Independent Review of ACC’s Privacy and Security of Information
22 August 2012

KPMG Centre
Level 3
10 Customhouse Quay
P.O. Box 996
Wellington
New Zealand
Telephone: +64 4 816 4500
www.kpmg.co.nz

53 Balfour Street
Chippendale NSW
PO Box 978
Strawberry Hills NSW 2012
Australia
Telephone: +61 2 8303 2438
www.iispartners.com

Privacy Commissioner
Office of the Privacy Commissioner
109-111 Featherston Street
Wellington 6143

Interim Chairperson
Accident Compensation Corporation
PO Box 242
Wellington 6140

22 August 2012

Independent Review of ACC’s Privacy and Security of Information

We have completed our work in relation to the Independent Review of Accident Compensation Corporation’s Privacy and Security of Information in accordance with the Terms of Reference dated 23 March 2012.

We appreciate the commitment and co-operation from Accident Compensation Corporation staff and management. We would also like to thank the external stakeholders and other organisations that contributed to the Independent Review.

We would be happy to answer questions relating to our report, or provide more information about our Independent Review, at your convenience.

Yours sincerely

Souella Cumming
Partner
KPMG

Malcolm Crompton
Managing Director
Information Integrity Solutions Pty Ltd

© 2012 KPMG, a New Zealand partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in New Zealand. © Copyright 2012 Information Integrity Solutions Pty Ltd a company incorporated in the State of Victoria Australia. All rights reserved.
Contents

1 Executive summary 3
1.1 ACC in the 21st Century 3
1.2 Context to the Independent Review 3
1.3 Objectives of the Independent Review 4
1.4 Overall assessment 4
1.5 Auckland Privacy Breach – findings 5
1.6 Privacy and Security Practices Assessment – findings 8
1.7 Recommendations 9
2 Review Recommendations 11
3 Introduction and Review objectives 21
3.1 Introduction 21
3.2 Review objectives and scope 22
3.3 Approach to the Independent Review 23
3.4 Privacy management good practice framework 26
4 Auckland Privacy Breach – findings 28
4.1 Investigation of the unauthorised release of information 28
4.2 What happened 28
4.3 ACC response to the Breach 32
4.4 Appropriateness of response 34
4.5 Systemic issues arising from the Breach 35
5 Overview of ACC’s approach to privacy 36
5.1 ACC’s privacy management approach 36
5.2 Privacy and security policies and procedures 39
5.3 ACC’s current collection and handling of personal information 40
6 Stakeholder input 44
6.1 Internal stakeholders 44
6.2 External stakeholders 44
7 Comparison with other organisations 47
8 Privacy and security practices review – findings and recommendations 49
8.1 Board governance 50
8.2 Leadership including privacy strategy 52
8.3 Privacy programme 54
8.4 Culture 63
8.5 Accountability 65
8.6 Business processes and systems 66
8.7 Backlogs and establishment of the new Business as Usual 67
8.8 Compliance with the IPPs and the HIPRs 68
Appendix 1 – Review Terms of Reference 78
Appendix 2 – About ACC 86
Appendix 3 – Interviews conducted for the review 93
Appendix 4 – Chronology of events relating to the Breach 96
Appendix 5 – The Breach information 98
Appendix 6 – Organisational chart (extract) 100
Glossary 101

Disclaimers

Our report was prepared solely in accordance with the specific terms of reference set out in the engagement letter agreed between ourselves, the Office of the Privacy Commissioner (“OPC”) and the Accident Compensation Corporation (“ACC”) Board, and for no other purpose. Other than our responsibility to the OPC and the ACC Board, neither KPMG, Information Integrity Solutions (“IIS”) nor any member or employee of KPMG or IIS undertakes responsibility arising in any way from reliance placed by a third party on this report. Any reliance placed is that party’s sole responsibility. KPMG and IIS expressly disclaim any and all liability for any loss or damage of whatever kind to any person acting on information contained in this report, other than the OPC and the ACC Board.

