20 February 2024
[FYI request #25177 email]
Kia ora Anon
Your Official Information Act request, reference: GOV-030178
Thank you for your request of 25 January 2024, asking for the following information under the Official
Information Act 1982 (the Act):
Please provide me with all documentation that shows that ACC's use of sending private health
records via email meets the standards set by the Government Chief Privacy Officer and the
Government Chief Information Privacy Officer (Department of Internal Affairs).
The Office of the Privacy Commissioner repeatedly states that email is not secure from interception
or unauthorised access, and thus fails to meet the requirements set out in s 22, IPP 5, of the Privacy
Act 2020, or the Health Information Privacy Code 2020, rule 5. I have noticed that ACC does not
even take the step to ensure that health records are password protected when sending
electronically to third parties. Again, I ask for a list of methods that meet the standards set by the
government, and which ACC is legally obliged to comply with under the Privacy Act and the HIPC.
The Office of the Privacy Commissioner has provided advice on whether personal information can be
sent securely by email
This advice states that emails with personal information can be sent provided reasonable steps are made to
secure the information: www.privacy.org.nz/tools/knowledge-base/view/229?t=1234058_1387568.
ACC follows clear guidance when emailing personal information to providers
Embedded in ACC’s processes are the instructions which must be followed to maintain the privacy and
security of client information. For example, the instructions to complete a provider referral to a Medical
Case Review Assessment can be viewed online:
www.acc.co.nz/assets/Policy-and-procedure-documents/arrange-medical-case-review-mcr-assessment.pdf.
Further, we have attached the document Inbound and Outbound Document Checks Supporting Information,
which identifies the types of checks we undertake to ensure we are meeting our privacy obligations. This
document is used over several Recovery Administration/Recovery Team Member tasks and in conjunction
with instructions such as Emailing from Eos using a Template – System Steps. We have also attached these
system steps as they ensure referral documents are only sent to verified email addresses.
As this information may be of interest to other members of the public
ACC may decide to proactively release a copy of this response on ACC’s website. All requester data,
including your name and contact details, will be removed prior to release. The released response will be
made available at www.acc.co.nz/resources/#/category/12.
If you have any questions about this response, please get in touch
You can email me at [email address].
Ngā mihi
Christopher Johnston
Manager Official Information Act Services
Government Engagement