Dear Accident Compensation Corporation,

In May 2022, Linda Clark provided the ACC Board was contracted to review ACC's compliance with the privacy legislation. This report titled, Independent review
of access to and use of client information at ACC, is available on ACC's website.

ACC CEO, Megan Main, stated that ACC has "an action plan in place to implement all its recommendations". I am requesting a copy of ACC's action plan, as well as the evidence of ACC having implemented and actioned the recommendations in the report.

In the event that any of the issues raised in the report have not been addressed, I seek a list of those, as well as the reasons for why ACC has not implemented changes to address those issues in the last +1 year.

I make a request under the OIA and the Code.

Yours faithfully,

AS Van Wey

Dear Accident Compensation Corporation,

This is a follow up on my request, which I make pursuant to the Code and OIA.

In Independent review of access to and use of client information at ACC, Ms Clark wrote:
32. In our view, irrespective of whether access is authorised or unauthorised, it is reasonable for clients and advocates to feel a degree of anxiety when faced with the knowledge that any file (let alone a file containing information of great sensitivity to a client) has been accessed over 300 times by 92 ACC personnel. Or, as the advocate did, that a file had been accessed in association with an investigation into another person. We identify later in this report the issues raised by this incident.

48. These issues highlight tensions that push and pull two ways. In the case of the Access Incident:
a. Clients are entitled to expect that the minimum number of 'eyes' will access their personal information, and that only those staff with a legitimate reason for accessing their files (or certain information in their file) will do so. This requires ACC to have clearly defined boundaries for determining who should have access and for what purpose. All ACC staff need to understand these boundaries and know what applies to them and the work they do; but also
b. ACC staff, particularly call centre workers, manage multiple calls each shift with each client seeking a swift response to a personal and pressing query, preferably without being 'passed on' to a second or third ACC staff member. Providing this level of service requires ready access to client information. Requests cover a range of issues that are unpredictable. Call centre workers may need to access a wide range of different information across a large number of calls each day; and
c. There needs to be regular monitoring and auditing of information and clients can be reassured all access is necessary and in their interests access so that staff are deterred from the temptation to browse any client.
...
50. In both cases, we were surprised to learn of the significant administrative issues engaged when ACC sets out to audit access or act on complaints about unauthorised access. Addressing these issues, together with the circumstances which contribute to such high volumes of access involves an analysis of ACC's systems and processes (which we comment on further in Part 7 (Systems)).

91. ... b.The Code of Conduct requires staff to 'take all reasonable steps to protect the privacy of clients' but it provides no explanation about what that means in practice (that is, what is appropriate and inappropriate behaviours in the context of client information) (see our comments at paragraphs 117 to 123).

163. In particular:...f. The systems that ACC relies on to manage personal information contribute to the disconnect between clients' expectations about how their information will be treated and how ACC actually handles that information. It is not unreasonable for individuals to be surprised when they learn about how many personnel have accessed their information held by ACC. It is incumbent on ACC to ensure that it takes all reasonable steps to ensure individuals are aware of how ACC manages their information, and how many ‘eyes’ might legitimately access a file.
g There are steps ACC can take to codify and explain the client information journey, from
collection to destruction.

Thus, addition to the information I had already requested, I seek specifically, the following:

ACC found it "reasonable" that over 90 people accessed Mr M's sexual abuse claim, even after it was closed. ACC found it "reasonable" that ACC employees shared client information on SnapChat.

(1) Please provide the updated definition of "reasonable", when referring to reasonableness of actions, decision making, access to claimant information, obtaining claimant information, and disclosing claimant information.
(2) The "reasonable" number of persons who will access any given claim, based on level of complexity (please specify how the level of complexity is determined).
(3) Definition of "necessary access". For instance, suppose a client calls the ACC call centre . The claimant requests that they be directed to a named department e.g., complaints Team, Resolution Team, Privacy Team) or asks to be directed to a specific individual (e.g., name of their claim manager or the review specialist). The ACC rep requests personal information and then accesses the claimant's file. I do not think it is "necessary" for a switchboard operator to access my personal information to transfer a call to a specified person, but ACC switchboard operators do. Is it "necessary" for the ACC call centre rep to access a claimant's information when all they are asked to do is transfer a call to the appropriate person or department? If so, please provide the rational as to why a person who is acting as a switchboard operator needs to access personal information in order to transfer a call to a specified person or team.
(4) An explanation of the client informatino journey, from collection to destruction, including stages in which ACC must communicate with the claimant to discuss the actions, seek consent to obtain or disclose the information, determine which information will be collected and from whom, how it will be used, disclose information, to the claimant and seek clarification on what may or may not be disclosed, or what needs to be corrected, etc.
(5) Access definitions and thresholds for all personnel, by employment type.
(6) Information on 'permissions' process to grant only certain persons access to EOS, and the information, policies, and process that govern who, and in what circumstances, access to EOS will be granted.
(7) Policies and process to ensure maintain an up-to-date role map and access granted commiserate with the role
(8) Employee roles of persons who have "open gate access" to claimant files, based on claim category. Number of ACC employees who have "open gate access" to EOS.
(9) Current number of ACC employees.
(10) Number of number of ACC employees , based on role and department, who "open gate access" to
(a) sensitive claims,
(b) VIP claims,
(c) RCU clients, t
(d) treatment injury claims,
(e) staff claims,
(f) claims transferred to Te Ara Tika,
(g) and all other claim categories not specified (please specify the category).
(11) Number of number of ACC employees, based on role and department, who have "limited access" (with the inclusion of the description of "limited access") to
(a) sensitive claims,
(b) VIP claims,
(c) RCU clients, t
(d) treatment injury claims,
(e) staff claims,
(f) claims transferred to Te Ara Tika,
(g) and all other claim categories not specified (please specify the category).
(12) Processes, procedures, rules, guidelines, manuals and other documents which describe how a claimant can determine who may and may not have access to their claim information, and to what extent.
(13) Processes, procedures, rules, guidelines, manuals and other documents for changing the claim manager or SCA when the relationship between the claimant and the claim manager or SCA is dysfunctional and when requested by the claimant.
(14) Processes, procedures, rules, guidelines, manuals and other documents for changing the review specialist or resolution specialist, when the relationship between the claimant the review specialist or resolution specialist is dysfunctional, and when requested by the claimant.

To be clear, dysfunctional communication includes when the ACC employee fails to provide any notifications, in accordance with the legislation and Code, fails to seek to clarify the issues with the claimant, fails to communicate with the claimant in accordance with ACC's policies, fails to seek informed consent when obtaining or disclosing information, fails to ensure all decisions are made on accurate and complete information, fails to communicate with the claimant before making decisions, fails to meet statutory deadlines and ACC deadlines, fails to engage in reviews in a manner consistent with ACC's policies, provides the claimant with "patently wrong" information (as the FairWay Reviewer described it), and in general, conducts themselves in a manner which is patently inconsistent with their employment agreement, ACC's policies, the Code and the law.

Thanks again for all your help.

Yours faithfully,

AS Van Wey