Sparks' Privacy and Workplace Policies

Privacy statement

We collect personal information from you, including information about your:

  • Name
  • Contact information
  • Billing or purchase information

We collect your personal information in order to:

  • Provide direct work-related communications
  • Bill for services
  • Provide access to online services, either paid or unpaid.

Besides our staff, we share this information with:

  • Our clients in order to meet their business requirements for websites we build.

Providing some information is optional. If you choose not to enter their email address, we'll be unable to provide them with online accounts.

You have the right to ask for a copy of any personal information we hold about you, and to ask for it to be corrected if you think it is wrong. If you’d like to ask for a copy of your information, or to have it corrected, please contact us at privacy@sparksinteractive.co.nz, or Dave Sparks on +6421683009, or via post/mail at 43 Parker Road, Oratia, Auckland 0604.

Privacy policy

Introduction

Sparks Interactive Limited (we, us, our) complies with the New Zealand Privacy Act 2020 (the Act) when dealing with personal information. Personal information is information about an identifiable individual (a natural person). This policy sets out how we will collect, use, disclose and protect your personal information. This policy does not limit or exclude any of your rights under the Act. If you wish to seek further information on the Act, see www.privacy.org.nz.

Changes to this policy

We may change this policy by uploading a revised policy onto the website. The change will apply from the date that we upload the revised policy.

This policy was last updated on 29/06/2023.

Who do we collect your personal information from

We collect personal information about you from:

  • You, when you provide that personal information to us, including via the website and any related service, through any registration or subscription process, through any contact with us (e.g. telephone call or email), or when you buy or use our services and products
  • Your website, where you have authorised us to have access to it, or where the website information is publicly available
  • Third parties where you have authorised this, or where the information is publicly available. If possible, we will collect personal information from you directly.

How we use your personal information

We will use your personal information to:

  • Verify your identity
  • Do due diligence checks prior to providing services or products
  • Provide services and products to you
  • Improve the services and products that we provide to you
  • Bill you and to collect money that you owe us
  • Respond to communications from you

Disclosing your personal information

We may disclose your personal information to:

  • Any business that supports our services and products, including any person that hosts or maintains any underlying IT system or data centre that we use to provide the website or other services and products
  • Any other person authorised by the Act or another law
  • Any other person authorised by you.

Protecting your personal information

We will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse.

In the event that personal data has been accessed by or disclosed to an unauthorised party, we will notify named contacts immediately upon confirmation, or as soon as practically possible.

Accessing and correcting your personal information

Subject to certain grounds for refusal set out in the Act, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information. Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal information relates.

In respect of a request for correction, if we think the correction is reasonable and we are reasonably able to change the personal information, we will make the correction. If we do not make the correction, we will take reasonable steps to make a note on the personal information that you requested the correction.

If you want to exercise either of the above rights, email us at privacy@sparksinteractive.co.nz. Your email should provide evidence of who you are and set out the details of your request (e.g. the personal information, or the correction, that you are requesting). We may charge you our reasonable costs of providing to you copies of your personal information or correcting that information.

Internet use

While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk.

If you follow a link on our website to another site, the owner of that site will have its own privacy policy relating to your personal information. We suggest you review that site’s privacy policy before you provide personal information.

Cookies

We use cookies (an alphanumeric identifier that we transfer to your computer’s hard drive so that we can recognise your browser) to monitor website visitor statistics with tools such as Google Analytics. You may disable cookies by changing the settings on your browser, although this may mean that you cannot use all of the features of the website.

Contacting us

If you have any questions about this privacy policy, our privacy practices, or if you would like to request access to, or correction of, your personal information, you can contact us at privacy@sparksinteractive.co.nz.

 

Diversity & Inclusion Policy

Sparks Interactive supports diversity in the workplace and values the range of ideas and perspectives that come from having a diverse and inclusive environment.

We understand that every individual has different requirements to make work suitable for them. To help employees work in a way that is appropriate and balanced for them, we offer flexible working arrangements – whether this is flexible hours, locations, equipment, or something else that fits in with the wider picture of their life and what is important to them.

