Bronwyn Pullar, the woman at the centre of a massive privacy scandal at ACC is "delighted" with an independent report into the affair that identified "systemic weakness" in the way the corporation handled private client data.
The report by former Australian Privacy Commissioner Malcolm and accountancy firm KPMG released this afternoon examined what led to a spreadsheet containing details about 6748 clients being emailed to Ms Pullar last year, and ACC's response when it learned of the breach.
It concluded that that the breach was down to "a genuine human error, but that such an error was more likely to occur because of systemic weaknesses within ACC's culture, systems and processes".
The report also found ACC's subsequent response process could have been better "if appropriate policies, practices, escalation protocols and the right culture were in place to allow for transparency of breach handling at the appropriate levels in an appropriate manner".
"I'm delighted that the various investigations have highlighted the deficiencies with the way the ACC was being run," Ms Pullar said in a statement this afternoon.
"It gives me great heart to hear that the Minister is going to accept all the recommendations."
"I believe this outcome will provide much better and fairer processes for all New Zealanders who have dealings with ACC."
Also released this afternoon, a report by Auditor General Lyn Provost into whether Ms Pullar gained any advantage in the way her claim was treated because of her connections with board member John McCliskie, found no evidence that was the case.
That report, also released this afternoon did raise concerns that Mr McCliskie and then-chairman John Judge failed to recognise wider allegations of illegality and fraud at the corporation brought to their attention by Ms Pullar late last year.
"It seems that the board and ACC management were so focused on the appropriate separation of governance and operational matters that they did not recognise these issues as possible symptoms of systemic failure," said Ms Provost.
Meanwhile, Privacy Commissioner Marie Shroff, who commissioned the report by KPMG and Mr Crompton, said "a culture change starting at the top" was required by the corporation to prevent further privacy breaches.
In its report, the review team concluded that that the breach was down to "a genuine human error, but that such an error was more likely to occur because of systemic weaknesses within ACC's culture, systems and processes".
ACC's response to the breach could have been better with appropriate, policies, practices, escalation protocols and "the right culture".
The report largely confirmed ACC's version of events "that it was not aware of the breach until Ms Pullar met with its executives in December last year".
However, the report found that ACC could have done more to try and get the information back and inform affected clients than it did.
"While in hindsight an error of judgement, ACC did not appreciate the significance of the Breach until it was made public in March 2012 but the Independent Review team found that ACC could have done more to follow through on the information provided by the Client on 1 December 2011."
The review team said that the breach and 44 other alleged breaches "should have been escalated to the Privacy Officer and/or the Office of the Complaints Investigator soon after the 1 December meeting".
The review found ACC's current arrangements needed to be strengthened if they were to deliver "a sustainable approach to protecting personal information".
The review recommended a series of improvements to privacy handling starting the board and reaching down to the operational level including additional resources "to clear backlogs on privacy related processes including access requests and complaints".
Acting ACC chairwoman Paula Rebstock said the corporation would be implementing the reviews recommendations in full.
Ms Shroff said she accepted the breach was the result of a genuine error but indicated her concern at the systemic weaknesses revealed in the report.
It highlighted what one stakeholder had told reviewers was "an almost cavalier" attitude towards clients.
The report showed ACC lacked a comprehensive strategy for protecting and managing its client information.
"The review shows that information stewardship is low level and defensive and focuses on breaches and complaints rather than taking strong leadership that emphasises respect for clients and their information."
She said the recommendations were strong and she would closely monitor ACC's progress as it implemented them.
Labour Party ACC spokesman Andrew Little said the Privacy Commissioner's report into the ACC leaks is a litany of leadership gone wrong.
Mr Little said the public will know if the Government has taken the reports of the Privacy Commissioner and the Auditor-General seriously when it "appoints a minister who can win public confidence".
"The Commissioner says it is 'vital' for a change starting at the top.
"So let's start with Judith Collins. This whole fiasco is a direct consequence of the Government clearing out experienced board members, putting in their own, overseeing strategies aimed at cost cutting rather than treatment and rehabilitation.
It was not good enough to name and blame others, Mr Little said.
"The Cabinet that Ms Collins is part of has driven the agenda on this and she must take responsibility for the fallout.
"It's not enough for ACC to be a clip-on to a senior Minister's other roles."
Mr Little said if the Government was serious about change from the top then it should start by having a dedicated minister in the role who could work closely with the board and senior management to bring about the necessary changes.
The Green Party says the Auditor-General and independent inquiries into the Bronwyn Pullar matter reveal the corporation is in desperate need of a culture change.
Greens' ACC spokesman Kevin Hague said the reports provide compelling evidence that any changes should start from with the senior management, and be led by ACC Minister Judith Collins.
"The reports into ACC provide the most compelling evidence yet that the Government's focus on saving a buck has caused ACC to lose sight of its role in helping injured and vulnerable New Zealanders.
"These are two of the most damning reports on a government entity I've ever read," said Mr Hague.
"The reports reveal a corporation bumbling along with archaic ideas about communication and responsibility, which meant it failed both to treat claimants with decency and to recognise enormous risks to the organisation even when they hit it in the face," said Mr Hague.
He said the Privacy Commissioner highlighted 'an almost cavalier attitude towards its clients and to the protection of their private information'.
"It is clear that if board chairman John Judge had not already resigned, he would have been sacked today," said Mr Hague.
He said given the seriousness of the findings, Ms Collins should request the Auditor General bring forward her review into claims management at ACC.
"Most of the serious claims Ms Pullar made appear not to have been considered by the board.
"What's now needed is for visionary leadership to turn this organisation around and focus on the original principals on which it was founded,'' said Mr Hague.
"The Minister must ensure that future appointments to the board are up to this task.''