INZ’s Response - A Matter Of Privacy - Access To Immigration New Zealand’s Online Accreditation System
You may recall in February of this year I raised a privacy concern with Immigration New Zealand (“INZ”) regarding access to, or more correctly removal of access from, INZ’s Online Accreditation System.
I followed up with INZ a few times and each time was told my concern had been sent to “an IT Department” and that there was no time frame for resolution.
After a few weeks of this, I escalated the concern via INZ’s complaints portal copying my submission to the Office of the Privacy Commissioner.
INZ extended the deadline for response to my concerns a couple of times to give themselves time to test various scenarios I’d raised in my feedback.
On Saturday (6 April 2024) I received a substantive response to my concerns from Katy MacLeod (Director, Online Services, Immigration New Zealand).
I am very grateful to Ms MacLeod for coming back to me. Below I set out Ms MacLeod’s response to the concerns I raised. I am sharing Ms MacLeod’s response because, as you will see, the privacy issues I identified are ongoing.
I want you to be aware of the ongoing issues and INZ’s advice on what you need to do to protect your / your client’s confidential information whilst INZ addresses the concerns raised.
Here’s the background. INZ’s Online Accreditation System has a sharing function.
When an Accredited Employer comes to me for assistance, I contact the former adviser/lawyer and ask that person to share access to the Employer’s Online Accreditation information held on INZ’s Online Accreditation System. Once access is shared, I can go onto INZ’s Online Accreditation System and see all the Employer’s Online Accreditation information.
But the former adviser/lawyer continues to have access to my client’s information. And the former adviser/lawyer continues to be able to share access to my client’s information with third parties.
There is a feature on INZ’s Online Accreditation System that purports to allow me to “Remove” access to the former adviser/lawyer. Nick Mason (my business partner) and I tested that “Remove” feature. We concluded it didn’t work.
Nick shared an accredited employer’s Online Accreditation information with me. Nick then applied the “Remove” feature in an attempt to revoke his own access to the Online Accreditation information he’d just shared. It didn’t work. He retained access.
My attempts to revoke Nick’s access using “Remove” failed as well. More worryingly, when I attempted to “Remove” Nick’s access, my version of the employer’s Online Accreditation platform told me Nick had been removed. Nick told me he still had access.
INZ’s Response
“It is clear from your letter that you have also spent time testing the functionality of the sharing/unsharing/remove options available in our enhanced Immigration Online System (ADEPT). Our ADEPT Operations Team has started to undertake some of these same tests and has confirmed for me that further investigation is required. This work is underway. In response to your specific bullet points I can advise:
1. My concern: There does not appear to be functionality that allows a Licensed Immigration Adviser/Lawyer to remove their own access from a client’s INZ
“Employ Migrants” accreditation webpages once they cease to act for that client.
INZ’s response:
“This functionality does exist but is not currently working as expected. Users who attempt to remove their own access (where another user also has access) are
currently receiving an error message. I have asked our ADEPT Operations Team to investigate and remedy this error as a priority.”
2. My concern: There does not appear to be functionality that allows an organisation or an organisation’s new Licensed Immigration Adviser/Lawyer, to remove the
organisation’s former Licensed Immigration Adviser / Lawyer from having ongoing access to the organisation’s INZ “Employ Migrants” accreditation webpages.
INZ’s response:
“This statement is correct. Currently, only the original user can remove themselves, but as noted above, this functionality has not been working as expected. I have asked our ADEPT Operations Team to review the requirements for this functionality so I can determine next steps in addressing this issue.”
3. My concern: An organisation, or an organisation’s new Licensed Immigration Adviser/Lawyer, cannot rely on the “Access” information on the organisation’s INZ “Employ Migrants” accreditation webpages. Using the “Remove” option may update the webpage “Access” information to show that access to a former Licensed Immigration Adviser / Lawyer has been removed when in fact it hasn’t.
INZ’s response:
“This is correct. Currently, only the original user (not those who have been subsequently had access shared) can view all those who have access via the access grid. I have asked our ADEPT Operations Team to review the requirements for this functionality so I can also determine next steps for addressing this issue.”
4. My concern: There does not appear for be clear guidance from INZ around how: 1. a Licensed Immigration Adviser/Lawyer removes their own access from a
client’s INZ “Employ Migrants” accreditation webpages.
2. an organisation, or an organisation’s new Licensed Immigration Adviser/Lawyer, removes the organisation’s former Licensed Immigration Adviser/Lawyer from ongoing access to the organisation’s INZ “Employ Migrants” accreditation webpages.
INZ’s response:
“I agree that the User Guide does not clearly set out how this functionality currently works, and I have asked for this to be updated. “
“In the meantime, the only way to resolve 1-3 is by customers or their representatives calling our Customer Service Centre to ask that they action the request. I would like to note that INZ takes any breaches to privacy very seriously and I thank you for bringing this to our attention. The investigation and next steps are a high priority.”
What Action Should You Take After Access To Online Accreditation Has Been Shared With You?
It is clear from INZ’s response that, as things currently stand, you cannot rely on the “Remove” feature on INZ’s Online Accreditation System.
If you are:
(a) an Accredited Employer taking back access to your INZ Online Accreditation from you Immigration Lawyer/Adviser; or
(b) an Immigration Lawyer/Adviser taking over access to an Accredited Employer client’s INZ Online Accreditation from the client’s former lawyer/adviser, you must call INZ’s Customer Service Centre and have INZ manually remove access to the former lawyer / adviser.
As things stand, you cannot rely on the “Remove” feature on INZ’s Online Accreditation System to ensure the former lawyer /adviser ceases to have access to their former client’s Online Accreditation.
I look forward to seeing formal communications from INZ putting stakeholders on notice of what would appear to be a longstanding and ongoing privacy issue.