Information Management Policy
POLICY NUMBER
5.0.0
TOPIC
Information Management
OWNER
Chief Technology and Innovation Officer
BUSINESS
Technology and Innovation
GROUP
AUTHOR
Out of scope
Manager Information Frameworks and Assurance
DATE APPROVED
25th March 2021
APPROVER
ACC Board
NEXT REVIEW
25th March 2023
DATE
1 Policy Statement
As a Crown entity, ACC holds information on behalf of the peoples of New Zealand. The
information held is related to the duties ACC is responsible for in accordance with the Accident
Compensation Act 2001. These duties relate to ACC’s major functions: injury prevention,
rehabilitation, setting and col ection of levies; assessing and paying claims and investment
management. This constitutes the primary use of this information.
ACC holds a unique set of information that has significant value, not only for NZ but international y.
Information is the only enduring asset that ACC holds and should be treated as such. This aligns
with the Māori data sovereignty principle of viewing this as a treasure (Māori: taonga). In
recognition of the obligations under the Treaty of Waitangi (Māori: Te Tiriti o Waitangi).
To extract the maximum value of this resource, the secondary use of information must be actively
promoted and supported for secondary use which includes:
1. Identifying opportunities for injury prevention initiatives
2. Improving customer service by improving outcomes, ef iciencies and ef ectiveness
3. Sharing information for external use in support of insights and research related to accidents,
injuries, treatments
4. Ensuring information is available and representative of the peoples of NZ, including Māori,
minorities and marginalised groups to facilitate and support these communities
5. Partnering with representative groups to promote, support and advise on the appropriate
use of ACC information
Accident Compensation Corporation
Page 1 of 15
To ensure that information is fit for purpose, ACC is committed to establishing, maintaining and
monitoring modern information management practices to ensure they meet both primary and
secondary needs. This includes meeting legal compliance, accountability requirements and
stakeholder expectations.
2 Alignment with Government
As a crown entity, ACC is expected to conform and adhere to government policies and practices
related to information management as specified by appointed officials. In addition, as ACC is viewed
as part of the health and disability sector, we also need to conform to specific sector requirements.
These are described in more detail in Appendix 3.3.
3 Policy Objective
We are committed to establishing modern information governance and management practices that
meet our customer expectations, ongoing business needs, security, privacy and legal requirements
including:
• Capturing only relevant, and applicable, information
• Securing and storing our information appropriately, recognising that we are a customer-centric
organisation
• Documenting actions and decisions as required for legislative, governance and legal reasons
• Managing information as a strategic corporate asset
Al our information management practices are delivered in accordance with the principles set out in
this policy, and its supporting standards and procedures. ACC is committed to continuous
improvement in our corporate information policies, processes and standards.
4 Policy Scope
This policy is intended for al our people, including our board members, consultants, contractors
and organisations (including vendors and other third parties) engaged to undertake work on behalf
of ACC.
This policy covers al information that we create, ingest, receive, manage, store and share as part
of conducting our business.
5 Policy Principles
Our Information Management principles are the foundations for the way that we use information
within ACC.
Our information must be managed, secured, and maintained as per our Information Management
principles. We must also comply with al relevant legislation and government standards.
Personal and health information makes up a significant part of our information.
Accident Compensation Corporation
Page 2 of 15
The ACC Privacy Policy sets out additional requirements for storage and use of this information
and must be read in conjunction with this policy when dealing with personal and health information.
4.1 Our Information is a strategic asset and we actively manage it
Our Information Governance Group (IGG) must ensure that our information assets are
professional y managed. This supports our objectives, principles, and the obligations set out in the
IGG Terms of Reference.
Active management means:
• We have senior leaders setting strategy, and making sure we are sufficiently resourced to
manage our information assets in a consistent, integrated way
• We use our information assets to deliver insights and enable smarter business decisions
• Our change management processes consider, and actively manage, information management
risks at both design and implementation stages
• Al staff must ensure the information they use is accurate and fit for purpose.
