Our Observations

The 6 globally shared principles of Protection of Information every art business needs to know

05 July 2021

The 6 globally shared principles of Protection of Information every art business needs to know

If you're an art business selling art online or interacting with clients and prospects via e-mail lists, you need to be aware of the rules regarding privacy protection practices around the globe.

We've done the research and made it easier for you by summarising the key principles shared in common across the various acts and codes. 

Use these 6 points as a guide:

 

1. Awareness

Give notice to website visitors and content viewers right upfront if you are collecting and storing personal information, so that they then make their choice based on awareness, before any personal information is collected from them.

If you are not sure, you should check with your website provider if your site is using cookies or collecting personal information, and update your terms of use accordingly.

Typically notice is presented in the form of a banner upon login or on a Website informing visitors that cookies are being used and that clicking to enter constitutes agreement to the terms of use.

In practical terms, the primary means of providing privacy notice to Web site visitors is the privacy statement. For simple sites that set no cookies or receive no user input, such a statement is easy to draft. The more complex and interactive the site, the more work it will take to craft a statement that covers all the bases. Here are the main points that need to be covered:

  • Identify who is collecting the data.

  • Describe the type of data collected and how it is collected - for example Automated Logging; Web Bugs and Beacons; Cookies (distinction should be made between session cookies, and persistent cookies). 

  • Detail how the data may be used.

  • If the data might be shared with any third party, identify those potential recipients.

  • If personal information is captured but not shared, explain the security measures in place to ensure the confidentiality of the data.


2. Choice

This means the user is provided with options and is able to make a free choice about whether personal information is collected from them, and if so, how it can be used.

There is information that may be required to complete a transaction on a site, such as gaining access, or making a purchase, and then there is information that is considered for secondary use, such as adding them onto a mailing list in order to market to them directly in future, or to share their information with third parties.

The principle here is that you provide easy to understand choices. These are best when presented as an OPT IN rather than an OPT OUT.


3. Consent

Linked to choices, consent means honouring the choice made. The core principle here is that a person's Yes is yes and No is no. So for example if someone fills in a form to participate in an activity or buy something from you online, before you can use their contact information in future to communicate with them, you need to provide the mechanism for them to give consent - such as a check box "You may e-mail me about special events or related offers" or an opt-in form in which people specifically request to be included on a mailing list .

It is important to be specific about the kind of communication they are consenting to, and ensuring you target only the people who are interested, because once they opt out, you cannot contact them again. Keep a list of those which have opted out, and be sure they are not accidentally re-added to your active list after they have requested to be removed.


4. Access and Participation

If you need the person who's information you have, to very the accuracy of the information and be able to contest if it is inaccurate, then you need to be able to implement such processes securely, otherwise the process of providing access in support of privacy could inadvertently lead to privacy breaches.

If you do not have a high level of assurance that you are giving online access to the appropriate person - such as multiple factor authentication, then rather use human participation and review. 

When it comes to e-commerce ensure the Payment Provider which stores the customer's banking and card details is well known and has the appropriate levels of security. 


5. Security

The principle here is that data must be accurate and secure. To assure data accuracy, you should take reasonable steps, such as only use reputable sources of data, preferably getting it directly from the client or prospect. You should also cross-reference data against multiple sources, provide consumer access to data and destroy old data that cannot be verified. 

Security involves both technical and managerial measures to protect against loss, unauthorised access, destruction, and dissemination of personal data. Managerial measures include internal measures that limit access to data and ensure that those individuals with access do not use sensitive data for unauthorised purposes. You should have a means to track activity such as copying or downloading of information and have staff sign internal policies which make it clear what your business allows and does not allow, and the consequences of breach. 

Technical security measures include:

  • Limiting access through passwords and database security 

  • Storing data on secure servers that cannot be accessed via the Internet or modem

  • Encryption of data during transmission and storage (Secure Sockets Layer, or SSL, is considered acceptable when submitting information via a Web site - but note that, unless the client system has a digital certificate or other authentication upon which the server can rely, SSL may not be acceptable for disclosure from server to client).


6. Enforcement

Your organization may subscribe to an industry code of practice or privacy seal program, both of which may include dispute resolution mechanisms and consequences for failure to comply with program requirements. A private action against your organization is also a possibility if the organization is found to be responsible for a breach of privacy that caused harm to an individual. Class-action lawsuits have also been brought, alleging privacy invasion. 

You will need to familiarise yourself with the relevant acts in your country as well as the countries in which you operate, If you operate online, you need to understand of all of them.