Disclosing information Policy v5.0

Summary

Objective
When disclosing any information, we must ensure that it is covered under either the Official Information Act (OIA) 1982 or the Privacy Act 1993. We must also take care to protect the privacy of individuals at all times (see Privacy check before disclosing information).

There are a number of methods we can use to disclose information. For each method there are rules you need to follow and the processes for each are documented on CHIPS. They are outlined and linked below.

Owner
9(2)(a)
Expert
9(2)(a)

Policy

1.0 Disclosing information using email
a If you're using email to send or receive client information ensure you:
• remember the "one email, one client" rule. Each email you send, with or without attachments, must only refer to a single client or recipient
• send your email and attachments to a verified email address
• complete a privacy check
• check all email threads and delete any information that is not relevant to the client
• ask another staff member to double check attachments if you have any doubts about sending the information
• never use a Multi-Functional Device (MFD) to send documents outside of ACC
• use the 'SmartGate' email notification to check all attachments before sending your email.

2.0 Processes
Send an email from Eos
http://thesauce/team-spaces/eos-online-help/contact/email-toolset/send-an-email-from-eos/index.htm
Verify an email address in Eos
http://thesauce/team-spaces/eos-online-help/contact/email-toolset/verify-an-email-address-in-eos/index.htm

3.0 More information:
Communication using email
http://thesauce/team-spaces/chips/clients/communication/policy/email-/communication-using-email/index.htm
Risks associated with email communication
http://thesauce/team-spaces/chips/clients/communication/policy/email-/email-risks/index.htm
What to include in emails to clients, providers and employers
http://thesauce/team-spaces/chips/clients/communication/policy/email-/what-to-include-in-emails-to-clients-providers--employers/index.htm

4.0 Disclosing information by post
a You can use post to send client information to a verified address if it's NOT a substantial enclosure, or it's on a password protected CD.

You can send substantial enclosures by post instead of Track & Trace Courier, however, you must:
• obtain the client’s agreement for it to be posted, ESPECIALLY if it contains sensitive information. Ensure you have explained the nature of the material in the enclosure
• ensure your conversation, and the client's agreement to send by post, is clearly recorded in EOS (e.g. Contact note)
• check with the client before sending each enclosure.

If the client has any concerns about the material being posted then you must use an alternative delivery method, such as a courier.

You must carefully check the items that you place in the envelope to make sure:
• they relate to the right client, the right claim(s) and the right request
• multi-page items are stapled and there are no missing pages or extra pages attached.

Ensure the envelope is securely sealed before sending.

5.0 Disclosing information by courier
a You can only use a courier to provide information to a client, client advocate or client lawyer if you have the client's consent to do so. This consent must come after you've made them aware of all the risks involved with sending their information by courier (see the ACC6181 Receiving personal information by courier information sheet).

All courier packages should be sent using ACC’s preferred supplier NZ Couriers, with exceptions applying for:
• urgent deliveries – use Sub60
• PO Box or Private Bag deliveries – use Courier Post (NZ Post).

Before providing any information by courier, you must:
• check the recipient's address is "Verified" and "Valid"
• confirm the recipient's authority to receive the information
• place the information in a clearly addressed envelope or package before you put it in the courier bag.

If you want to send sensitive or confidential information by courier you must use the 'pre-alert' method.

6.0 Processes
Preparing and sending a courier package
http://thesauce/team-spaces/chips/clients/information-disclosure-and-requests/process/preparing-and-sending-a-courier-package/index.htm
Sending confidential information by courier using pre-alert
http://thesauce/team-spaces/chips/clients/information-disclosure-and-requests/process/sending-confidential-information-by-courier-using-pre-alert/index.htm

7.0 Disclosing information by fax
a Faxing information is to be used as a LAST resort for disclosing information. The other options above should be looked into first.

8.0 Process
Sending information by fax
http://thesauce/team-spaces/chips/clients/communication/process/sending-information-by-fax/index.htm

ACC > Claims Management > Manage Client Information > Operational Policies > Communication > Information disclosure and request > Disclosing information Policy
Uncontrolled Copy Only : Version 5.0 : Last Edited Thursday, October 1, 2020 3:40 PM : Printed Monday, October 5, 2020 9:56 AM

Disclosure of clients’ health information to employers Policy v4.0

Summary

Objective
This page sets out the rules around what client health information ACC can disclose to employers. We can only disclose clients’ health information when doing so is consistent with the purposes for which it was collected. ACC is a health agency for the purposes of the Health Information Privacy Code 1994 and, therefore, is responsible for the actions of its agents under the Privacy Act 1993.

Not all information on a client’s file can be made available to an employer – even for a work-related injury. If you are unsure, discuss any requests with your team manager or Privacy Team.