The report is based upon qualitative information provided by ACC. KPMG and IIS have considered and relied upon this information. KPMG and IIS believe that the information provided was reliable, complete and not misleading and have no reason to believe that any material facts have been withheld. The information provided has been evaluated through analysis, enquiry and review for the purposes of this report. However, KPMG and IIS do not warrant that these enquiries have identified or verified all of the matters which an audit, extensive examination or due diligence investigation might disclose.
The statements and opinions expressed in this report have been made in good faith and on the basis that all relevant information for the purposes of preparing this report has been provided by ACC and that all such information is true and accurate in all material aspects and not misleading by reason of omission or otherwise. Accordingly, neither KPMG, IIS nor their partners, directors, employees or agents accept any responsibility or liability for any such information being inaccurate, incomplete, unreliable or not soundly based, or for any errors in the analysis, statements and opinions provided in this report resulting directly or indirectly from any such circumstances or from any assumptions upon which this report is based proving unjustified.

The report dated 22 August 2012 was prepared based on the information available at the time. KPMG and IIS have no obligation to update our report or revise the information contained therein due to events and transactions occurring subsequent to the date of the report.

1 Executive summary

1.1 ACC in the 21st Century

Historically, the assets of a company could easily be quantified by numbers on a balance sheet, or physical assets. In the information age, this is no longer the case. Information is arguably the most critical asset in any organisation. Keeping it safe and preserving its value is one of the most difficult challenges. Personal information makes the challenge more complex, with rising community expectations and legal and regulatory factors impacting on an organisation’s activities.
The value and risks involved in handling personal information are now changing very rapidly. In the words of a report to the World Economic Forum, “the explosive growth in the quantity and quality of personal data has created a significant opportunity to create new forms of economic and social value.” By the same token, “individual perceptions of harm and powerlessness versus organisational feelings of control and ownership” have meant that individuals “are beginning to lose trust in how organisations and governments are using data about them…”1.

One significant implication of these developments is the emergence of data breaches as a fact of life globally. Some of the breaches have been massive. In 2007, the UK Department of Revenue and Customs lost a CD containing personal details of virtually every child in the UK. In 2006, a laptop belonging to the US Department of Veterans’ Affairs was stolen containing the names, dates of birth and social security numbers of about 26.5 million active duty troops and veterans. Data breaches in the private sector have compromised personal information of more than 100 million individuals at a time. The lesson for all organisations, large and small, government or business, is to be on their guard and manage a rapidly increasing risk, both to minimise the possibility of data breaches and to have sound response strategies when they do occur.

The Accident Compensation Corporation (“ACC”) is a large organisation which provides New Zealanders with personal accident insurance cover. It deals with a range of short and long term claims, some of which are very complex in nature, requiring a substantial amount of health related and personal information to be collected and assessed. Personal information is one of the most significant assets ACC has to manage.
In agencies such as ACC, whose interaction with people and personal information is critical and central to their function, effective privacy management and a culture of respecting personal information must be a clear priority and given appropriate strategic importance. The impact of the information revolution on ACC means that the value of the personal data in its custody is increasing rapidly, with a commensurate impact on the risk exposure of ACC both in regards to data breach and the respectful management of personal data. Both point to the need for a renewed emphasis on governance of personal data including its risk management.

1.2 Context to the Independent Review

The Office of the Privacy Commissioner (“OPC”) in conjunction with the ACC Board requested an independent review of ACC’s practices in relation to privacy and security of information as a result of a significant data security breach that occurred on 5 August 2011 and that became public in March 2012 (“Auckland Privacy Breach” or “the Breach”). The Breach involved the unauthorised disclosure of details of 6,748 clients.

1 See the World Economic Forum Report Rethinking Personal Data: Strengthening Trust and the related report Personal Data: The Emergence of a New Asset Class which are available at www.weforum.org/issues/rethinking-personal-data/

KPMG and Information Integrity Solutions Pty Limited (“IIS”), led by former Australian Privacy Commissioner Malcolm Crompton, were appointed as the Independent Review Team to conduct the Independent Review.
The Independent Review was conducted in the context of ACC dealing with the consequences of the Breach, both for its affected clients and for its own management and practices. As the seriousness of the Breach became apparent, ACC’s Board, Chief Executive and Executive Management commenced a number of internal reviews, and ACC has already made a number of changes in its privacy management approach and structures.

