Two recent reports on the Accident Compensation Corporation should be a wake-up call to the board and senior management.
First, there was the internal review of the controversial change to the way it manages claims, which found its benefits were unclear and that there is some question whether promised financial gains will be realised by the end of the decade.
The $74 million (and counting) "Next Generation Case Management" overhaul of the claims system, introduced in September 2020, was meant to improve case management, save money, reduce staff workloads and also be more client-centred.
However, what it appears to have done is overwhelm many staff and raise staff turnover, increase minor privacy breaches, cost more than planned, and offer questionable benefit for people making claims.
Then, last week came the damning review by Linda Clark into access to information and use of client information at ACC. This followed RNZ’s reporting last year on two incidents: some call centre staff in Hamilton and Dunedin sharing details of clients’ injuries and making fun of them in a private Snapchat called "ACC whores", and a client who was distressed that his "sensitive claim" had been accessed by more than 90 staff.
Ms Clark’s review shows a shocking paucity of understanding of privacy within the organisation — even though the Privacy Act is nearly 30 years old.
Since the scandal of the emailing of information about 6700 claimants to Bronwyn Pullar, and the resulting 2012 review by KPMG and former Australian privacy commissioner Malcolm Crompton, the organisation has had almost an obsession about ensuring such breaches do not occur again. In doing so it has failed to recognise other privacy risks.
Given the importance of managing personal information to the organisation’s key role, Ms Clark’s team expected to find a clearly laid out plan for how information was received, managed, used, disclosed, retained and then destroyed. However, while staff interviewed understood what access rights they had to information to do their jobs, they could not provide a complete description of what Ms Clark called the client information journey.
"Likewise, no guidelines describing the circumstances in which personnel should or should not access client information in the course of their role were available."
Staff understanding of privacy was limited, with many interviewees drawing "an artificial distinction between sensitive claims and other claims, as if the personal information held in respect of the general claims was in some way less private or able to be managed with fewer protections". As Ms Clark rightly points out, all claims can and do contain sensitive information, such as a client’s mental health, family living arrangements or income.
Auditing processes were poor, with no regular and proactive spot checks on access.
This high-trust setting of its limited monitoring and auditing processes was a policy decision, Ms Clark said.
Accountability for privacy was opaque and answers were hard to find, despite the 2012 review urging the organisation to take steps to create a culture of respect for client privacy under which everyone in the organisation has ownership and responsibility for protecting personal information.
Her report includes a raft of recommendations for improvements, some of which are already under way, although all of them will not be completed until the end of next year.
Those involved in the Snapchat incident lost their jobs, but have those responsible for the "vacuum of leadership" which included not having proper policies in place and checking they were followed, ensuring there were safe ways for staff to debrief and vent after dealing with difficult calls, and the concentration on tasks rather than the client, been censured?
It hardly seems fair.
We trust the new Privacy Commissioner, Michael Webster, who comes to the role after being Secretary of the Cabinet and Clerk of the Executive Council, will be casting a weather eye on what happens next.