This policy does not apply to pre-employment checks of clients’ claims histories. That information is found on the Pre-employment checks policy page.

Owner
9(2)(a)
Expert
9(2)(a)

Policy

1.0 Rules
a ACC and its agents can only give a client’s health information to their employer if the information:
• will clearly help speed up or improve their rehabilitation
• is needed to assess their entitlement to cover and compensation
• is needed to help us apply the Accident Compensation (Experience Rating) Regulations 2011.

These are the purposes for which we collect clients’ health information.

2.0 What you can disclose
a To help a client’s rehabilitation you may give the following information to a client’s employer:
• what tasks the client can do now
• steps a client can safely take towards resuming their previous duties
• timeframes for return to work duties
• what help the employee will need in the workplace.

These criteria apply to both work and non-work injuries.

3.0 Work injury claims
a In addition to the above information, we must also tell employers what the claim cover decision is for work injuries. This will include the reasons included in the cover decision letter. (See AC Act 2001, Section 64).

Because work injury claims affect an employer’s experience rating, they may apply to ACC for a review of a decision about whether a client’s injury is related to their employment with that employer, or whether the injury occurred in the workplace. If this happens, we need to provide information relating to whether the injury happened at work. Other irrelevant information such as treatment provided or non-injury related health information should not be provided.

4.0 What you can’t disclose
a Employers may need to know what recommendations are contained in a client’s rehabilitation plan, but they do not need to see the plan in its entirety. It is important that we only give employers information that meets the above criteria.

If an employer asks for information about non-work injuries or for information not covered by '2.0 What you can disclose', say we are unable to provide this information and suggest that they should ask the client. If they keep asking, escalate the request to your team manager.

Even if a client gives ACC consent to release information, eg a Stay at Work report, we can only release those parts of the report that meet the criteria under '2.0 What you can disclose'. Check with your team manager or the Privacy Team if you are unsure.

If a client says that they are happy for their employer to see information but the information does not meet the criteria in '2.0 What you can disclose', suggest that the client review the information before making a decision, or give the information to the employer themselves.

Co-morbidities such as drug use, diabetes etc, should not be disclosed to the employer.

Sometimes employees may be obliged to disclose health information to their employer under the Health and Safety in Employment Act 1992, however, ACC is not obliged to disclose information to employers to help them meet their obligations under this Act.

5.0 Public safety exception
a There may occasionally be situations where ACC must decide whether to disclose a client’s health information because doing so would prevent or lessen a serious threat to public health and safety or to the life or health of an individual. See – Privacy Principle 11(f).

You should not consider releasing information under this exception without very good reason. You must consult the Privacy Team before releasing information under this exception.

6.0 Client withholds consent
a If a client says they do not want information to be disclosed to their employer, you will need to discuss this with the client, particularly if the information meets the criteria under '2.0 What you can disclose'.

ACC > Claims Management > Manage Client Information > Operational Policies > Communication > Information disclosure and request > Disclosure of clients’ health information to employers Policy
Uncontrolled Copy Only : Version 4.0 : Last Edited Tuesday, July 14, 2020 4:45 PM : Printed Monday, October 5, 2020 9:57 AM

Limits on using and disclosing information Policy v3.0

Summary

Objective
We must have very good reasons to release information about a client to any other person or organisation. Principles 10 and 11 of the Privacy Act 1993 (Privacy Act) set out how we can use and disclose the client information that we've collected.

As of 1 December the Privacy Act 1993 will be the Privacy Act 2020. Please contact the Privacy Team if this page has not been updated by December 2020.

Owner
9(2)(a)
Expert
9(2)(a)

Policy

1.0 Rules
a We may only use or disclose information for the purposes that we collected it for. Once we’ve obtained personal information for one purpose we cannot use or disclose it for another purpose.

The branch or unit manager must decide whether to disclose information outside of the normal purpose (i.e. claims management), after consulting with the Privacy team if needed.

We are able to disclose client health information to parents or guardians of clients under the age of 16 where a duty of care exists. Once a client is over the age of 16 we must not disclose information to their parents or guardians unless an Authority to Act is obtained. Please see "Disclosure may be contrary to the interest of a person under 16 Policy" for more information.

Screen captures of Eos information or from other internal systems, taken with the Snipping Tool, are useful for purposes such as training material or raising queries to Helpdesk. Use the Snipping Tool to grab only the information you need to copy, then paste it into a new document or email. For further advice, particularly if you wish to send information externally, please consult with the Privacy team.

Disclosure may be contrary to the interest of a person under 16 Policy
https://au.promapp.com/accnz/Process/626edb08-ce2c-4049-a05f-171934bb33e1

2.0 Exceptions
a Under the Privacy Act, Section 6, Information Privacy Principles 10 and 11, we may use or disclose information for a different purpose if we reasonably believe that it's necessary. These situations include:
• to assist legal proceedings and investigations
• to avoid a serious and imminent threat to public health or safety, or the life or health of the individual concerned.

