One man’s art is another’s porn

With a shift in the way we respond to privacy breaches on the cards, now is a great time, if you haven’t already, to reflect on your privacy processes and policies. What are your obligations and do you have the most robust privacy policies in place?

Based on the recommendations in New Zealand’s Privacy Act table, what do you need to do if your information is accessed maliciously, misused, or unintentionally or deliberately shared, or if a device is lost or stolen and a privacy breach results? More specifically: who should you let know, what should you tell them, when, and why?

Your customer

Fundamentally, the law’s designed to protect your customers’ rights, dignity and reputation and to alleviate economic, emotional and physical harm. 

Be careful about who you notify. Telling the wrong people by mistake can cause unintentional damage to both them and your brand. Only tell customers when you are sure that their information has been compromised and there is a risk of harm. 

Consider the type of information you hold. Is it highly sensitive? For example, is it mental health or medical records, or disciplinary details? Would a leak of that information hurt someone’s reputation, relationships or job security? And even if it’s not deeply personal, consider whether there is a risk of the holder of that information engaging in criminal activity – say, delivery instructions to “leave parcels round the back” or “there’s a key in the pot plant” might result in theft. Use your imagination and plan for the possible worst-case scenario.

So, you’ve established that the privacy breach could cause harm. You must let your affected customers know as soon as possible after discovering the breach. However, if the police are involved, check with them first in case it impacts their investigation.

It’s best to let people know directly – either by phone, letter, email or in person. It’s more genuine and personal than a website or social media post, and it demonstrates that you are accountable and willing to put the work in to repair the relationship and, hopefully, regain their trust.

The Privacy Commissioner

If someone’s privacy has been breached you must also notify the NZ Privacy Commissioner as soon as possible after becoming aware of the breach.

Even if the breach is unlikely to cause any harm to your customers, it’s sensible to let the Office of the Privacy Commissioner know because they can give you advice on what to do next. It gives you the opportunity to be open about it, demonstrate you take privacy seriously, and discuss what you’re doing to fix it.

Your bank 

You should consider letting credit card companies, financial institutions or credit reporting agencies know about the data breach, especially if the information includes bank account numbers, credit card details, next of kin, dates of birth and other unique identifiers.

Also think about the breach from an insurance perspective and get in touch with your insurers where needed.

Key suppliers and contractors

Do you have any third-party suppliers for whom the leak of information will breach their confidentiality or affect their ability to do their job properly? Again, it’s about being open and proactive and thinking about how a breach of information will affect your working relationship.

If your key supplier or third-party contractor is the one who has the direct relationship with the client, then they should be the people who notify the customer.

Overseas customers

Be aware that your international customers will fall under a different jurisdiction. The Office of the Australian Information Commissioner has a notifiable data breach form, which can be accessed here:

Customers affected and the Privacy Commissioner in Australia must be notified, and the following information must be included:

· the identity and contact details of the organisation

· a description of the data breach

· the kinds of information concerned

· recommendations about the steps individuals should take in response to the data breach. 

(Directly quoted from:

EU Customers

The European Union’s sweeping General Data Protection Regulation (GDPR) came into effect in May last year. Its all-encompassing impact extends far beyond Europe to include any company that has EU-based customers. It’s wise for us to take its rules into account when developing privacy policies, as data breaches could result in hefty fines and severe damage to your reputation.

In summary, the GDPR rules cover:

- Consent: consent must be given to obtain and hold personal information.

- A specific purpose: data must be collected and used for a purpose, and only that purpose.

- Security: data must be held in an accurate and secure way.

- Deletion: data must be destroyed once the specific purpose of use has expired.

Not sure whether to notify a breach? 

The UK Information Commissioner’s Office website has a handy self-assessment for data breaches, to help you work out whether you need to let them know.

Summary of key points:

1) There’s no one-size-fits-all response to data breaches. Exercise your discretion and think about each incident on a case-by-case basis.

2) There is the potential to be an over-sharer.

3) What type of information do you hold and does it have the potential to cause harm if it falls into the wrong hands?

4) Think about harm holistically - could it compromise someone’s mental health, dignity, job security, relationships, security of their home or assets?

5) Use your imagination and think laterally – it’s best to think about all possible scenarios. Plan for the worst case.

6) Consider if it’s a one-off breach or a systemic failure – this will help you contain the issue and prevent it happening again. 

7) The Privacy Commissioner and its equivalents throughout the world have lots of great resources for you to brush up your knowledge on privacy rules and your responsibilities.

8) Most importantly, prevention is better than cure – think about how you collect, store, share and destroy information, and evaluate if you’re putting personal information at risk.

We can help

The IT Psychiatrist can design and develop best-practice policies, processes and strategies around data collection, storage and sharing, so that you feel confident that your business is protected, compliant and ready for the upcoming changes to privacy law.

You may also need some more resources to get ready for the changes. We can be your dedicated part-time IT manager for as long as you need and connect you with a virtual privacy officer. 

If you want industry-leading, best-practice IT policies, processes and strategies, or a part-time IT manager to help you get ready for the privacy changes, please give us a call.

Further reading:

UK and EU: