ACC Blunder-Bus
Ooops! An inadvertent click and drag by an ACC manager attaches a file of the names of 6,748 claimants to an email to a claimant who had been complaining about the behaviour of a medical adviser.
It appears that the claimant doesn't realise what she's been sent for some time to come, but, in the meanwhile, she in turn inadvertently forwards the attachment as part of a further set of complaints about ACC to the State Services Commission.
In her battle with the ACC, the claimant looks up an old acquaintance, who is now ACC's deputy chairperson. She raises concerns about the Corporation's compliance with its own code of claimants' rights and about its so-called 'independent' medical assessors. The chair and deputy chair agree that they can kick the matter downstairs to management, thinking it's a purely operational issue. According to the Report put out by the Auditor-General, the directors should have recognised that some of the issues raised by the claimant were more than merely operational ones concerning her particular claim - but rather they implied reputational risks to the Corporation that the Board should have taken a more direct responsibility for. At least the report clears them all of any suggestion that the contact with the claimant led to any material advantage for her regarding her claim.
Once the claimant meets with the managers tasked with sweeping things under the carpet, however, it's revealed only then that there's been a massive privacy breach. ACC ask her to return the file of private information and to delete it from her computer, but they fail to make sure that this has been done until after the whole affair gets blown up in the media a few months later. Clearly ACC have some work to do on their privacy policies - and let's not forget that they do keep files on most of us, arising from one thing or another, including some very sensitive personal matters.
I would say that the rest is history, if it weren't for the fact that there are more revelations to come.
At least the Privacy Commission's report on 'the story so far' is independent, thorough and apparently robust. The Minister seems determined to implement the many recommendations. But we have yet to find out who leaked the identity of the claimant to the media...
And we have yet to find out about a few other things too: Like how the ACC plans to ensure that its medical assessors are genuinely independent (rather than deeply in the Corporation's pocket), and how the Corporation plans to avoid turning rehabilitation into a battle with claimants (as compared with a collaborative client-centred process).
And there's a question too for Ms Pullar: Exactly when did she become aware that the file of personal information had been sent to her?
4 Comments:
OAG and Privacy Report confirm 26 October
Thanks, I must have missed that detail.
I read the State Services Commissioner received in the same file October and they never knew that had the mass privacy breach file at all in an entire 6 months.
From all accounts the information was imbedded and seemed hard to detect.
Seems like ACC's story about Pullar was all was all bullshit and spin.
The true story is now clear. Pullar didn't know she had it for almost 3 months, and when she did know she dealt with it professional by informing ACC at a meeting - hoping ACC would properly managed the situation properly. ACC clearly wanted to bury it, but Pullar wouldn't let them. She exposed ACC for their incompetency, then ACC ridiculed Pullar by exposing her name. Then ACC lied to Police in the hope Pullar might rot in jail for exposing the secret of the breach and incomptenices in handling the situation.
That's one he'll of a sick vindictive culture.
We don't yet know if it was anyone from ACC who leaked Pullar's identity. That's still under investigation. ACC had reason not to leak her identity, as they had nothing to gain (and a lot to lose, as it turns out) from her going public with her complaints.
ACC did lay a complaint against her, but I'm not sure if you can claim that they 'lied', even though the Police decided not to lay charges.
However, it's fair to say that the whole affair has exposed ACC's shortcomings in their dealings with long-term claimants.
But, if Ms Pullar knew about the leak on 26 October, why did it take her till 1 December to alert ACC of the privacy breach?
And, once Ms Pullar had revealed it to ACC at the 1 December meeting (along with the long list of other matters) she should immediately after have returned and deleted the file. She should not have hung onto it as if it were a form of leverage. ACC failed to follow up until the matter went public in March, that's true, but she too had some responsibility there.
So, I'm not convinced that Ms Pullar's actions were completely 'professional'. All the same, I have to lay most of the blame on ACC's doorstep, as one of their people made the big error to start with, and they failed to deal with it properly.
Post a Comment
<< Home