1.3 Objectives of the Independent Review

The Independent Review was constituted and guided by the Terms of Reference, which are set out in Appendix 1. The Terms of Reference require the Independent Review to make an independent assessment of ACC’s Privacy and Security of Information and to specifically report back on:

■ The circumstances of the Breach including the cause(s) and ACC’s response.
■ The appropriateness of policies and practices (including comparability with private sector practices, consistency with good practice in the public sector and the health sector, and appropriateness in terms of the risk related to the nature of the client data/information maintained by ACC).
■ The effectiveness of policies and practices (in the context of addressing staff and client needs for access to information, maintaining confidentiality and privacy, communication, compliance, monitoring and the culture of the organisation).
■ Recommendations to the OPC and the ACC Board to restore and increase public confidence in ACC’s current and future client information handling policies and processes.

The Independent Review Team has made its assessment based on information available at the time of the Independent Review (April to August 2012). The Independent Review Team sought input from a range of internal and external stakeholders. Comparative analysis was completed with a number of other organisations on their approach to, and delivery of, privacy programmes from the perspective of risk management, compliance and accountability.
The scope and approach to the Independent Review is set out more fully in Section 3.

1.4 Overall assessment

Data is pervasive throughout all levels of business, from the initial contact with the customer through to the information and reports that the Board and Chief Executive rely on to make decisions. An organisation’s data needs to be protected by thorough and effective risk mitigation strategies to the same (or higher) levels as other vital assets. Without these strategies in place, the organisation is at risk of significant reputational damage.

The nature of ACC’s operations, the number of complex and long-term claims, combined with the manual nature of many of its processes and technology systems, has resulted in ACC having a history of privacy breaches and complaints. The Independent Review Team concluded that the Breach that occurred was a genuine error, but that errors are able to happen because of systemic weaknesses within ACC’s culture, systems and processes. The subsequent “response process” could also have been better if appropriate policies, practices, escalation protocols and the “right culture” were in place to allow for transparency of breach handling at the appropriate levels, in an appropriate manner. A similar incident is much more likely to happen again in the current environment if the issues identified in this Independent Review are not addressed systematically and systemically.
The Independent Review Team found that there are critically important areas of privacy management and better privacy practice which, if adopted, should strengthen ACC’s ability to meet its compliance obligations, to better protect its clients’ privacy and to improve customer service. The recommendations in this report will support delivery of ACC’s 2012-2015 Business Plan objectives, which place a renewed emphasis on customer service and privacy. The recommendations are also consistent with the Government’s priorities as outlined in the Service and Purchase Agreement 2012-2015.

1.5 Auckland Privacy Breach – findings

The sequence of events leading up to and arising from the Auckland Privacy Breach is set out in some detail below, in light of the considerable public interest in the Breach. The Independent Review Team bases this chronology on the evidence of the materials available to it and the interviews it conducted. These developments are considered in more detail in Section 4 of this report, while Appendix 4 sets out a more detailed chronology of events.

On 5 August 2011 the manager of the Northern Region Recover Independence Services Team (the “RIS Manager”) was drafting an email response in reply to one received four days earlier from an Auckland based ACC client (the “Client”). In the course of drafting, the RIS Manager inadvertently clicked and dragged an unrelated email so that it became an attachment to the email being drafted. The unrelated email included a spreadsheet containing information about 6,748 ACC clients, including the Client. The information related to the status of clients’ reviews with Dispute Resolution Services Limited (“DRSL”). DRSL is an independent company which manages facilitation, mediation and review hearings for ACC clients who are unhappy with a decision or outcome relating to their claim. The DRSL information is included in a monthly management report distributed by the National Manager RIS to the regional RIS managers.
The Independent Review Team ascertained from interviews that the RIS Manager, rather than the Client’s normal case manager, was involved in responding to the Client in this particular circumstance because the Client was requesting a response to a complaint previously made by the Client regarding a medical advisor. The RIS Manager had been reviewing the monthly management report containing the DRSL information around the same time as responding to the Client, although it was not directly relevant to the response. This could be viewed as a hazard of multi-tasking in this instance. The Independent Review Team has ascertained from interviews that ACC has informal guidance discouraging working on more than one client file at a time.

The Client was one of the 6,748 ACC clients included on the spreadsheet. The Client informed the Independent Review Team that it was not until 26 October 2011 that the Client became aware of the extent of personal detail about other ACC clients included in the 5 August 2011 email response from the RIS Manager.

