Best practice guidelines
We follow best practice guidelines as outlined by the Privacy Commissioner, including physically securing personal information, giving access to sensitive data only to the specific staff who need it, transmitting sensitive data via secure methods, and deleting sensitive digital data and securely destroying physical records when no longer required.
All the data storage and transfer solutions used by Pikselin are protected by multi-factor authentication. These include our document storage (Dropbox), email, and CMS solutions.
Response to data breaches
We have developed a plan based on the Privacy Commissioner’s guidelines to deal with any data breach that might occur. The plan follows a Contain, Assess and Notify model:
- Contain: We would try to get the data back, change passwords, and turn off any affected systems until the nature of the breach was understood and could be mitigated.
- Assess: We would determine what information had been accessed and by whom and identify the potential harm that could be done by that information being in the wrong hands.
- Notify: We would notify the client of any breach immediately. Following the assessment and in coordination with the client, we would notify anyone we know had been affected by the breach about the possible implications of that information having been accessed (e.g. the risk of identity theft or financial loss). As per the Privacy Act 2020, we would also notify the Privacy Commissioner of the breach. Depending on the type of breach and the data accessed, we might also need to contact the Police and/or other third parties where applicable.
Data storage and processing
When approaching a project or creating an application that deals with the gathering and processing of confidential, sensitive or personal information, we:
- Evaluate the type of information that is being gathered, how it is being gathered, and where that information is being stored
- Identify any data protection risks
- Create a data protection risk register from those identified risks
- Assign a priority, likelihood, and overall risk level for each identified risk
- Put in place controls to mitigate those risks.
We use Dropbox to store and process project data outside the application itself. Dropbox has security certifications including:
- ISO 27001 (Information Security)
- ISO 27017 (Cloud Security)
- ISO 27018 (Cloud Privacy and Data Protection)
- ISO 22301 (Business Continuity).