New Zealand / Policy

ACC staffer breached client privacy after snooping in sensitive claim - review authority

11:52 am on 10 March 2022

ACC has apologised to an abuse survivor after an employee breached her privacy by looking at her sensitive claim while investigating her husband for suspected fraud.

Photo: RNZ/Vinay Ranchhod

RNZ reported the case of Matthew* who discovered 92 ACC staff had looked at his sensitive claim file, which relates to sexual abuse, 356 times since it had been closed.

His wife Kate* later discovered an ACC investigator had twice looked at her own sensitive claim file in October 2017 as part of his investigation into her husband. Matthew was later cleared of any wrongdoing.

ACC last year dismissed a complaint from Kate that the investigator had breached her privacy under the ACC Code of Claimants Rights, which states clients' privacy must be respected. But an independent review of ACC's decision has now found the agency's original decision was "not correct".

The Independent Complaint and Review Authority (ICRA) found "ACC had breached [Kate's] right to privacy when it accessed her sensitive claim file".

Kate said the win was "bittersweet".

"Even though the review's come back in my favour, it doesn't really make me happy. They've gone through some pretty horrific personal stuff of mine and they have disregarded the importance of going through that stuff.

"And I've had to go through a review process to prove that it shouldn't have been gone through," she said.

The ICRA decision, seen by RNZ, found ACC had a right to investigate possible fraud but it did not have "unbridled" power to do so, and it did not need to access Kate's file in order to investigate Matthew.

"In this case, I am not convinced that the breach was done out of necessity or relevance," the reviewer said. There was also "no explanation" for how the investigator, who no longer worked for ACC, even knew Kate had a sensitive claim in the first place.

It directed ACC to issue a written apology to Kate, which she has received, and recommended the agency "review and consider its safeguards for staff to access sensitive claims".

"Surely accessing a sensitive claim, given its subject matter, should only be allowed in the rarest of circumstances and clearest of cases," it said.

"Unfortunately, there is no indication of why [Kate's] claim was accessed, which could have been avoided if a system was implemented that required ACC to input a clear explanation before accessing sensitive claims."

An independent review by lawyer Linda Clark into how ACC staff access client information was announced in November after RNZ revealed a group of call centre staff shared, and laughed at, clients' injuries and personal information in a private Snapchat group. This review was expected to be completed mid-2022.

ACC's written apology to Kate, seen by RNZ, said its investigations team no longer had access to sensitive claims files and it had also reminded them claims can only be accessed for "legitimate business reasons and that records must be kept as to why that file was accessed".

Access was removed in November 2021 after the agency made changes to limit the number of staff who could look at sensitive claims, ACC told RNZ.

"We also reviewed the other roles that had historically included sensitive claims access and have had this de-coupled. These roles included Resolution Specialists, Claimant Support Co-ordinator, Examining Officer and Ministerial writing," ACC acting chief operating officer Gabrielle O'Connor said in a statement.

ACC investigators had to complete activity logs of their investigations, including reasons for accessing client information, because they could be used as evidence in a court of law, O'Connor said.

Activity logs were unique to investigations staff and were not part of the client management system footprint report.

ACC stopped publishing staff names on digital footprints issued to clients on request, after RNZ's story about Matthew and Kate was published.

Matthew was now seeking a review of ACC's decision to dismiss his complaint that his privacy had also been breached.

*Names have been changed.