10. KEVIN HAGUE (Green) to the Minister for ACC: Have all of the recommendations of the 2012 Independent Review of ACC’s Privacy and Security of Information been implemented; if not, why not?
Hon JUDITH COLLINS (Minister for ACC): ACC advised that it has implemented 37 of the 44 recommendations. A number have ongoing activity associated with them. Of the remaining seven, two are under active management, which relate to information governance and the implementation of data loss protection software. The other five involve a fundamental review of ACC’s end-to-end claims process activity. Accordingly, ACC advised that it has taken a deliberate decision to complete the end-to-end process review of claims management as part of its work around improving trust and confidence. This is to ensure all processes and information technology changes required under these five recommendations comprehensively meet the intent of the report.
Kevin Hague: Is she confident that the recommendations to ensure that consent forms follow the law and are best practice have been properly implemented, given that the court has just found that the way that ACC was using its ACC167 form was actually illegal?
Hon JUDITH COLLINS: I do not want to argue with the member, but, strictly speaking, the form was not held to be illegal, but the way in which it was used was outside of the statutory requirements. I agree with the member that the form must be changed to comply with the latest decision. I have also been advised by ACC that this form has in the past been approved by the Privacy Commissioner, by the Human Rights Commission, and, I have been told, by six different District Court decisions. So the fact that this latest decision has said that it has been wrongly used is something that ACC is taking very seriously, as am I.
Kevin Hague: How does she reconcile ACC’s illegal use of this form with the privacy review’s findings that stakeholders’ single-biggest concern was the attitude and culture of the organisation in dealing with their personal information, and the report’s finding that a consistent theme was that information not relevant to the claim was held on file?
Hon JUDITH COLLINS: I also recall that the review said that the form itself was able to be used. So I think the problem is that the past decisions of the courts and of other agencies, like the Human Rights Commission, the Privacy Commissioner, and also the review, have not actually said that the form has been misused. But I believe that the member is right that the form should be changed. ACC told me on Monday this week that it was not going to appeal the decision and that it would abide by it. I think that is the right outcome.
Kevin Hague: How do revelations today that ACC has been handing people’s full ACC files—including information on sensitive claims—over to prospective employers stack up against the recommendations of the privacy review?
Hon JUDITH COLLINS: I am sorry, I have not heard that claim, but if the member would like to provide me with the information, I will be happy to take some action. I seek leave to assist the member with the summary—
Mr SPEAKER: You are seeking leave to table a document?
Hon JUDITH COLLINS: It is a document that is the independent review recommendations and summary of actions as at 24 January this year, and I think that might help the member.
Mr SPEAKER: Leave is sought to table that summary of actions. Is there any objection to that being tabled? It can be tabled.
Document, by leave, laid on the Table of the House.
Kevin Hague: How does the Minister reconcile the responsibility she took as Minister in 2012 and her comment that “I’m not going to sit back and let one of the most important Government entities we have let people down time and time again around things such as privacy. They have to act in the way that I expect them to act.” with her comments over the past several days that the implications of the court decision are an operational matter?
Hon JUDITH COLLINS: Well, strictly speaking, forms are an operational matter, but if the member is going to come to see the progress that has been made and what actions I have taken, I think that I have been very strong on this issue relating to ACC. I can look at the proof of just how successful that has been. In August 2012 there were 80 privacy breaches from ACC. A year later, in August 2013, that was down to 28. In March 2014—the month just past—it was down to 19. There are significant improvements in the ability of ACC to protect people’s privacy, and at the same time, to comply with its obligations under its own Act.
http://www.parliament.nz/en-nz/pb/business/qoa/50HansQ_20140416_00000010/10-accident-compensation-corporation%E2%80%94privacy-and-security