It is the latest case of a government agency using the Privacy Act exception to seek and receive private information.
One section of the Privacy Act allows those holding people's personal information to simply hand it over if it assists "maintenance of the law".
It is meant to be used in critical situations - such as accessing phone records to find someone whose life or safety is in jeopardy - but cases have emerged of police using it when officers should have sought production orders or warrants through the court.
Doing so has allowed police to get people's private financial details from banks and other institutions holding personal information.
This latest case emerged after the ACC claimant travelled to Cannes in France for a series of training courses associated with the international film festival as part of a plan to return to work.
The claimant, who was not willing to be named, had been unable to work after a head injury in 2009.
He said his ACC case manager became suspicious of the travel after seeing an image he had posted on social media showing he was present at an event near the film festival.
The case manager had also noted the claimant had been listed as connected to a New Zealand production company present at the festival - a link the claimant said had been arranged to ease his way through security to attend the training courses.
Documents show the ACC case manager asked the corporation's "Integrity Insights" team to "find out the overseas travel movements of my claimant" from 2009 through to 2018.
Two days later, she was sent Customs data showing every occasion on which the claimant had left or returned to New Zealand, including dates of arrival or departure, the name of the destination, the time he left and the type of visa on which he was travelling.
There is no information-sharing agreement between ACC and Customs.
"My case manager rang and asked me all these really weird questions (about Cannes). It was like she was trying to trip me up."
But when she asked about an earlier trip to Australia, the claimant said: "I thought, 'they're spying on me'."
He said he sent ACC a Privacy Act request seeking information it held about his travel movements and was astonished to find it had sought and received his travel data from Customs.
The claimant said he then complained over "a blatant breach of my privacy", which eventually led to an apology.
A spokesman for ACC said the request for the claimant's travel movements came after he had disclosed "work-like" activity while overseas which had not been mentioned previously.
He said "we needed to be sure he was still entitled to weekly compensation".
However, the spokesman also confirmed the claimant was not actually under investigation when the corporation sought his personal information from Customs.
The request to Customs should not have been made, he said. "We were wrong to do this and should have asked him first. This was a breach of his privacy and we've apologised."
He said ACC had made "information requests" 38 times this year out of the 400 investigations it had carried out.
"We've looked at each of those 38 requests and the majority were done correctly. However, there were nine requests where we should have asked the individual for the information first.
"As a result, we're reviewing our policies and guidelines about requesting information from other agencies. We're also strengthening the privacy training for the teams involved in making those requests."
A spokeswoman for Customs said it had "reasonable grounds to believe that this was a bona fide investigation by ACC".
As a result, it handed over the details. She would not say what the grounds were, other than it was a request by ACC.
She said there were "many requests" each year which cited the Privacy Act exception.
Customs was now checking to see whether its processes for making information available remained "fit for purpose".
Lawyer John Miller, who specialises in ACC-related cases, said information-sharing agreements governed the transfer of personal information.
"If there's no information-sharing agreement, it should be very limited. If they are using that element of the Privacy Act, it should be very specific and justified."
Miller said it was a "worrying development" and ACC should simply have asked the claimant before trying other means to access his personal details.
The Office of the Privacy Commissioner had previously raised concerns about the manoeuvre being used to access private information.
A spokesman for the office said there were no requirements for government agencies to declare how often they used the "maintenance of the law" exception to gain people's information.
As a result, nobody had any idea how often it was used or how widespread the practice was.
The spokesman said the exception was not "a positive power to seek information", meaning it could not be used to compel release of personal details.
Instead, it required the holder of the information to make a judgment whether there were "reasonable grounds" to provide the information.
The Privacy Commissioner recently published a report into a transparency pilot project which saw government agencies declaring the use of such "requests for information".
Its report on the project included the statement "law enforcement agencies should be monitoring, auditing, and reporting on the use of the information gathering powers".
