5 December 2017
Mr David Lawson
[FYI request #6843 email]
Dear Mr Lawson Reference: 0051012
Official Information Act Request
Thank you for your request of 17 November 2017, asking for the following information under
the Official Information Act 1982:
Request 1:
(a) I welcome the provision to me through the www.fyi.org.nz, a complete copy of
the comprehensive Privacy Strategy ACC adopted in 2013 as referred to in the
Human Rights Review Tribunal ruling referred to above under [26.3].
(b) please confirm the exact 2013 date that ACC formally adopted their
comprehensive Privacy Strategy.
Request 2:
I welcome the provision to me through the www.fyi.org.nz, a complete copy of the
ACC privacy policy that was put into effect as a direct result of ACC's
comprehensive Privacy Strategy being adopted by ACC in 2013, and any
amendments and or iterations that were introduced by ACC that occurred prior to
ACC superseding their comprehensive Privacy Strategy with ACC's Privacy
Maturity Plan.
Request 3:
(a) I welcome the provision to me through the www.fyi.org.nz, a complete copy of
the ACC Privacy Maturity Plan which
1. formalises ACC’s approach to continue to improve ACC’s privacy maturity
between now and 2020, and
2. superseded the comprehensive Privacy Strategy adopted by ACC in 2013,
and any and all amendments and or iterations that were introduced by ACC that
occurred following the introduction of ACC's Privacy Maturity Plan.
(b) please confirm the exact date that ACC formally adopted their ACC Privacy
Maturity Plan.
Privacy Strategy
A copy of ACC’s Privacy Strategy is attached as Appendix One.
The Privacy Strategy was approved by the ACC Board following the submission of a board
paper on 27 June 2013. Training in the use of the Privacy Strategy was rolled out to the
branches over the following months.
Privacy Policy
ACC’s Privacy Policy is publicly available on our website. You can find it, and other
documents that may be of interest to you, through the following link:
https://www.acc.co.nz/privacy/our-privacy-framework/?smooth-scroll=content-after-navs
There were no documented amendments of the Privacy Policy between 2013 and 2016,
when the Privacy Maturity Plan was implemented.
Privacy Maturity Plan
ACC’s Privacy Maturity Plan is publicly available through the link provided above. There have
been no documented amendments of the Privacy Maturity Plan to date.
The Privacy Maturity Plan was approved by the ACC Board following the submission of a
board paper on 28 April 2016.
Comments or queries
If you have any questions or concerns about the information provided, ACC will be happy
to work with you to resolve these. Please address any concerns by emailing
[email address] or in writing to
Government Engagement and Support, PO Box 242,
Wellington 6140.
If you’re unhappy with ACC’s response, you may make a complaint to the Office of the
Ombudsman. You can call them on 0800 802 602 between 9am and 5pm on weekdays,
or write to
The Office of the Ombudsman, PO Box 10152, Wellington 6143.
Yours sincerely
Government Engagement and Support
Appendix One
ACC Privacy Strategy
June 2013
ACC Privacy Strategy
Page 1 of 5
1 What is personal information and why is it important to ACC?
Personal information is information about identifiable natural persons. It does not include company or
organisational information.
Information management is critical to the way ACC conducts its business because we are an information
intensive organisation. Each day, we receive 24,000 telephone calls and post 24,000 letters to customers.
We receive just over 80,000 emails from external sources daily and send out about 40,000.
ACC’s customers include clients, levy payers, providers, employers and staff in New Zealand and overseas.
We therefore hold a wide range of personal information including names, birthdates, addresses, medical
histories, financial data and employment details.
This strategy sets out ACC’s path to becoming a recognised leader in the management of personal
information.
2 ACC’s Privacy Strategy
Privacy Vision
Personal information in our care will be managed as carefully and respectfully as if it were our own.
Principles
Personal information is owned by the customer and we will be proactive in our role as custodians of that
information on the customer’s behalf.
In order to build lasting trust-based customer relationships, we will give deep attention to the processes
and practices with which we manage a customer's information, including putting the customer at the
centre of those practices.
We will do everything necessary to ensure the integrity, reliability, security and accuracy of all the
personal information that we manage on our customers’ behalf.
We will engineer privacy directly into the design of how we do business.
ACC will benchmark ourselves against recognised best operators in the field of managing personal
information.
Accountabilities
Everyone at ACC is responsible for the management of personal information:
a. Board: Responsible for ensuring the organisation is aware of the need to look after our customers’
information through high-quality monitoring and information management practices.
b. Senior Executive: Model best privacy practices and ensure privacy is core to all aspects of ACC’s
culture.
c. Managers: Deliver good privacy results by demonstrating excellence in privacy, complying with legislative
requirements, ensuring privacy breaches and near misses are accurately recorded, reported and
investigated, identifying privacy risks, ensuring appropriate training for new employees and recognising
innovation in privacy by employees.
d. Staff: Maintain best practice privacy behaviours, promote privacy at work, actively participate in privacy
training, report all privacy breaches and near misses to managers, and identify privacy risks.
Privacy Strategic Intent
Our privacy strategic intent aligns with and is consistent with the information management lifecycle and the
Information Privacy Principles as set out in the Privacy Act 1993. We recognise that it may not be possible to
apply these principles in every situation, and in those situations, our actions will be governed by the Privacy
Act 1993 and Health Information Privacy Code 1994. ACC’s commitments around privacy will extend to those
organisations we contract with, who are entrusted to manage and process our customers’ personal
information on our behalf.
a. Creation and collection of personal information:
ACC commits to collecting information only for the purposes linked to our organisational functions.
ACC commits to making people aware of the collection of information, our purposes for doing so, and
their rights to access and correct that information.
b. Storing, accessing and availability of personal information:
ACC commits to maintaining all reasonable safeguards against the loss, misuse or inappropriate
disclosure of personal information, and maintaining processes to prevent unauthorised use or access
to that information.
ACC commits to providing individuals with access to their personal information, where appropriate,
and respects the individual’s right to seek amendment of factually incorrect information.
c. Use of and maintenance of personal information:
ACC commits to only using or disclosing personal information for the purposes for which it is collected,
taking reasonable steps to ensure it is complete, relevant, and up to date, and will engage the
customer who owns that information in ensuring the quality of that information.
ACC will not use or disclose information for a purpose that is inconsistent with the original purpose of
collection, unless legislatively able to do so or we have consent.
d. Archiving and destruction of personal information:
ACC will maintain and implement retention and disposal policies for personal information as agreed
with New Zealand’s Chief Archivist and make these policies available to the public.
3 ACC’s Privacy Roadmap
The privacy strategic roadmap summarises ACC’s privacy-related goals for the next three years to June 2016.
The roadmap references the Personal Information Management Index (PIMI), developed in August 2012, as a
starting point. The PIMI comprises three parts and allows for a maximum possible score of 120 points:
Part 1 (50 points) assesses the quarterly average number of breaches over a denominator of the average
number of entitlement claims in a quarter.
Part 2 (22 points) assesses the organisation’s maturity of Governance (i.e. operating procedure) and Staff
Capability. This includes organisational management of personal information, progress on implementing
the recommendations of the Independent Review, and a measurement of staff that participate in annual
privacy training.
Part 3 (48 points) groups the 12 Information Privacy Principles against an information lifecycle and is
designed to assess ACC’s maturity and capability against a five point scale in the application of each of
the principles to our operations.
ACC aims to increase the total PIMI score by reducing our breaches, improving our Governance and Staff
Capability, and aligning with best practice implementation of the information lifecycle.
Table 1: Privacy Strategy Roadmap 2013-2016