A respectful culture is a vital part of an inclusive workplace. At Sparks, employees are expected to play their part in creating a positive environment where people feel valued and confident expressing themselves. 

Sparks has a good retention rate of long-term staff, and maintaining the ideals mentioned in this policy is an important part of continuing this.

 

Workplace Health & Safety Policy

Sparks Interactive (Sparks) is committed to providing a safe and healthy workplace, safe working methods, and the provision of safe equipment. Workplace health and safety is considered by management to be an integral and vital part of the successful performance of any job.  

This policy sets out the responsibilities of Sparks and its employees with the aim that together we can keep the workplace safe and productive. 

In so far as this policy imposes any obligations on Sparks (i.e. those additional to those set out under legislation), those obligations are not contractual and do not give rise to any contractual rights. To the extent that this policy describes benefits and entitlements for employees (i.e. those additional to those set out under legislation), they are discretionary in nature and are also not intended to be contractual. The terms and conditions of employment that are intended to be contractual are set in an employee’s written employment contract. 

Sparks may unilaterally introduce, vary, remove or replace this policy at any time. Sparks, as a person conducting a business or undertaking (PCBU), is committed to: 

  • Integrating workplace health and safety into all aspects of its operations;
  • Identifying hazards, assessing risk and implementing control strategies to minimise risk of injury to people and property;
  • Ensuring that relevant health and safety laws that apply to working conditions and the work environment are observed and enforced;
  • Developing and implementing safe systems of work;
  • Providing adequate safety information, training and supervision;
  • Designing, purchasing, installing and maintaining a safe site and machinery;
  • Ensuring that the workplace under their control is safe and without undue risks to health;
  • Ensuring that the behaviour of all persons in the workplace is safe and without undue risks to health;
  • Attempting to remedy all problems relating to workplace health and safety;
  • Consulting with workers and other parties to address safety issues and improve decision making on workplace health and safety matters; and
  • Supporting and assisting workers in effective injury management and rehabilitation.

All employees and contractors are required to:

  • Adhere to safe work practices, instructions and rules;
  • Immediately report any unsafe work condition or equipment to Sparks;
  • Not misuse, damage, refuse to use, or interfere with anything provided in the interest of workplace health and safety;
  • Perform all work duties in a manner which ensures individual health and safety and that of all other people in the workplace;
  • Encourage fellow employees to create and maintain a safe and healthy work environment; and
  • Co-operate with all other employees to enable the health and safety responsibilities of all employees to be achieved.

Communication and consultation 

We recognise that employee consultation and participation in our safety system is vital and improves decision-making about health and safety matters in the workplace. Consultation is also included in the process of risk assessments and the development of our safe work practices.

Employees shall be actively involved in the workplace safety system. Suggestions for change and improvements to policies, procedures or safe work practices are encouraged, through reporting to management. Meetings to consult and inform employees on safety issues shall be conducted through staff meetings, as regularly as is necessary. 

Employees shall be made aware of safety issues relating to their jobs on a regular basis. The manner of doing so will vary depending upon the type of information to be conveyed. 

We expect our employees to be committed to working with management in order to effectively manage health and safety on the job. Employees are encouraged to contribute to decisions that may affect their health and safety in the workplace, through contact with management and staff meetings. 

Management shall work in conjunction with employees to review and update this, and other, policies and procedures.

Workplace injuries – rehabilitation and return to work 

Sparks is proactive in its approach to injury management and places strong emphasis on the safe, timely and sustainable return to work program for injured or ill workers. We are committed to:

  • Prompt injury notification;
  • Communication and consultation with all parties to develop an appropriate return to work program;
  • Accountability and responsibility for injury management being clearly understood;
  • Provision of suitable meaningful activities during the return to work process; and
  • Dispute resolution as required. 

