A Matter Of Privacy - Access To Immigration New Zealand’s Online Accreditation System.
Earlier this month I raised a privacy concern with Immigration New Zealand (“INZ”) regarding access to, or more correctly removal of access from, INZ’s Online Accreditation System.
I followed up a few times and each time was told my concern had been sent to “an IT Department” and that there was no time frame for resolution.
After a few weeks of this, I escalated the concern via INZ’s complaints portal copying my submission to the Office of the Privacy Commissioner.
I’m now putting it out there to make Accredited Employers and Immigration Practitioners aware of the issue so they can assess their own exposure and take appropriate action.
Here’s the background.
INZ’s Online Accreditation System has a sharing function.
When an Accredited Employer comes to me for assistance, I contact the former adviser/lawyer and ask that person to share access to the Employer’s Online Accreditation information held on INZ’s Online Accreditation System.
Once access is shared, I can go onto INZ’s Online Accreditation System and see all the Employer’s Online Accreditation information.
But the former adviser/lawyer continues to have access to my client’s information. And the former adviser/lawyer continues to be able to share access to my client’s information with third parties.
There is a feature on INZ’s Online Accreditation System that purports to allow me to “Remove” access to the former adviser/lawyer.
Nick Mason (my business partner) and I tested that “Remove” feature. We concluded it didn’t work.
Nick shared an accredited employer’s Online Accreditation information with me. Nick then applied the “Remove” feature in an attempt to revoke his own access to the Online Accreditation information he’d just shared. It didn’t work. He retained access.
My attempts to revoke Nick’s access using “Remove” failed as well. More worryingly, when I attempted to “Remove” Nick’s access, my version of the employer’s Online Accreditation platform told me Nick had been removed. Nick told me he still had access.
Luckily Nick and I were working together on this. If we hadn’t been, I would have thought “job done”. INZ’s platform was telling me Nick’s access had been revoked. I would have been blissfully unaware Nick retained access and could see everything his former client was doing.
What does that really mean?
Well, if Nick really was the accredited employer’s former lawyer then, despite the employer and Nick having parted ways, Nick would still be able to:
1. View his former client’s accreditation activity including:
(a) New Job Checks Applications including supporting documentation/information.
(b) The personal information of candidates applying to work for the former client.
(c) The personal information of migrants issued with visas to work for the former client.
(d) Accreditation Renewal Applications including supporting documentation/information; and
2. Without authorisation, share access to the former client’s Online Accreditation
information with third parties.
If Nick retired and was feeling bored, he could dip into his former client’s Online Accreditation portal and see how they were getting on.
An employer’s former adviser/lawyer should not have access to this sensitive information.
INZ’s Online Accreditation platform should provide a simple means of removing such access. According to the tests we did, it doesn’t.
As mentioned, I’m now putting this out there to make Accredited Employers and Immigration Practitioners aware of the issue so they can assess their own exposure and take appropriate action.
If you are:
1. an accredited employer who has taken back, from an adviser/lawyer, access to your INZ Online Accreditation information; or
2. an immigration adviser/lawyer who has obtained, from your client’s former adviser/lawyer, access to your client’s INZ Online Accreditation information,
I strongly urge you to conduct due diligence to determine whether that former adviser/lawyer retains access to the INZ Online Accreditation information they shared with you.
And if the “Who Has Access?” information on INZ’s Online Accreditation platform is telling you the former adviser/lawyer doesn’t have access, don’t believe it!
Conversely, if you are immigration adviser/lawyer who has shared a former client’s INZ Online Accreditation information with that client or their new adviser/lawyer, I strongly urge you to check whether you retain online access to that information. If you retain access and can’t unilaterally remove it, you should be notifying the appropriate person(s).