ACC’s privacy operating procedure and staff capability
June 2013: Privacy operating procedure is centrally located and having an impact on the achievement of
overall performance against the privacy strategy, however maturity is still forming (Level 3). 100% of staff
complete the annual privacy refresher module.
June 2014: Procedures are operating effectively (Level 4). Privacy improvements and issues are mostly being
identified and resolved by frontline staff. 100% of staff complete the annual privacy refresher module.
June 2015: Procedures are operating effectively. All privacy improvements and issues are being identified and
resolved. 100% of staff complete the annual privacy refresher module.
June 2016: Operating procedures are in place at all levels, and best practice in operation, is effective,
efficient and responsive. 100% of staff complete the annual privacy refresher module.

Independent Review recommendations complete
June 2013: 50% complete
June 2014: 80% complete
June 2015: 95% complete
June 2016: 100% complete

Personal information management maturity
June 2013: All Information Privacy Principles (IPPs) maturity levels are assessed as “Defined” (Level 3).
This rating means that relevant policies and procedures are defined and exist, but in some cases there is
sporadic application across ACC.
June 2014: The organisation will increase maturity in the IPPs relating to storage/security (IPP 5) and the
disclosure of personal information (IPP 11) to the “Operating and Managed” level (Level 4). This score means
policies and procedures in those domains are operating, managed and consistently enforced.
June 2015: The organisation will increase maturity in all the IPPs to a score of at least Level 4, meaning all
domains have policies and procedures that are operating, managed and consistently enforced. Incidents may
still occur, but very rarely.
June 2016: Maintain all areas at a score of 4, with scores of 5 in key principles (including IPPs 5 and 11).
A score of 5 means that policies and procedures are in place, enforced and replicated across the New Zealand
business and government sector as a best practice example. Incidents under these principles do not occur.

Inadvertent disclosure of personal information (privacy breaches)
June 2013: The number of breaches at or below a quarterly rolling average of 45 per month
June 2014: The number of breaches at or below a quarterly rolling average of 22 per month
June 2015: The number of breaches at or below a quarterly rolling average of 12 per month
June 2016: The number of breaches is maintained below a quarterly rolling average of 12 per month

Personal Information Management Index target score (out of a maximum 120)
June 2013: 80
June 2014: 90
June 2015: 97.5
June 2016: 105
4 Privacy management good practice framework
In August 2012 the ‘Independent Review of ACC’s Privacy Security of Information’ established a framework for
what ACC needs to do to govern the management of personal information. The ACC Privacy Strategy is aligned
with this framework, which is shown in Diagram 1 below.