We are committed to keeping your data, your clients' data and third-party data private and secure. We follow the best practice guidelines laid down by the New Zealand Privacy Commissioner.
Steve Barnard, our Managing Director, is responsible for the oversight and governance of our privacy policies, and Senior Developer James Guthrie is a Certified Information Privacy Technologist with responsibility for the implementation of our privacy policies and the monitoring of procedures for security and data privacy.
We apply privacy design foundation principles across the information life cycle to ensure that we comply with applicable privacy regulations and provide comprehensive privacy and security services for both existing and emerging technologies.
All Pikselin web-developers have taken an OWASP security course to learn techniques that can mitigate against some of the most common issues with web services and code that might lead to potential privacy breaches.
Our privacy policies and practices
Best practice guidelines
We follow best practice guidelines as outlined by the Privacy Commissioner, including physically securing personal information, giving access to sensitive data only to the specific staff who need it, transmitting sensitive data via secure methods, and deleting sensitive digital data and securely destroying physical records when no longer required.
All the data storage and transfer solutions used by Pikselin are protected by multi-factor authentication. These include our document storage (Dropbox), email, and CMS solutions.
Response to data breaches
We have developed a plan based on the Privacy Commissioner’s guidelines to deal with any data breach that might occur. The plan follows a Contain, Assess and Notify model:
- Contain: We would try to get the data back, change passwords, and turn off any affected systems until the nature of the breach was understood and could be mitigated against.
- Assess: We would determine what information had been accessed and by whom and identify the potential harm that could be done by that information being in the wrong hands.
- Notify: We would notify the client of any breach immediately. Following the assessment and in coordination with the client, we would notify anyone we know had been affected by the breach about the possible implications of that information having been accessed (e.g. the risk of identity theft or financial loss). As per the Privacy Act 2020, we would also notify the Privacy Commissioner of the breach. Depending on the type of breach and the data accessed, we might also need to contact the Police and/or other third parties where applicable.
Data storage and processing
When approaching a project or creating an application that deals with the gathering and processing of confidential, sensitive or personal information, we:
- Evaluate the type of information that is being gathered, how it is being gathered, and where that information is being stored
- Identify any data protection risks
- Create a data protection risk register from those identified risks
- Assign a priority, likelihood, and overall risk level for each identified risk
- Put in place controls to mitigate against those risks.
We use Dropbox to store and process project data outside the application itself. Dropbox has security certifications including:
- ISO 27001 (Information Security)
- ISO 27017 (Cloud Security)
- ISO 27018 (Cloud Privacy and Data Protection)
- ISO 22301 (Business Continuity).