ACC has suspended another two employees due to alleged inappropriate sharing of client information.
One of the images shared by ACC employees on Snapchat. Photo: RNZ/Vinay Ranchhod
Twelve employees were stood down on Tuesday after RNZ revealed call centre staff were sharing details of people's injuries in a private Snapchat group.
Acting chief executive Mike Tully said during the investigation this week, ACC became aware of a further incident in Dunedin involving colleagues inappropriately discussing client names.
"On Thursday we took the step of suspending a further two people while we carry out an investigation," he said.
"This is totally unacceptable behaviour and I am appalled. We have a team of 4000 who work hard every day to support people to recover from injury and they are absolutely gutted about the actions of the people involved."
On Wednesday the ACC board announced plans for an independent review into the management of ACC data and client information, including sensitive claims.
The ACC Board is now working with Treasury, the monitoring agency of ACC, to confirm the terms of reference and appoint a person to lead this review.
Meanwhile, all front-line employees have begun refresher training on ACC's code of conduct, Tully said.
It was "likely" the investigation would reveal more instances of this activity, but he had made it extremely clear to staff that such behaviour would not be tolerated.
"We know this situation is impacting our clients, we have heard concerns from a number of them. We understand, are deeply sorry and apologise for the distress that has been caused."
Following an independent review of ACC's information security in 2012, the corporation agreed to carry out a privacy audit every two years.
However, Privacy Foundation chairperson Gehan Gunasekara said the last one appeared to be in 2014 - seven years ago.
"This is a significant privacy breach and should not occur in any organisation if there is a proper culture of privacy. It is deeply concerning that it has taken a whistle-blower to get some action."
Given recent revelations over inappropriate access to sensitive claims information, there were clearly systemic problems at ACC, he said.
"The recommendations of the independent review of ACC's Privacy and Security of Information appear not to have been sustained.
"It is important that this new review is thorough and gets to the bottom of what has gone wrong at ACC. The findings and recommendations of the review must be published with a timetabled programme to implement the recommendations.
"All ACC claimants, and especially those making sensitive claims, must have confidence that ACC will protect their personal and health information. ACC has work to do restore trust in its organisation and processes."
An ACC spokesperson said the corporation worked closely with the Office of the Privacy Commissioner and the Government Chief Privacy Officer.
There had been a range of ongoing internal and external risk and assurance across ACC including privacy on an ongoing basis, the spokesperson said. KPMG carried out privacy reviews in 2012, 2014, 2016 and 2018 as part of annual internal audit programmes.
