ACC clients and advocates who raised concerns about the way personal information was managed at the agency are welcoming a damning report that found ACC lacks a strong privacy culture.
The review, prompted by RNZ's reporting, found ACC's privacy policies were outdated, had gaps and were poorly understood by staff.
A man RNZ has agreed to call Matthew*, whose old sensitive claim was viewed hundreds of times by 92 staff said the review's findings were unsurprising and he had little faith that real change would occur.
"I do not think this audit will bring about the changes necessary to return faith that ACC will respect claimants' privacy, as I feel it does not address all the issues and the problems within the ACC complaints process and failings to investigate client concerns thoroughly from a neutral perspective.
"This audit shows the concern but I don't feel the recommendations address it."
Matthew believed his privacy had been breached, but ACC disagreed, so he filed a complaint which was still being considered.
Earlier this year, an independent review found an ACC staffer breached his wife's privacy by accessing her sensitive claim while investigating Matthew. ACC then apologised.
Matthew's wife told RNZ it was incredibly difficult to prove ACC had breached her privacy, and to get the information needed to file a complaint to ACC regarding her husband's potential breaches.
"This process has taken me a year and a half to date to extensively dissect and relate the claim file information to the accesses in Matthew's digital footprint.
"The sheer amount of work needed to prove the issues, which in my experience nearly all clients do not have the ability to achieve themselves or find the help or financial resources to have someone else do it for them."
Matthew said he would have liked the opportunity to speak to Linda Clark, who carried out the review, about his concerns, though the report noted it was not in its terms of reference for her to do so.
He said it was vitally important that one of the 30 recommendations to introduce a "confirm access required" function on ACC's case management system, especially for all medical notes, was implemented.
"Without this type of protection all ACC claimants are left in the same position as before this audit," Matthew said.
Another sensitive claimant who believed his privacy had been breached - though ACC did not agree - also welcomed the review's finding.
"I'm hopeful things will improve. The biggest takeaway from the report for me is that it rightly identifies that ACC have been responsive and not proactive. I hope it will become more proactive," he said.
He also wanted ACC to improve the way it responded to, and supported clients, who raised concerns about potential privacy breaches.
Ignorance about privacy laws
ACC advocate Daniel Wood said the report confirmed his concerns that frontline staff did not understand privacy laws. He often had to battle to get them to understand the rules, he said.
"The Privacy Act has been in place since 1993 and updated in 2020, so they've had 30 years to understand it.
"But what this report identifies is that ACC has a systemic issue in regards to privacy and unfortunately the people that should know, don't. And that is totally disappointing."
ACC chief executive Megan Main, who joined ACC in December, told RNZ yesterday that the organisation accepted the review findings and would implement all of the recommendations.
"We have work to do to ensure it is not just about avoiding the release of information to the wrong person outside ACC, attaching the right file to the right email, but how we treat our clients' information internally, between ourselves, as well."
Changes being made included: updating policies, adding more checks and balances to ACC systems, limiting and auditing access to people's files, and planning more training opportunities for employees, she said.
So far six of the 30 recommendations had been implemented but the remainder of the work would not be completed until the end of 2023.
In the meantime, clients could have confidence that their information was safe, she told RNZ.
"We handle almost 10,000 new claims every day, 2 million claims per annum. I take every privacy incident seriously, but this was our first significant privacy incident in a decade.
She said ACC was putting things in place, including additional monitoring to provide "assurance to give New Zealanders confidence that we are protecting their personal information".