4.2 Our information has clear ownership
Al our business-critical information assets must be assigned a Steward (business owner) by
subject area, and at least one Custodian (information caretaker) as per our Information Stewards
and Custodians Standard.
Stewards and Custodians must ensure that our information is cared for (actively managed)
throughout its lifetime. They must also ensure that information access is only granted where
needed for the particular role and is disposed of (destroyed or archived) at the end of its lifetime in
accordance with our approved disposal authorities.
Clear ownership means:
• We must ensure al staff understand and are able to manage our information within their role
• We must ensure our information is fit for purpose and aligned with the strategic direction set by
the Information Governance Group (IGG)
• Al our key information assets have defined business owners (Stewards) with agreed
delegation of authority
• Stewards are responsible for making decisions related to their assigned information assets
• Custodians support Stewards by ensuring the information they are responsible for is fit for
purpose, meets primary and secondary needs, is readily accessible by those that need it and
is trustworthy.
4.3 We make our Information fit for purpose
We must manage information to ensure it is fit for purpose, consistently described, trustworthy and
meets al needs. We al have a responsibility to conform with required quality requirements by,
taking ownership of the information in our care.
Fit for purpose means:
• We protect the value of information against misuse, misinterpretation, unnecessary access
restrictions or failure to maintain its quality
Accident Compensation Corporation
Page 3 of 15
• Active stewardship of our information ensures that it remains fit for purpose. To do so it must be
accessible and complete, wel described so that it is understood, and can be used with
confidence in support of both internal and external:
o Evidence-based decision making
o Research
o Reporting
o Analytics, and
o Data Mining
• Information must be periodical y reviewed to ensure compliance with al relevant legislation and
standards as shown Appendix 1
• Good archiving and disposal practices ensure our information is compliant with the requirements
of the Public Records Act 2005.
4.4 We make our information Accessible, yet Secure
We enable the sharing of our information to make best use of the information assets we hold and
promote public and government confidence in our information.
We protect the ethical use, confidentiality, integrity and accessibility of information, through active
management and adherence to the principles of our Privacy Policy, Information Security Policy and
Standards.
Accessible, yet Secure means:
• We comply with our obligations under the New Zealand Open Data Charter
• We enable appropriate, and prevent inappropriate, access and reuse of our data assets
• We improve the effectiveness and efficiency of work by al owing people to discover, use, and
share information
• We enable better, evidence based, decision making
• When we share information external y, we ensure appropriate approvals and/or formal
agreements are in place, and where relevant wil seek advice from the ACC Ethics Panel.
• We minimise the risk of uncontrol ed release of our information, and the resulting harm arising to
our clients, business and personnel
• The privacy and confidentiality expectations of al stakeholders are met.
4.5 Our Information is simplified by design, and we standardise it for reuse
Our information architecture and Enterprise Information Management (EIM) Strategy provides the
big picture of how our information hangs together. It is designed to provide visibility, promote reuse,
integration and ef iciency.
Simplified and standardised information means:
• A wel -managed information architecture that al ows people to discover, use and share
information
• It provides a lean, agile information environment that results in more ef icient use of information
assets, and promotes cost ef ective business outcomes
• The concept of ‘create once, use many times’ meaning duplication and reinvention is minimised,
which al ows us to significantly reduce the cost and ef ort in creating and managing duplicate
information
Accident Compensation Corporation
Page 4 of 15
practices are present in team thinking, discussion, and decision-making
• Develop skil s and knowledge to support and facilitate staff in
information management best practices
• They communicate expectations with staff, monitor compliance, and
ensure accurate reporting.
The Information
• Operates with appropriate delegation of responsibility to oversee and
Governance Group
govern the information management function and is accountable for
(IGG)
Enterprise Information Management Strategy
• IGG’s focus is to ensure that our information is actively managed
throughout each stage of its lifecycle as a strategic business asset
• IGG’s roles and responsibilities are set out in by the IGG Terms of
Reference Document
• Appoints required roles and delegates appropriate authority to ensure
they can operate effectively in their information role and duties in
conjunction with their manager.