The Independent Review Team ascertained the following from the information reviewed, interviews with the Client and the Senior Advisor, Integrity at the State Services Commission (“SSC”):

■ On 26 October 2011, the Client forwarded the 5 August 2011 email to the SSC. This email included the original attachments because most email systems, by default, will include any attachments when forwarding email as opposed to replying. The purpose of the email was to inform the SSC about the circumstances surrounding the Client’s claim with ACC. The Client did not inform the SSC about the Breach at that time. The Client informed the Independent Review Team that it was only after sending the 26 October 2011 email to the SSC that the Client looked in detail at the spreadsheet containing the personal information about other ACC clients.
■ The SSC was not aware that it had received the spreadsheets containing the personal information until 23 March 2012, shortly after the Breach became public. The Senior Advisor, Integrity informed the Independent Review Team that “This email was one of 18 emails containing 65 attachments sent [from the Client to the SSC] within a 90 minute period”.

By December 2011 the Client had been a client of ACC for nearly nine years and had had a number of interactions with ACC that do not form part of this Independent Review. The events that the Independent Review Team consider most relevant between 5 August 2011 and 1 December 2011 began with the Client contacting a member of ACC’s Board. That initial contact, which resulted in a meeting between the Client and an ACC Board member, set off a series of events leading up to the 1 December 2011 meeting in which the Breach was discussed.

■ On 1 September 2011 the Client contacted a member of ACC’s Board by email to arrange a meeting to discuss “… a number of issues regarding ACC – compliance and personal”. The Client met that Board member on 14 September 2011 to discuss the Client’s concerns with the way ACC was handling claims and managing personal information, and specifically the Client’s claim. The Client did not mention anything about the Breach at this meeting, as the Client informs the Independent Review Team the Client was unaware of it at that time. Later that same day the Board member sent an email to the Chair of the Board about the meeting with the Client and the issues raised by the Client.
This led to ACC setting up a meeting with the Client, which was arranged for 1 December 2011. ACC understood that the purpose of the 1 December 2011 meeting was to listen to the Client’s concerns regarding the Client’s rehabilitation with the view to agreeing a way forward.

ACC was first notified of the Breach on 1 December 2011 during the course of a meeting between two ACC Managers and the Client. The Client made a voice recording of the meeting without the knowledge of the ACC Managers. While the Independent Review Team was not given a copy of this recording, four members of the team were given permission and listened to the recording of the 1 December meeting on 28 June 2012 and again on 9 August 2012. The following was ascertained:

■ Those present at the meeting included the Client, the Client’s support person, the Northern Area Manager and the National Manager RIS. A list of 45 alleged breaches by ACC of legislation, guidelines and codes was prepared by the Client prior to the meeting on 1 December 2011. The list, which included reference to the Breach as one of the 45 alleged breaches, was referred to several times during the meeting; however, the ACC Managers did not receive the list until the end of the meeting. This was because it was not the intention of the Client to address each and every alleged breach on the list at the meeting, but to discuss a proposal for a way forward with regard to the Client’s own claim.
■ During the course of the meeting, the ACC Managers were informed that the Client had received an email sent in “error by one of your staff”. The email “contained thousands of elements of highly sensitive health information”. One of the ACC Managers asked if the Client “still had the email” and if it had been deleted.
The Client confirmed “I’ve got every email since the day my claim started”, that the email included personal information about the Client “plus about six and a half thousand other claimants, and names and claim numbers and conditions and details”.
■ When the Breach came to the attention of the ACC Managers at the meeting, the Northern Area Manager asked “Are we aware of that [the Breach]?”. The ACC Managers were told by the Client “No”. The National Manager RIS stated, “if there’s a privacy breach that has originated from ACC, then absolutely we should be aware of it. Because if it relates to other people, then we need to make them aware that there has been a privacy breach”. Later the National Manager RIS stated, “one of the things we clearly want is to get hold of that”. The Client’s support person agreed to this stipulation and stated “that it’s never going to be used.” Neither ACC Manager explicitly requested at the meeting that the information related to the Breach be returned.

The Independent Review Team did not find any evidence that ACC was aware of the Breach prior to the 1 December 2011 meeting. As a consequence of not being aware of the Breach until this date, ACC did not take any action on or after 5 August 2011, the date the Breach actually occurred.