If you are unsure whether an exception applies, please contact the Privacy Team.

For details see Complete information privacy principles.

Complete information privacy principles
http://thesauce/team-spaces/chips/clients/client-privacy/reference/complete-information-privacyprinciples/index.htm

3.0 Disclosing information to employers
a There are limits to what information we can disclose about a client to their employer. In general, we may only disclose information about work-related injuries to employers.
• You may only disclose client information to their employer if it’s about a specific work-related injury
• Do not disclose information about a non-work injury to an employer, unless you have the client’s consent to do so
• Encourage the client to provide any relevant information to the employer themselves.

Please see "Disclosure of clients' health information to employers Policy" for more information.

Disclosure of clients' health information to employers Policy
https://go.promapp.com/accnz/Process/9841edd8-7ca6-4ca0-a5ab-b143d455971c

4.0 ACC45 Injury claim form
a You must take particular care when the employer information provided on an ACC45 is incomplete or confusing.

If the employer is a 'franchise' employer, you must make sure you have the correct employer location. If needed, seek further clarification from the client.

NOTE Example
McDonald's Wellington could mean any McDonald's outlet in the Wellington city area, not just the central city location.

5.0 Work-related injury notifications
a If we send a work-related injury notification to an incorrect address this is still a breach of the client's privacy, even if we’ve taken reasonable care to locate the correct employer.

Where an employer denies that a claim is work-related, there is no breach if we’ve notified the correct employer.

ACC > Claims Management > Manage Client Information > Operational Policies > Communication > Information disclosure and request > Limits on using and disclosing information Policy
Uncontrolled Copy Only : Version 3.0 : Last Edited Tuesday, August 4, 2020 11:35 AM : Printed Monday, October 5, 2020 9:58 AM

Manage requests for client information from insurers Policy v3.0

Summary

Objective
We receive requests for information about our clients from insurers to inform their decisions on insurance cover and services.

We must assess and provide the requested information in accordance with the Official Information Act 1982 (OIA) because they are requests from third parties. We must also comply with the Privacy Act 1993 (Privacy Act) and ACC processes. See Requests for personal information and Official information requests.

Owner
9(2)(a)
Expert
9(2)(a)

Policy

1.0 Requests from insurers for our clients’ information
a When a request is received from an insurer, you must:
• make sure the request is specific enough for you to identify what information is being asked for. If you’re unsure and cannot identify what’s required you must ask the insurer to refine their request
• make sure the insurer provides written ‘authorisation to collect’ what information they’re asking for. Make sure the information complies with the Privacy Act and meets the requirements below. Alternatively, we can ask our client to authorise disclosure by ACC
• send copies of the information to the insurer.
• The information must go directly to the insurer
• Information must not be given to the client to pass on to the insurer
• only provide a copy of the released information to the client when requested. Preferably in a secure format, to mitigate any risk of breaching privacy.

It’s the insurer’s responsibility to make sure they do not collect more personal information than they need.

If our client is concerned about information the insurer has requested, do not release the information. If there are any issues about the requested information it must be resolved between the client and insurer.

2.0 Requirements for assessing insurers’ authorisations
a Before disclosing information you must be confident that the client is aware of:
• the information is being collected
• the purpose of the information being collected
• the intended recipient of the information
• the name and address of:
- the health agency (in this case, the insurer) collecting the information, and
- the health agency that will hold the information.

You must also consider:
• how old is the authorisation?
• will our client remember authorising the insurer to collect the information?
• will the client still agree to the collection?
• how sensitive is the client’s information?
• does the scope of the insurer’s request cause concern?

If an insurer’s authorisation to collect information isn't adequate regarding the Privacy Act, we can't rely on our client’s authorisation to disclose their information.

If you have any questions about whether an insurer’s authorisation form is acceptable, please contact the Privacy Team.

ACC > Claims Management > Manage Client Information > Operational Policies > Communication > Information disclosure and request > Manage requests for client information from insurers Policy
Uncontrolled Copy Only : Version 3.0 : Last Edited Tuesday, November 19, 2019 9:50 AM : Printed Monday, October 5, 2020 9:59 AM

Personal information requests Policy v5.0

Summary

Objective
The Privacy Act 1993 (Privacy Act) and the Health Information Privacy Code 1994 (Health Information Privacy Code) provide legislation for protecting individual privacy and managing personal and health information.
• The Privacy Act contains 12 Information Privacy Principles for collecting, accessing and releasing personal information
• The Health Information Privacy Code 1994 contains 12 Health Information Privacy Rules for collecting, accessing and releasing an individual’s health information.