Security and Privacy
• Responsible for advising the IGG on the outcomes of the Information
advisory group (SPAG)
security roadmap and the Privacy maturity roadmap.
Content and Records
• Responsible for the advising the IGG on the outcomes of the content
Advisory group
and records (C&R) roadmap and ongoing maintenance of the
(CRAG)
Information Management Policy.
Chief Technology and
• Directs and leads our information management initiatives
Innovation Officer
• Holds the positions of Chief Data Officer (CDO) and Chief Information
(CTIO)
Officer (CIO) as defined in relevant NZ legislation and policy
• Ensures that our Information is managed and updated, disposed of, or
archived in a timely fashion in accordance with our approved disposal
authorities
• Responsible for ensuring Information Stewards and Custodians are
trained in the skil s needed for their role in our information management
• Provides Senior leadership representation as chair of the IGG.
Ethics Panel
• Advises on any research requests for personal y identifiable or
potential y personal y identifiable ACC data
The Head of Enterprise • Responsible for developing and implementing information systems and
Data, Information and
governance processes to ensure operational measures and monitoring
Security (EDIS) on
is in place to support this policy
behalf of the CTIO.
• Ensures al staf are aware of the policy and that the appropriate
structures and roles are put in place with the right level of training and
guidance to operate at the required level
• Support IM governance groups and roles to enable them to fulfil their
obligations and responsibilities.
Information Stewards
• Accountable and responsible for implementing operational policy,
business value, scope, definitions, rules, standards, structure, content,
use and disposal for information and data under their responsibility
• Make decisions on strategic needs as wel as the col aborative needs
and external partners and providers
• Ensure that Custodians are supported by management
• Ensure that al our information assets for which they are responsible
are defined and maintained in the Information Asset Register.
Accident Compensation Corporation
Page 6 of 15
Our Information
Al data and information produced by ACC, and al information under our
care regardless of to whom it belongs, or where it originated.
Custodian and Steward As defined in the Information Stewards and Custodians Standard.
Information
Al recorded forms of data, knowledge, facts, intentions, opinions, or
analysis, irrespective of the content, or the medium through which it is
communicated or stored.
Information may be contained in a variety of media, for example: printed
documents, handwritten notes, diaries, maps, spatial data, photographic
data, images, videos, electronic databases, electronic documents, emails,
web pages, voice mail and audio records.
Information Architecture The structured organisation of information and its relationship to business
processes and systems. This excludes technical system design.
Information
The creation and maintenance of complete, accurate and reliable evidence
management
of business transactions in the form of recorded information.
Information Repository An environment (either electronic or physical) where information is
registered, stored, and managed.
Records
A record is any documentation or evidence of business activity and
decisions, regardless of format.
Retention and Disposal A systematic listing of the records created by an organisation, which
Schedule
informs their lifecycle management from creation to disposal.
12 References
This Information Management Policy is supported by the Information Management Governance
structure in Appendix 2. Supporting sub policies, standards, procedures and guidelines are outlined
in Appendix 1.
The legislative requirements that our information assets must meet are listed under Appendix 2.
13 Version Control
Version Date
Material change reason
Who
0.1
13/07/20 Initial Draft
Out of Scope
0.2
26/7/20
EDIS review completed
Out of Scope
0.3
21/9/20
Feedback from reviews added
Out of Scope
0.4
12/10/20 Final preparation for GG’s
Out of Scope
0.5
16/04/21 Amendments for Board (minor)
Out of Scope
Accident Compensation Corporation
Page 9 of 15
14 Appendices
Please note the fol owing appendices are informative only they are accurate as of the time of
publication and should not be considered an authoritative list or source given the changing policy
and legislative landscape.
Accident Compensation Corporation
Page 10 of 15
3.2 Appendix 2 – Information Governance Boards
Accident Compensation Corporation
Page 12 of 15
3.3 Appendix 3 – Alignment with Government
As a crown entity, ACC is expected to conform and adhere to government policies and practices related
to information management as specified by appointed officials. In addition, as ACC is viewed as part of
the health & disability sector, we also need to conform to specific sector requirements.