Sparks will ensure the following positive approach in meeting these objectives, including:

  • Early reporting of injuries;
  • Appropriate and timely medical intervention and return to work planning;
  • Provision of suitable resources and productive duties for the injured worker;
  • Positive support and encouragement during the rehabilitation process; and
  • Review of incidents and accidents to seek preventive measures and continuous improvement. 

Sparks shall work in conjunction with employees to review and update this policy, and other policies and procedures relating to work health and safety as regularly as is necessary.

 

Community Engagement Policy

We want to have a positive social impact as a company, whether that’s in the work we do, the people we work with, or how we make ourselves part of the wider community.

Drupal & technology community involvement

Having built websites on the open source Drupal platform for many years, Sparks is dedicated to being an active part of the Drupal community, particularly within New Zealand. We have committed to sharing our knowledge and work openly, along with supporting Drupal events.

The annual DrupalSouth conference is a big event for the Drupal community in Australia and New Zealand, and Sparks have sponsored and helped organise the conference when it has been held in New Zealand.

Sparks has also taken part in Summer of Tech – a programme that connects technology students and graduates with companies who can offer jobs and help them transition from study to the workplace. 

Support local

As a New Zealand business, we want to work with other like-minded companies – so where we can choose local suppliers who align with our focuses, we make this a priority.

We also want to support local organisations in the work they do – which is why we have built and supported websites for non-profit organisations at a discounted rate. These organisations have included Life Flight, 95bFM, Q Theatre, English Language Partners, KidsCan, and Parkinson’s New Zealand.


 

Environment & Sustainability Policy

Our Environment & Sustainability Policy provides a guide for us to make responsible choices that take into consideration the impact of work on the environment. The policy will be updated as we continue learning about the ways we can become more sustainable as a business. 

Making considerate transport choices

We aim to make sustainable choices when meeting with clients – encouraging virtual meetings if a significant distance would need to be travelled, and suggesting walking to out-of-office meetings if physically reasonable.

When travel is unavoidable, we use carbon offsets to counter the environmental cost of flying (via Air New Zealand) or driving (using a Mevo hire car).

We encourage employees to choose alternative forms of commute to reduce the number of cars on the road. Many employees use public transport, bikes, or their own legs for their commute, and the Sparks offices make this an easier option with the addition of bike storage, showers, and flexible working hours. 

Office sustainability

Both Sparks offices make use of easy-to-access recycling bins for separating waste for recycling.

To reduce unnecessary electricity usage, timers are used for appliances such as heaters and coffee machines.

When replacing or removing office equipment, we aim to keep it out of the landfill – either selling it on so it can be reused, recycling equipment where this is possible or using a certified e-waste disposal service.

Holding others accountable

When procuring suppliers, it’s important that their values and processes support ours. Since sustainability is a responsibility shared between everyone, it’s good to know that those you work with are on the right path.

For example, we feel comfortable knowing our hosting supplier, SiteHost, powers their Auckland data centre with solar panels. 

 

Procurement Policy for Suppliers

When choosing a new supplier to work with, it is important that their values are in line with those we have set out in our various policies at Sparks. 

Our policies outline our principles and processes, and we keep these in mind when procuring suppliers. We can make a copy of these policies available to you on request, and they include:

  • Privacy Policy
  • Diversity & Inclusion Policy
  • Workplace Health & Safety Policy
  • Community Engagement Policy
  • Environment & Sustainability Policy
  • Cyber Security Policy
  • Incident Response Policy

Many businesses produce similar documents, so by viewing these we can confirm if they are working towards the same goals as us, and how they are doing that. If these documents don’t exist, then a simple conversation can help us reach an understanding of what values a potential supplier aligns with.

 

Cyber Security Policy

Security and protection internal policy

Be thoughtful with the way that you access systems and data, as well as with how clients access these.

You should use:

  • Strong, varied passwords for your devices and accounts (the Sector password policy is a good basis for passwords)
  • A secure password management system (do not store your passwords physically, and ensure your password management system is also protected by a password and/or TFA)
  • Secure and trusted internet connections only (office and home internet rather than public wi-fi). Clients shouldn’t be given access to the main office wi-fi - instead, they can use the guest wi-fi.
  • Common sense when it comes to potential spam or scam material – if something seems off with an email or other communication, don’t interact with it.

