Monday, June 30, 2008

Art societies and art galleries - data protection, privacy and you

Four questions for you - and your art society and/or art gallery:
  1. Does your art society and/or art gallery understand that it has to protect personal data relating to individuals?
  2. Are the administrators 'data protection aware'?
  3. Do they process personal information about individuals in a secure way?
  4. Are the officers of your art society / managers of your art gallery aware of their legal responsibilities under data protection legislation?
RHS Tulip #1
8" x 8", coloured pencils on Arches HP
copyright Katherine Tyrrell

We all hear from time to time about the activities of fraudsters - but do we ever stop to think about how they get hold of identity information and how they might get hold of yours?

You might be taking appropriate action to safeguard your identity online and at home. But are you sure that the organisations to which you give your personal data are equally careful?

Mailing lists - whether actual addresses or e-mail addresses - are bread and butter fodder for fraudsters. Organisations which engage in fraud buy and sell mailing lists all the time - and they're always on the lookout for weaknesses in data protection.

In Europe, unlike the USA, there is a strict legal regime about data protection. Broadly speaking, if an individual can be identified from the data then it's personal data and is protected.

This regime is about to get a lot more strict in the UK with the introduction of the new Criminal Justice Act - this introduces new civil penalties for serious breaches of data protection principles. The new legislation gives the Office of the Information Commissioner the power to impose substantial fines on any organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.

Data protection is an area where art societies and art galleries have no option but to behave in a strictly professional and business-like way. But the sad fact is that at present rather too many don't.

It's clear to me that more than a few art societies, art galleries and other art-related organisations covered by the legislation are completely unaware of their legal obligations concerning the protection of the personal data of their members. If they're unaware, then it's very unlikely that their administrative processes comply with European data protection legislation.

Art organisations and problems with data protection

The reason I'm raising this issue today is because at the weekend I became aware of yet another art organisation which has failed to protect personal data.

Here are some examples of the sorts of failures to protect personal data which I've come across in recent times. I'm not naming the individual art societies or galleries because frankly lax practice seems to be pretty widespread and it seems invidious to name one and not others.
  • An email sent to me about an event by an organisation acting on behalf of an art society disclosed its complete mailing list and all the e-mail addresses on it to everybody on that mailing list.
  • Another art society recently sent me its handbook. It contained every member's name, address, telephone number and e-mail address. Apart from the fact that I don't need all of this information, it represents a fraudster's dream come true.
  • An art society had a laptop stolen recently. It contained all the personal contact details of all its members. The data was not encrypted.
  • A fourth (and fifth and sixth and seventh....) art society lists the home addresses and telephone numbers of all its members in the brochure for its annual exhibition.
The conclusion I've come to is that a number of organisations are being run by people who have no contact with the wider business world and/or awareness of data protection obligations. They simply do not know what's required or about any changes in data protection legislation.

However, I'm afraid that rationales such as "we've always done it like this and it's always been OK before" and "we're just amateurs, we don't know about these things" are no legal defence and simply do not excuse what is happening.

Ultimately, what we're talking about here is data protection and privacy - and these are matters which will be coming within the jurisdiction of criminal law in the UK in the very near future.

This blog post aims to raise awareness of this issue. If all those reading it asked their own art societies and art galleries (and themselves) the questions I am posing then maybe we might see the basics being addressed rather better than they are at present.

Data protection - what are the basics?

Unlike in the USA, the right to privacy is a highly developed area of law in Europe and data protection legislation has been around for a very long time.

10 years ago an effort was made to harmonize it so that the same principles applied across all member states of the European Union (see links below for more details). The European Directive on the protection of personal data provided the basis for all national legislation.

In the UK, the Data Protection Act 1998 required all organisations which handle personal information to comply with a number of important principles regarding privacy and disclosure of information which can be used to identify an individual person.

Two sites provide accessible information about what the Data Protection Act covers and what it means.
The Act states that anyone who processes personal information must comply with eight principles.........All organisations must make sure that they comply with the Data Protection Act.

But what are the eight principles for processing personal information?
Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection
Information Commissioner's Office: Personal Data - the basics
More detail about Data protection

This is the Data protection Guide and Guidance. This is the place to start if you or your organisation need to review what's required and then set about implementing their requirements/recommendations if you've not done so already.

The overall priority is that personal data should not be accessible to people who don't need to know it and that personal data should not be published.

These are some particularly relevant sections
Some practical suggestions - do's and don'ts

Any Art Society or organisation dealing with personal data can usefully start by considering the following when devising a potential policy and practical rules for handling personal data:

Personal data includes anything which is linked to an individual eg home address, telephone number, email address etc.

