14 Jun 2022

ACC review finds privacy policies outdated, poorly understood by staff

4:13 pm on 14 June 2022

A damning independent review has found ACC's privacy policies are outdated, have gaps and are poorly understood by staff.

ACC building in Wellington. ACC's privacy policies were based on outdated legislation, and staff understanding of what constituted a privacy breach was too "narrow", the review found. Photo: RNZ / Angus Dreaver

The review, carried out by lawyer Linda Clark and released today, was commissioned by ACC's board after RNZ revealed a group of call centre staff had shared, and laughed at, client information in a private Snapchat group, while another client discovered his old sensitive claim had been viewed more than 350 times by 92 staff.

ACC should treat client information as "taonga", something to be respected and protected, but this was not always the case, the review found.

"ACC's overall privacy culture is not strong and there is work to be done before all staff fully understand what is required to be protectors of client information," Clark wrote in her report.

"We identified gaps, both in the systems ACC depends on and in the organisation's overall culture."

ACC's privacy policies were based on outdated legislation, were "reactive, rather than proactive", and staff understanding of what constituted a privacy breach was too "narrow", the review found.

Thanks to work undertaken by ACC following a major privacy breach in 2011, staff understood the implications of wrongly sending client information to an outside third party, but they did not have the same understanding of information shared internally, the report said.

ACC also did not have adequate oversight of staff access to client information so it was impossible "to say with confidence" that employee browsing did not occur.

"Instead, managers rely on a certain belief that staff are too busy to browse," the review said.

"While we accept this at face value, it is nonetheless interesting that when asked about browsing no staff member responded that browsing would be a breach of privacy."

In the case of the Snapchat incident, the 12 call centre workers who shared information were new to ACC, most were under 30 years of age and some had not received privacy training.

Most of the image sharing occurred while working from home as a way to keep in touch with co-workers during the national alert level 4 lockdown in 2021 and as a way to deal with stressful work situations.

"For instance, if a Snapchat group member experienced a difficult or stressful client call, they might share that experience with the Snapchat group by videoing themselves speaking about the call and how it made them feel."

Introducing working from home and social media policies for staff was one of the 30 recommendations made by Clark to remedy privacy failures at the agency. But she also wanted ACC to do more to help call centre staff deal with the stress of their work.

"Frontline staff do need to decompress after some calls and there is an onus on ACC to ensure there are safe ways of doing so without breaching privacy or running counter to clients' expectations."

The fact the Snapchat whistleblower alerted the media rather than raising the incident internally highlighted that ACC's integrity policy "is not fit for purpose and not widely used or understood".

Some of these risks were highlighted by an internal review of ACC's new case management system but were not taken seriously, the review found.

The privacy impact assessment of the Next Generation Case Management system, undertaken as it was rolled out, raised concerns that an influx of new and temporary staff unfamiliar with the ramifications of the major 2012 privacy breach, and a move to manage clients in teams of case managers rather than individually, could lead to a "less rigorous approach to information management".

While clients had benefited from the new case management system, it also meant "more eyes potentially accessing each file", including sensitive claims, which related to sexual abuse.

Referring to the case of Matthew*, whose old sensitive claim was viewed hundreds of times by ACC staff, the review said: "In our view, irrespective of whether access is authorised or unauthorised, it is reasonable for clients and advocates to feel a degree of anxiety when faced with the knowledge that any file (let alone a file containing information of great sensitivity to a client) has been accessed over 300 times by 92 ACC personnel."

Following reporting by RNZ, an independent review found an ACC investigator breached the privacy of Matthew's wife after he looked at her sensitive claim while investigating Matthew. ACC is still investigating Matthew's privacy breach complaint.

In her report, Clark said the couple's experience highlighted some "concerning issues": which staff have access to information, poor auditing of that access, and the high-trust default model that ACC appeared to rely on, which put "more weight on supporting the organisation than protecting client personal information".

"The default position should be that all personal information must be protected."

ACC had since significantly reduced the number of staff with access to sensitive claims and was making changes to its systems to further restrict, and monitor, who had access to sensitive client information.

ACC chief executive Megan Main, who joined ACC in December, said the organisation accepted the review findings and would implement all of the recommendations.

"We have work to do to ensure it is not just about avoiding the release of information to the wrong person outside ACC, attaching the right file to the right email, but how we treat our clients' information internally, between ourselves, as well."

ACC chief executive Megan Main. Photo: RNZ / Samuel Rillstone

Changes being made included updating policies, adding more checks and balances to ACC systems, limiting and auditing access to people's files, and planning more training opportunities for employees, she said.

So far six of the 30 recommendations had been implemented but the remainder of the work would not be completed until the end of 2023.

In the meantime, clients could have confidence that their information was safe, she told RNZ.

"We handle almost 10,000 new claims every day, you know, 2 million claims per annum. I take every privacy incident seriously, but this was our first significant privacy incident in a decade."

She said ACC was putting things in place, including additional monitoring to give "assurance to give New Zealanders confidence that we are protecting their personal information".

The review recommended ACC provide updates on the implementation of the recommendations to the Office of the Privacy Commissioner every two months for the next year.

Acting Privacy Commissioner Liz MacPherson said the commission was pleased ACC was learning from the Snapchat incident.

"We are happy ACC is taking comprehensive action to ensure that it is taking good care of the often sensitive, personal information that New Zealanders entrust it with. We look forward to being assured that the underlying issues are being resolved as this work programme progresses."