Al -of-Government Official Functions (www.digital.govt.nz)
The NZ Government has established functional leads who are charged with developing and improving
designated areas across government. The roles are delegated to specific chief executives by the Public
Service Commissioner.
The roles are:
1. Government Chief Digital Officer (GCDO) oversees the development and management of digital
for the state sector. The GCDO is responsible for:
• setting digital policy and standards
• improving investments
• establishing and managing services
• developing capability
• system assurance (assuring digital government outcomes)
2. Government Chief Data Steward (GCDS) supports the use of data as a resource across
government to help deliver better services to New Zealanders. The GCDS is the government
functional lead for data and ensures that government agencies have the capability and right
skil s to maximise the value of data. This is achieved through setting data standards and
establishing common capabilities, developing data policy and strategy, and planning across the
state sector. Focus has been on:
• Co-developing a Data Stewardship Framework to enable agencies to manage data as a
strategic asset and benchmark their data maturity
• Leading the government’s commitment to accelerate the release of open data, including the
implementation of the International Open Data Charter
• Developing data governance across the system through evolving approaches to data ethics
and Māori data governance.
3. Government Chief Information Security Of icer (GCISO) role strengthens Government decision
making around Information Security and supports a system-wide uplift in security practice. The
GCISO is the government functional lead for information security. The GCISO’s work includes:
• coordinating the government's approach to information security
• identifying systemic risks and vulnerabilities
Accident Compensation Corporation
Page 13 of 15
• improving coordination between ICT operations and security roles, particularly around the
digital government agenda
• establishing minimum information security standards and expectations
• improving support to agencies managing complex information security chal enges.
4. Government Chief Privacy Officer (GCPO) leads an al -of-government approach to privacy to
raise public sector privacy maturity and capability. The role sits within the Digital Public Service
branch of the Department of Internal Affairs, reporting to the Government Chief Digital Officer.
The GCPO is the practice lead for privacy and supports government agencies to meet their
privacy responsibilities and improve their privacy practices. The GCPO is responsible for:
• providing leadership by setting the vision for privacy across government
• building capability by supporting agencies to lift their capability to meet their privacy
responsibilities
• providing assurance on public sector privacy performance
• engaging with the Office of the Privacy Commissioner and New Zealanders about privacy.
Statistics NZ (data.govt.nz)
Statistics NZ (as GCDO) is responsible for overseeing official government statistics. Tier 1 statistics are
New Zealand’s most important statistics, and are essential to help the Government, business, and
members of the public to make informed decisions and monitor the state and progress of New
Zealand. Tier 1 statistics describe New Zealand’s economy, environment, population, society, culture,
international relations, and civil and political rights. Tier 1 statistics are also used by a range of
organisations to develop new services and products.
One of the 162 Tier 1 statistics is the incidence of injuries annual y produced by Statistics NZ using
ACC and MoH data.
As ACC supplies data to produce a Tier 1 statistic, ACC must ensure that the Tier 1 statistic is of good
quality and has integrity. Producers of Tier 1 statistics must adhere to the Principles and protocols for
producers of Tier 1 statistics. Tier 1 statistics must be presented impartial y and clearly without
judgement and must be managed in such a way to ensure that the statistics are free from undue
influence.
Ministry of Health
The Health Information Standards Organisation (HISO) with the Ministry of Health supports and
promotes the development and adoption of fit-for-purpose health information standards for the New
Zealand health system. HISO works with health providers and shared services organisations, clinical
and consumer groups, software vendors and industry bodies, the academic community, the wider
government sector and other standards development organisations. It also supports
He Korowai
Oranga: Māori Health Strategy for the ef ective delivery of health and disability services to Māori and
Accident Compensation Corporation
Page 14 of 15
represent the interests of al New Zealanders as consumers of health services and stakeholders in the
health system.
HISO links with the international standards community through Standards NZ, SNOMED International
for SNOMED CT, and through HL7 New Zealand for HL7 standards.
As a participant in the Health & Disability Sector, ACC is expected to adhere and support the standards
produced by HISO.
Accident Compensation Corporation
Page 15 of 15