  • Do collect only what is needed. Personal data capable of identifying individuals should only ever be collected if it is needed and should only ever be used for the purpose for which it is collected.
  • Do explain why you are collecting personal data and the safeguards. Make sure you identify to the individual the reasons why you need to collect data, what it may be used for, who needs access to it and how you safeguard personal data. Identify how you are going to publicise the existence of a data protection/privacy policy. It's a good idea to link to a formal statement of the data protection / privacy policy on the organisation's website.
  • You MUST get written consent of an individual BEFORE you publish their personal data or pass it on to anybody else. You cannot assume this and it's not good practice to make it difficult for people to tell you. Best practice is to assume a default that it cannot be published and cannot be passed on.
  • Do keep personal data only for so long as it is needed. Data protection policies need to address what records must be archived, what should be destroyed and how often.
  • Do keep all personal data secure - paper files as well as digital ones.
  • Do make sure that personal data is only ever accessible to those with a 'need to know'.
  • Do train people. Make sure all people handling personal data know and understand basic practices for protecting data.
  • Do not publish personal data in a brochure, leaflet, catalogue, mailing list, email distribution list etc. without the consent of the person concerned. Do look at what practices you now need to change as a result.
  • Do not assume consent. You cannot assume consent - and your data practices need to assume consent will be withheld by some people - like me! (I have a simple principle which is that I don't assume other people know how to look after my personal data so I always provide the absolute minimum and always refuse permission for it to be shared with any third parties).
  • Do not send out an e-mail to a mailing list without first checking that each recipient ONLY sees their own e-mail address.
  • Do not record financial details - if you can avoid it. These need extra security and you need to find out first how to encrypt them.
  • Do not record personal data on a laptop. If you do then additional security provisions are required (eg encryption and/or use of a password to access data)
  • Do not give personal data away. It's not yours to give - even if it's another art society member who is asking. You need a system which safeguards the personal data of all those people who do not want it to be shared. Default should always be 'do not share'. You can act as a postbox for anybody wanting to contact a third party.
  • Do not sell personal data - it's not yours to sell.
  • Do not exchange personal data for some benefit - it's not yours to give away - even to a sponsor.
  • Do not leave responsibility for data protection vague. Identify who is responsible for leading on data protection - policy development and implementation. Identify the minimum to expect people to know and understand.
Q: What security measures should I have in place to protect personal information on laptops?
Where the information held on a laptop or other portable device could be used to cause an individual damage or distress, in particular where it contains financial or medical information, they should be encrypted. The level of protection provided by the encryption should be reviewed and updated periodically to ensure that it is sufficient if the device was lost or stolen, you may need to seek specialist technical advice. In addition to technical security, organisations must have policies on the appropriate use and security of portable devices and ensure their staff are properly trained in these. If it is brought to the Commissioner's attention that laptops that have been lost or stolen have not been protected with suitable encryption he will consider using his enforcement powers.
A data protection checklist - questions to ask your art society, your art gallery and yourself
  1. Are you aware that you have a legal responsibility to protect all personal data which can identify an individual?
  2. Do you know and understand the eight principles of data protection?
  3. Have you implemented the eight principles in the way you process and store the personal data of members or people on your mailing list?
  4. Have the people handling personal data been trained in data protection?
  5. Have you ever sold the mailing list to a third party?
  6. Where can I find a copy of your data protection/ privacy policy?
If you live in the USA this doesn't apply to you. You have to be your own data protection unit! Nevertheless the general principles are sound and it's reasonable to expect that organisations will follow them - so why don't you ask the questions anyway?



  1. Beautiful tulip, Katherine, particularly the lustre, the form and the thinness and delicacy of the petals.

  2. Thank you for bringing this up. I try my best to stay in line with things.

    Recently a London gallery sent an offer of an exhibition which I didn't accept because they wanted to run a group show with invites sent to their list and each artist's list. However, one "benefit" of this show was that each artist would then be given the entire mailing list! Meaning the gallery's and each of our lists distributed to everyone.

    This was such a violation of trust for people who joined my mailing list that I simply couldn't believe it was being suggested. Needless to say I didn't respond.

  3. Oh, and a question: how do I encrypt my email address book on a laptop? I have no idea. I think I follow all the rules but don't know about encryption.

  4. Canada has two federal privacy laws, the Privacy Act and the Personal Information Protection and Electronic Documents Act.

    The Privacy Act took effect on July 1, 1983. This Act imposes obligations on some 150 federal government departments and agencies to respect privacy rights by limiting the collection, use and disclosure of personal information. The Privacy Act gives individuals the right to access and request correction of personal information about themselves held by these federal government organizations.

    Individuals are also protected by the Personal Information Protection and Electronic Documents Act (PIPEDA) that sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. The law gives individuals the right to access and request correction of the personal information these organizations may have collected about them.

    The official Act can be read here

    I have stepped down from the board of an art association locally and one of the reasons was precisely this - lack of privacy policies. In fact I had to remind them again last week after having an email sent out to me with the emails of everyone in the association on the send to list.

  5. Thanks for the references Jeanette - most helpful

    That's two artists now who have dissociated themselves from organisations who are not respecting the privacy of individuals (viz email addresses) - plus me who thinks the same and says it or puts it in writing to the organisations concerned.

    That's making a bit of a theme I think.........

    Anybody else who has taken a stand on the question of privacy?

    Anybody who now thinks they might if they a breach of privacy by an organisation they know?

    Anybody - or any organisation - who has another perspective on this matter?

  6. Tina - you can encrypt a database in the latest version of Access

    See this brief explanation from

    Encrypting Access Databases

    I always used to use Access for labels for mailing my regular big mail-outs - plus you can import contact databases into Word to use as mailing lists - it's very good if a bit difficult to get your head round at first.

    There are also specialised contact database software packages - which will have varying levels of offers in relation to security. You'll recall that I had a post recently about Which is the best e-mail newsletter software?

  7. I just love your tulip Katherine! It absolutely glows at the tips!

  8. My 'database' is actually my Mac Address Book program, so I guess I can't see how I can encrypt that? I might see if it can somehow be password protected maybe. I also use Flick, which uses Filemaker files for data.

