Today, the NZ Herald reported:
ACC data leak turned out to contain nothing personal.
Among the Christmas cards I get at work there is always one from the Privacy Commissioner, Marie Shroff. Invariably it contains a good visual gag.
This year's features a Slane cartoon of a boy stuck with his head and upper body in a Dutch dyke and a passer-by explains to another, "The leak was worse than first thought".
I hope the irony was intended, because it's time to acknowledge that the biggest leak of the year, the one that the news kept calling a "massive privacy breach" which the commissioner had to investigate, turned out not to be very big at all.
John Roughan seems to be questioning whether ACC leaking the names and details of 7000 claimants, including 250 sensitive-claims clients who were victims of sexual abuse and violent crimes, was a big deal... What an idiot!
If leaking thousands of people's personal information isn't a 'massive privacy breach', I don't know what is.
It sounded serious when it was first reported that the personal details of thousands of ACC claimants had been accidentally emailed to one unnamed claimant. Among them were said to be victims of sexual offences.
Said to be victims of sexual offences? Trying to dismiss this as a non-event is bad enough, especially when Roughan is doing his best to ignore the facts of the matter, but providing disinformation of this magnitude in New Zealand's main newspaper is entirely unacceptable.
One of the undeniable facts that Roughan has ignored is that the leaked information did contain the addresses, names and other private details of victims of sexual abuse and violent crimes. Instead of acknowledging the seriousness of the problem, Roughan decides to belittle those that do understand the magnitude and scope of the privacy breach.
Meanwhile, Labour and the Greens made a sustained attack on ACC's "culture", not just its carelessness with email but its determination to check all claims rigorously and get the injured back to work quickly.
The story took on so many dimensions and ran for so long that the Privacy Commissioner's investigation of the original data leak became little more than a footnote.
Actually the Greens and Labour were raising concerns that the Privacy Commissioner, Marie Shroff, also concluded were serious problems within ACC. Roughan is trying to rewrite history here, and doing a pretty lousy job of it.
By the time they presented the Privacy Commissioner with their report, the country was sick of the subject and hardly anybody read it.
How on earth would Roughan know that? He obviously doesn't have access to the download statistics of the Privacy Commissioner's report (PDF), and is therefore lying like the fool he is.
It ran to 102 pages. You had to read to page 99 to discover exactly what sort of confidential client information had escaped.
But finally, in the fifth appendix, there it was: a sample of the fabled spreadsheet of "personal" data. It consisted of four tables listing claimants' names (removed for the report), their claim numbers, review numbers, branch, lodgement dates, issue codes, decision dates and the like.
That was it. That is all there was.
There was nothing that could be of the slightest use or interest to anyone outside ACC. No personal details alongside the names, no injury information, nothing.
What a load of turgid rubbish! Firstly the leaked information contained addresses, which would be of interest to more than just ACC staff. The victims of violent or sexual crimes would not want their addresses known by their abusers and many of those abusers would be interested in where their victims lived. Only a complete fool would think that such information wasn't important.
The other fact that Roughan is ignoring is that sensitive claims are identified at registration through their injury code and these codes were included in the leaked information. Therefore the leaked information directly identified people who were the victims of sexual and violent crimes. The codes within the leaked information also outline exactly what injuries were inflicted.
Saying that the victims of violent and sexual crimes weren't directly identified in the leaked information when they were is a particularly disgusting part of Roughan's propaganda. Either through sheer ignorance or contemptible, blatant disinformation, Roughan is displaying a complete lack of journalistic integrity. The deluded old hack then has the gall to question reports that deal in facts.
That is what all the fuss had been about.
The thing that disappointed me was that so many people had known all along that the "massive privacy breach" amounted to nothing more than this. Investigative reporters, the Privacy Commissioner, her Independent Review Team, all would have discovered the contents of the spreadsheet very quickly.
None blew the whistle. No reports that I saw looked critically at the facts at the heart of a story that kept on growing and giving. The Privacy Commissioner did not say something to restore a sense of proportion. The review team, no doubt well paid, went about its investigation as though there was a serious problem.
Roughan is correct that nobody else worth mentioning is dismissing the massive privacy breach at ACC or the Privacy Commissioner's report... That's simply because they shouldn't be brushed under the carpet like the ignoramus Roughan is trying to do.
The sense of proportion for Roughan seems to be that he wasn't directly affected and so he doesn't care. But what's even worse is that he's actively lying to try and dismiss the problems inherent in the way ACC operates, with the Independent Review Team concluding that:
The Breach that occurred was a genuine error but that errors are able to happen because of systemic weaknesses within ACC’s culture, systems and processes. The subsequent “response process” could also have been better if appropriate policies, practices, escalation protocols and the “right culture” were in place to allow for transparency of breach handling at the appropriate levels, in an appropriate manner. A similar incident is much more likely to happen again in the current environment if the issues identified in this Independent Review are not addressed systematically and systemically.
Perhaps the NZ Herald might like to report on any progress that ACC is making to address the issues identified by the Independent Review Team... Such an article would be worth reading, which is more than can be said for Roughan's tripe!
An accident had happened. An ACC rehabilitation officer had a monthly sheet of case reviews on his screen when he decided to respond to an email. He dragged the data aside, clicked a wrong button and unwittingly attached it to the return email.
Computers are a minefield for privacy. Accidents will happen, despite all the procedures the commissioner's expert team has laid down. It happened to Social Welfare kiosks a short time later.
Despite these privacy breaches both being a result of incompetence and a lack of proper procedures, they're different types of privacy breaches that cannot really be compared. That this fact, like many others, has entirely escaped John Roughan's awareness just goes to confirm that he's an idiot of the highest order. Let's hope he takes more than just a couple of weeks off over Christmas.