ACC privacy policies outdated and staff understanding of breaches “narrow”, review finds


A damning independent review found that ACC’s privacy policies are outdated, flawed and misunderstood by staff.

ACC’s privacy policies were based on outdated legislation, and staff’s understanding of what constituted a privacy breach was too “narrow”, the review found.

The review, carried out by lawyer Linda Clark and published today, was commissioned by the ACC board after RNZ revealed that a group of call centre staff had shared and laughed at customer information in a private Snapchat group, and that another customer had discovered his old sensitive claim had been viewed more than 350 times by 92 employees.

The ACC should treat customer information as “taonga,” something to be respected and protected, but that hasn’t always been the case, according to the review.

“ACC’s overall privacy culture is not strong and there is still work to be done before all staff fully understand what is needed to protect client information,” Clark wrote in her report.

“We have identified gaps, both in the systems on which ACC depends and in the overall culture of the organisation.”

ACC’s privacy policies were based on outdated legislation, were “reactive rather than proactive” and staff’s understanding of what constituted a privacy breach was too “narrow”, according to the review.

Through work undertaken by ACC following a major privacy breach in 2011, staff understood the implications of incorrectly sending customer information to an outside third party, but they did not have the same understanding of information shared internally, according to the report.

The ACC also lacked adequate oversight of staff access to customer information, so it was impossible to “say with certainty” that employee browsing had not occurred.

“Instead, managers rely on a certain belief that staff are too busy to browse,” the review says.


“While we accept this at face value, it is nonetheless interesting to note that when asked about browsing, no staff responded that browsing would be a breach of privacy.”

In the case of the Snapchat incident, the 12 call centre employees who shared information were new to ACC, most were under 30, and some had not received privacy training.

Most of the image sharing took place while working from home as a way to keep in touch with colleagues during the National Alert Level 4 lockdown in 2021 and as a way to deal with stressful work situations.

“For example, if a member of the Snapchat group had a difficult or stressful customer call, they can share that experience with the Snapchat group by filming themselves talking about the call and how they felt.”

Introducing work-from-home and social media policies for staff was one of 30 recommendations Clark made to address the agency’s privacy breaches. But she also wanted ACC to do more to help call centre staff cope with the stress of their jobs.

“Frontline staff need to decompress after certain calls and it is ACC’s responsibility to ensure that there are safe ways to do this without infringing on privacy or running counter to customer expectations.”

The fact that the Snapchat whistleblower alerted the media rather than reporting the incident internally underscored that ACC’s Integrity Policy “is not fit for purpose and not widely used or understood”.

Some of these risks were highlighted by an internal review of ACC’s new case management system, but were not taken seriously, according to the review.

The privacy impact assessment of the next-generation case management system, undertaken during its rollout, raised concerns that an influx of new hires and temporary employees unfamiliar with the ramifications of the 2012 Privacy Act breach, together with a tendency to manage clients in teams of case managers rather than individually, could lead to a “less rigorous approach to information management”.


While customers benefited from the new case management system, it also meant “more eyes that can access every file”, including sensitive claims such as those relating to sexual abuse.

Referring to the case of Matthew*, whose old sensitive claim had been viewed hundreds of times by ACC staff, the review said: “In our opinion, whether access is granted or not, it is reasonable for clients and attorneys to feel a degree of anxiety over the knowledge that any record (not to mention a record containing highly sensitive information for a client) has been viewed more than 300 times by 92 ACC staff members.”

Following a report by RNZ, an independent review found that an ACC investigator breached the privacy of Matthew’s wife by viewing her sensitive claim during the investigation into Matthew. ACC is still investigating Matthew’s own privacy breach complaint.

In her report, Clark said the couple’s experience highlighted some “worrying issues” around staff access to information, poor verification of that access, and the high-trust default model on which ACC seemed to rely, which placed “more weight on supporting the organisation than on protecting customers’ personal information”.

“The default position should be that all personal information should be protected.”

ACC had since significantly reduced the number of employees with access to sensitive claims and was making changes to its systems to further restrict and monitor who had access to sensitive customer information.

ACC chief executive Megan Main, who joined ACC in December, said the organisation accepts the findings of the review and will implement all recommendations.


“We have work to do to make sure that it’s not just about avoiding the disclosure of information to the wrong person outside of ACC, attaching the right file to the right email, but also about how we handle our customers’ information internally, between ourselves as well.”


Changes made included updating policies, adding more checks and balances to ACC systems, limiting and auditing access to people’s files, and scheduling more training opportunities for employees, she said.

So far, six of the 30 recommendations have been implemented, but the rest of the work will not be completed until the end of 2023.

In the meantime, customers could be confident their information was safe, she told RNZ.

“We process nearly 10,000 new claims every day, you know, 2 million claims a year. I take every privacy incident seriously, but this was our first major privacy incident in a decade.”

She said ACC was putting measures in place, including additional monitoring, to provide “reassurance to give New Zealanders confidence that we are protecting their personal information”.

The review recommended that ACC provide updates on the implementation of the recommendations to the Office of the Privacy Commissioner every two months for the next year.

Acting Privacy Commissioner Liz MacPherson said the commission was pleased that ACC had learned from the Snapchat incident.

“We are pleased that ACC is taking comprehensive steps to ensure it takes good care of the often sensitive personal information New Zealanders entrust to it. We look forward to being assured that the underlying issues are resolved as this work programme progresses.”
