Check which ACC staff have accessed your file, abuse survivors urged

One advocate believed her own privacy had been breached about 30 times. Photo credit: RNZ / Richard Tindiller.

By Anusha Bradley of RNZ

There is a widespread and systematic problem of ACC staff having inappropriate access to the files of sexual abuse survivors, advocates say.

One advocate believed her own privacy had been breached about 30 times by ACC staff clicking into her file, simply because she was representing a claimant they were managing.

The advocates' concerns come after RNZ reported yesterday that an Auckland man left disabled by an accident discovered dozens of ACC staff had accessed an old sensitive claim he opened for childhood sexual abuse. It had been accessed hundreds of times since he closed the claim.

A sensitive claim file belonging to the man's wife, who acted as his advocate, had also been accessed by an ACC investigator. The couple only made the discoveries after requesting digital footprints from ACC.

ACC has said every access to the couple's sensitive claim files was justified.

It was a scenario that was "unfortunately quite common", victim advocate Ruth Money said. "It's an utter breach of privacy."

Money said she was not surprised ACC said all 350 accesses to the man's file were justified.

"In my experience, this is ACC's fallback to say it's for a legitimate reason ... and they point to an administrative reason like an address check or a reimbursement. That's utter rubbish. They do not need to be poking around in your sensitive claim, or any claim, for that reason," she said.

Money recommended every client ask for a digital footprint to check who was accessing their information. If the information they received was concerning, she urged them to raise it with ACC and the Privacy Commissioner.

Better security and more restrictions on sensitive claims were needed, she said. She believed inappropriate access had worsened since ACC disestablished the Wellington-based Sensitive Claims Unit in September last year in favour of managing some claims by teams of people spread across eight different locations.

"So when you call up for a sensitive claim you could be dealing with anyone. So they've had to open up their system so that people can access stuff, which is just abhorrent and is a total violation," Money said.

"We're not talking about a broken ankle or a bad back here. We're talking about really personal, intricate and traumatic details that are sitting on that system about your sexual abuse."

ACC told MPs last month that its privacy controls had not changed with the introduction of the new claims management system.

ACC consultant Fiona Radford said about 20 clients she advocates for had requested digital footprints and found what they believed was inappropriate access to their sensitive claims by ACC staff.

She believed her own privacy had also been breached about 30 times by ACC because of her advocacy work. In a recent example, digital footprints showed an ACC case manager of a client she had advocated for 18 months prior had gone into her file.

"I was really angry, I think it was inappropriate after 18 months of not dealing with a particular claim."

She said ACC told her the access was legitimate but she did not agree and was in the process of laying a complaint with the Privacy Commissioner.

She believed employee browsing of ACC files was widespread.

Last month, unionised ACC staff expressed "discomfort with the level of access they have to sensitive claims" in a Public Service Association survey. In response, ACC Acting Chief Executive Mike Tully told RNZ he wasn't aware of those concerns, but staff who worked in call centres, claims, payments as well as clinician advisors all had access to sensitive claims information in order to help the claimant.

Green Party ACC spokesperson Jan Logie said she was "appalled" at ACC's response to concerns about the way it deals with sensitive claims information.

"Advocates, ACC staff and abuse survivors have all said there is a problem with how ACC handles sensitive information. They've [ACC] doubled down on the fact that this is business as usual and perfectly acceptable, when the test of whether it is is the experience of survivors."

"ACC's refusal to see things from their perspective just undermines that trust before they even reach out. They've got to do better."

She called for tighter restrictions to ensure sensitive information could only be seen by ACC staff directly involved in managing or treating a client.

ACC would not talk to RNZ but in a statement said it was "confident sensitive claims information was managed with due diligence and respect."

"Unless an ACC employee is involved in managing a claim, then under no circumstances is it legitimate for ACC staff to access a claim file belonging to a client's advocate. Any staff member doing so would be breaching ACC's Code of Conduct."

ACC did not answer RNZ's questions about whether staff accessing personal files belonging to a client's advocate was considered acceptable.

ACC said staff were required to adhere to its Code of Conduct which set out expectations that employees maintain the highest standards of integrity, discretion and ethical conduct when performing their duties.

"This includes not accessing claims information that is not required for them to carry out their role. All staff and contractors are also required to act in accordance with the ACC Code of Claimants' Rights, which covers claimants' rights to have their privacy respected."

ACC said it had not received any complaints about inappropriate staff access to sensitive claims files in the past 12 months.

RNZ has seen a complaint filed by Radford to ACC in June about staff accessing her files.

RNZ reported yesterday that two sensitive claimants, known as Matthew and Kate, had also filed complaints in the past 12 months about inappropriate access to their information. Both were dismissed by the agency.

RNZ has asked ACC for further clarification.

The Privacy Commission would not comment on individual cases but told RNZ it received 19 complaints about ACC in 2020/21, though none were for "employee browsing" of files and none related to sensitive claims.

RNZ