We must all understand these principles and rules when handling requests for the release of personal and health information. For more information see Differences between personal and health information.

As of 1 December 2020, the Privacy Act 2020 comes into effect. Please contact us if this page has not been updated by December 2020.

Owner
9(2)(a)
Expert
9(2)(a)

Policy

1.0 Office of the Privacy Commissioner
a The Office of the Privacy Commissioner is responsible for investigating complaints about the withholding or disclosure of personal information. Our Privacy team manages ACC’s liaison with the Office of the Privacy Commissioner.

2.0 Who can request personal information?
a Under the Privacy Act, only the client or a person with authority to act on their behalf may request information that we hold about a client.

Under the Official Information Act 1982 (OIA) the following parties may request information that we hold about a client:
• a third party administrator
• an insurance company assessing a related claim
• any other person or organisation.

Who can request personal information..PNG
All About Requesting Personal Information

3.0 Requests from members of Parliament
a We frequently receive enquiries from members of Parliament (MPs), or their electorate office staff, advising that they're acting on behalf of an ACC client or customers.

If you're concerned about disclosing or releasing the information, contact the client to confirm the MP is acting on their behalf. If you're unsure, contact Government Services for advice.

Government Services
http://thesauce/about-acc/groups/governance-group/government-engagement-and-support/index.htm

4.0 Requests from members of the New Zealand Police
a We occasionally receive requests from the Police for information about clients. These should be referred to the Privacy Team who will respond direct to the Police.

If you receive a written request, please email it to the Privacy Team on [email address].

If you receive a verbal request, advise the Police that they must make their request in writing (email or letter) and send it to The Privacy Officer, ACC, PO Box 242, Wellington 6140 or [email address].

Under no circumstances should you disclose any information about the client. If you have any questions, please contact the Privacy Team.

Manage requests for client information from insurers
http://thesauce/team-spaces/chips/clients/information-disclosure-and-requests/policy/client-information-requests-from-insurers/index.htm

5.0 Requests from insurance companies for client information
a If you receive a request from an insurance company for a copy of a client’s file(s), see Manage requests for client information from insurers.

6.0 Charging for information
a ACC cannot charge for providing personal information.

7.0 Response time
a Under the Privacy Act, we must make a decision on a request for personal information:
• as soon as reasonably practicable
• within a maximum of 20 working days after receiving the request.

8.0 Extension of response time
a Sometimes you may need a time extension to respond to a request for personal information. Extensions are allowed where:
• large quantities of information are involved
• searching through large quantities of information will unreasonably interfere with ACC’s operations
• you need to consult.

You may only make one request for an extension so you must be able to complete the response within the extended timeframe.

9.0 Formal notification of extension
a You must formally notify the requestor about an extension of time within the 20-working day limit and include the:
• extension period required
• reason(s) for the extension
• advice that the requestor has the right to lodge a complaint about the extension with the Office of the Privacy Commissioner.

INP02 Personal Information Request - Advise Time Extension

10.0 Transferring a personal information request
a If we don't hold the requested personal information, but know another government agency that does, we can transfer the request to the other agency under the Privacy Act, Section 39. The transfer must be arranged within 10 working days of the date of receiving the request.

11.0 Releasing personal information
a We must release requested personal information unless we have good reasons to withhold it. See "Withholding personal information".

Withholding Personal Information
https://go.promapp.com/accnz/Process/Group/b03db99d-c7aa-435b-861d-be15ac9932a3

12.0 Withholding personal information
a If we have good reasons to withhold the information we may consider declining the request. See Examples of declining personal information requests.

Examples of declining personal information requests
http://thesauce/team-spaces/chips/clients/information-disclosure-and-requests/reference/examples-of-declining-personal-info-requests/index.htm

13.0 Releasing only part of the requested personal information
a Sometimes it's appropriate to release only part of the personal information requested, eg when the information identifies multiple individuals. The Privacy Act, Section 43 permits us to redact the part(s) of the document containing this information before releasing it. We must provide reasons for withholding any parts of the information.

The recipient must not be able to read any of the information that has been redacted.

We might also only provide part of the personal information requested if:
• we're satisfied, after consulting with the requestor’s medical practitioner, that disclosure would be likely to affect the requestor’s physical or mental health
• the request is frivolous or vexatious, or the information requested is trivial.

You must consult the Privacy team about any decision to decline a request based on it being frivolous, vexatious or trivial.

ACC > Claims Management > Manage Client Information > Operational Policies > Communication > Information disclosure and request > Personal information requests Policy
Uncontrolled Copy Only : Version 5.0 : Last Edited Monday, July 20, 2020 1:15 PM : Printed Monday, October 5, 2020 10:00 AM