The New Zealand victim of alleged sexual assault by a Korean diplomat says ACC call centre staff divulged information about his sensitive claim to someone claiming to represent the Korean embassy, and he lives in constant fear it could happen again.
The man, whose case made headlines in 2020 and sparked an extradition debate, decided to speak out after RNZ exposed privacy breaches by ACC call centre staff and concerns about inappropriate access to sensitive claim files.
He was worried ACC had learned nothing from his experience when call centre staff, on two separate occasions in 2019, gave out information about his sensitive claim to a man claiming to be lawyer representing the Korean embassy, where he worked at the time of the alleged assaults.
In both calls the call centre staff also failed to ask the lawyer's name, verify his identity or ask for a password that was in place to protect the man's files. ACC later admitted to the man that it still did not know who the caller was.
Given the nature of the incident and the potential political implications, the man had requested ACC take extra steps to protect his privacy. "I warned them that I was worried about the information getting into the wrong hands."
"I still have nightmares about it today. It's horrible to be sexually assaulted but what is worse is when your dignity through the recovery from that is not respected."
The man, who cannot be named for legal reasons, claimed he was assaulted three times by the Korean embassy's deputy ambassador Hongkon Kim in Wellington in 2017.
He went to police in 2019 after an internal investigation by the embassy resulted in no action. Police charged Kim, who had already returned to Korea, with three counts of indecent assault in early 2020. Police later decided they would not seek his extradition back to New Zealand, despite the Korean government requesting New Zealand do so.
The man, who continues to suffer from post-traumatic stress disorder as a result of the attacks, sought help from a psychologist, who recommended he open a sensitive claim with ACC, which he did in March 2019.
The following month, on two separate occasions, a man claiming to be a lawyer representing the Korean embassy called ACC to ask about the man's claim.
In recordings heard by RNZ, call centre staff failed to ask the man's name, verify his credentials or ask for the password for the claim file. The caller said the embassy had received a letter about an ACC claim from the man but it "doesn't give that much information".
The man said at the time, the embassy only knew he had an ACC claim and had taken time off work. It did not know the claim was a sensitive claim, which relates to sexual abuse.
Despite having a password on his claim for added security, the call centre workers failed to ask the caller for the password on the man's file and told the caller the claim had been approved for "early planning" which meant he could now see a therapist. Early planning is a term ACC uses to describe the process that sensitive claimants go through with their therapist to decide how their treatment should progress.
The man only discovered this information had been given out after receiving a letter from his employer stating they had discussed his claim with ACC.
"My concern here is that a person claiming to be a lawyer contacted ACC and he was able to obtain information that he was not entitled to receive.
"The call centre staff should not have shared any information over the phone with this person. They did not even attempt to verify the information that the person had. They should have also checked the identity of the person they were talking to, but they didn't," the man said.
ACC apologised for the errors in June 2019. In a letter seen by RNZ, ACC's then head of privacy Arran Jones wrote: "I would like to apologise for the staff not using the password you provided and for having confirmed that your claim had been approved for early planning, and that you could see a therapist. This information should not have been provided without seeking your permission first."
At the time of receiving the letter, the man understood ACC was apologising for breaching his privacy and failing to follow security protocols. But in a response to RNZ, ACC said it did not consider what had happened a privacy breach.
"ACC did not breach the privacy of the client. During a conversation with the client's employer's lawyer, information was discussed that the client had previously shared with their employer."
This was incorrect, the man said.
"I had provided information in a redacted letter that confirmed I had a claim lodged with ACC and that ACC was providing support to me with that."
The embassy did not know the man's claim was a sensitive claim until the call centre staff alluded to it and he was dismayed that ACC now insisted there had been no privacy breach.
"It's extremely invalidating."
ACC refused to answer several other questions on the basis there had not been a privacy breach.
"ACC will make no further comment about this client," it said in a statement.
The man's lawyer, Chris Boys, said he was in no doubt his client's privacy had been breached.
"They've shared information without checking who it was they were sharing it with to begin with, and then after that, they've not looked at what was agreed by the client in terms of what he's comfortable with them sharing."
These errors often came down to a matter of training for staff, which was concerning given ACC's history of privacy breaches, Boys said.
"You would have thought that the level of training and the level of knowledge of the staff should be incredibly high when it comes to these sorts of issues."
Lawyer John Miller, who had no connection to the case and regularly acts for ACC claimants, also believed a privacy breach had occurred.
"It's very worrying if you know that your information is not secure and that it is being given out to someone who is potentially against your interest. I think that heightens the fact that it's an offensive invasion of privacy."
The man said the fact 14 ACC call centre staff had been stood down pending an investigation into inappropriate sharing of client information, as revealed by RNZ, confirmed his fears that training was still inadequate.
"ACC don't seem to have learned, and I live in fear every day that the same thing may just happen again tomorrow, because these issues just keep coming up at ACC.
"That's why I'm talking to you now, because if I don't talk to you, nothing's going to change," the man said.
He had some comfort that ACC now treated his file as VIP, a measure normally reserved for high-profile clients such as politicians, which meant he had the highest level of security. He was also managed by a separate unit that dealt with complex or difficult claims.
"I choose to remain in that unit because it's a place where no one from ACC has any access to any information other than the few staff who work in that unit. I fear however that changes in ACC sensitive claim management may erode these increased protections."
He felt, however, it was wrong that only a few claimants were given the high levels of security he had. "Why is the prime minister of New Zealand entitled to greater security, personal privacy protections than any victim of sexual crime in New Zealand? Everyone should be treated with this same exceptionally high level of privacy."
He hoped the independent review into how ACC deals with client information recently announced in the wake of inappropriate information sharing among staff, would include the views of sensitive claimants.
"ACC has to speak to sensitive claimants and hear directly from them. They will never create an improved system that can protect people unless they actually hear about the impact that this has on people.
"I strongly urge anyone who has concerns about ACC privacy to come forward and I hope that ACC will provide a way to enable this and ensure that our concerns are taken seriously."