ACC data leak turned out to contain nothing personal.© 2012 APN Holdings NZ Ltd
Among the Christmas cards I get at work there is always one from the Privacy Commissioner, Marie Shroff. Invariably it contains a good visual gag. This year's features a Slane cartoon of a boy stuck with his head and upper body in a Dutch dyke and a passer-by explains to another, "The leak was worse than first thought".
I hope the irony was intended, because it's time to acknowledge that the biggest leak of the year, the one that the news kept calling a "massive privacy breach" which the commissioner had to investigate, turned out not to be very big at all.
It sounded serious when it was first reported that the personal details of thousands of ACC claimants had been accidentally emailed to one unnamed claimant.Among them were said to be victims of sexual offences.
Then someone on the side of ACC leaked back, naming the recipient and letting it be known she had turned up with a supporter, none other than National insider Michelle Boag, for a meeting where it was pointedly mentioned to her claim handlers that she was holding information she shouldn't have.
After that, the story took off in all directions, not all of them connected to the email accident. Nick Smith had to resign, there was palace intrigue over who leaked a memo from Boag to ACC minister, Judith Collins, who sued two MPs for suggesting it was her.
Grimly, she replaced ACC's chairman, deputy chairman, four board members and the chief executive.
Meanwhile, Labour and the Greens made a sustained attack on ACC's "culture", not just its carelessness with email but its determination to check all claims rigorously and get the injured back to work quickly. The story took on so many dimensions and ran for so long that the Privacy Commissioner's investigation of the original data leak became little more than a footnote.
But there was nothing minimal about her investigation. She appointed an independent review team of KPMG business consultants and a Melbourne company, Information Integrity Solutions Ltd, who together really went to town. From April to August they travelled the country, conducting by their own account more than 150 interviews at ACC's head office, its sensitive claims unit, six branch offices and two service centres.
They went far beyond "client facing" staff to talk to the myriad sections of the corporation that have to see claimants' confidential information: researchers, lawyers, risk assessors, injury prevention officers, assurance services, business intelligence, actuarial people, plus the complaints investigation team.
They talked to "external stakeholders": claimants, their advocates and associates, holding a workshop with some of them. They performed "walk-throughs" of the corporation's email handling habits, compared its information security practices with those of some other organisations, and much, much more.
By the time they presented the Privacy Commissioner with their report, the country was sick of the subject and hardly anybody read it.
It ran to 102 pages. You had to read to page 99 to discover exactly what sort of confidential client information had escaped.
But finally, in the fifth appendix, there it was: a sample of the fabled spreadsheet of "personal" data. It consisted of four tables listing claimants' names (removed for the report), their claim numbers, review numbers, branch, lodgement dates, issue codes, decision dates and the like.
That was it. That is all there was.
There was nothing that could be of the slightest use or interest to anyone outside ACC. No personal details alongside the names, no injury information, nothing.
That is what all the fuss had been about.
The thing that disappointed me was that so many people had known all along that the "massive privacy breach" amounted to nothing more than this. Investigative reporters, the Privacy Commissioner, her Independent Review Team, all would have discovered the contents of the spreadsheet very quickly.
None blew the whistle. No reports that I saw looked critically at the facts at the heart of a story that kept on growing and giving. The Privacy Commissioner did not say something to restore a sense of proportion. The review team, no doubt well paid, went about its investigation as though there was a serious problem.
An accident had happened. An ACC rehabilitation officer had a monthly sheet of case reviews on his screen when he decided to respond to an email. He dragged the data aside, clicked a wrong button and unwittingly attached it to the return email.
Computers are a minefield for privacy. Accidents will happen, despite all the procedures the commissioner's expert team has laid down. It happened to Social Welfare kiosks a short time later. If the data is as indecipherable as that ACC released, it won't matter in the slightest. It was the trivial story of the year.