Physical devices and systems

We should all keep an eye on the physical security of Sparks offices. This can include:

  • Making sure office access is locked when no one is in the office
  • Locking your computer when you are away from it
  • Having a strong password for your computer in case of physical theft or loss
  • Shredding and disposing of documents and sensitive information
  • Being aware of who can see potentially sensitive information on your screen

These same concepts should also apply when you are working away from the office.

Problems and incidents

If you identify a potential cyber security issue, you should report it to Sparks’ privacy officer on privacy@sparksinteractive.co.nz, who can work out the next steps to take. Refer to the Sparks Incident Response Policy for more on resolution times and how we resolve different types of issues.

 

Cyber Security Policy

In our Cyber Security Policy, we give an overview of the principles and processes that govern our approach to cyber security, particularly the safety of your data. The specifics of these processes are detailed in our internal policy.

Protecting your data

All Sparks staff are expected to maintain SafeStack certifications in privacy and security, and to uphold the principles covered in these certifications. This supports our daily efforts to maintain good cyber security practices, with an assigned privacy officer overseeing this and acting as an escalation point if an issue arises.

When we collect information from you, we aim to collect only what is necessary and to collect it in a secure manner. For example, if you contact us on our website it will be over a secure https connection and we have processes in place to monitor what happens on our website.

The information we hold about our customers is stored and kept secure in line with the Privacy Act 2020. Information we hold is minimal and for the purposes of contacting and billing customers – this is stored within trusted accounting software and in our secure internal wiki.

Notification of security issues

In the case that Sparks becomes aware of a potential security issue, our assigned privacy officer will notify named contacts immediately upon confirmation of an issue that may affect them, or as soon as practically possible.

If you wish to notify us of a potential security issue, we welcome you to contact the Sparks privacy officer with details of the issue. You can contact our privacy officer at privacy@sparksinteractive.co.nz, and our general contact information can also be found at sparksinteractive.co.nz/contact.

Incident Response Policy

Sparks endeavour to resolve any incident related to your website in the shortest time frame possible, while providing clear and ongoing communication to keep you involved in the process.

Sparks’ incident management process is outlined in the Service Level Agreement (SLA) we have with individual clients – if you don’t have an SLA yet and wish to know more, we are happy to supply an example SLA document at your request.

In general, our support response involves:

  • Categorising the priority level of the incident or request – ranging from P1 (e.g. the website is unavailable or a security breach is suspected) to P5 (no interruption to agreed services, e.g. a new feature request)
  • Updating you on the incident or request within the time frame allotted by the priority level
  • Beginning work on resolving the incident or request if the process is straightforward
  • Creating an action plan for you to agree on, in cases where resolving the incident or request is more complex and time consuming
  • Resolving the incident or request within the resolution time frame allotted by the priority level
  • Keeping you up to date throughout the resolution process
  • Creating a full incident report for major P1 incidents 

Security of your website

We closely monitor security updates released by the Drupal security team and review their impact as they are released.

If a security update is critical, we will deploy it on your website within 48 hours of the update’s release – unless a different approach has been decided on in an agreed action plan.

In most cases, standard Drupal updates will be deployed on your website as part of frequent ‘health checks’ we perform as part of your SLA (this is approximately monthly).

These monthly health checks also include checking your website logs and user accounts for unusual activity, which allows us to detect potential incidents that may need looking into further.

Information security incidents

Sparks’ specific process for detecting security incidents (beyond the logging and checks undertaken as part of monthly health checks) is in active development and will be added to this policy in the near future.

A data breach, compromise or loss would generally be treated as a P1 incident with immediate notification to the named contact. With a P1 incident such as this, significant resources are dedicated to resolving the incident as soon as feasibly possible, with frequent progress updates and an incident report produced as part of this process.