by Marcus Fowler*
First Published in ARt+LAW newsletter in September 2000
Ever wondered what happens to your personal details once you send them through the Internet? For any artist, the opportunity for self-promotion through the world wide web is a tempting one. Maybe you’ve entered an online film competition, registered a poem, or perhaps given permission to display your artwork online through a promotional website. But once the information is passed in, what, if any obligation does the online business have when it comes to your personal data?
The Federal Government is wary of consumer concerns about privacy, particularly if those concerns are hindering the growth of business online. To combat this, the Privacy Amendment (Private Sector) Bill 2000 was introduced into Federal Parliament in April. Under the new law, private sector organisations will be allowed to develop their own codes of conduct to regulate the “collection, holding, use, correction, disclosure or transfer of personal information”, as well as develop their own complaints handling mechanisms. An organisation means an individual, body corporate, partnership, any other unincorporated association, or a trust.
This covers all types of personal information which is not publicly available, with the exception of employee records, personal information already in existence when the amendments take effect, state government contractors, and the transfer of non-sensitive personal information between “related bodies corporate” (businesses with a shared controlling interest). However, a major exemption for small businesses means that the majority of professional arts practitioners, arts businesses and organisations will be exempt from the new law.
National Privacy Principles (NPPs)
The Privacy Act 1988 (Cth) only applies to the processing and use of personal information in the federal public sector. However, if the self-made code doesn’t provide at least the same level of protection as outlined by the National Privacy Principles (NPPs), then the Privacy Commissioner has the power to reject that code and a default regulatory scheme, incorporating the NPPs, will apply.
The National Principles for the Fair Handling of Personal Information were developed by the Privacy Commissioner in 1997. They set out minimum standards for the handling of personal information - these include provisions relating to:
• the collection of personal information (must be collected lawfully, fairly and be necessary for one or more of the organisation’s “legitimate functions or activities”);
• the use and disclosure of personal information (generally can only be used for the purpose it was originally taken);
• the accuracy of personal information (must take reasonable steps to keep it “accurate, complete and up to date”);
• security of personal information (must take reasonable steps to protect information from misuse, loss, modification or disclosure);
• openness on what sort of information is kept by the organisation and why, and how it is collected, held, used and disclosed;
• the right to access and correct personal information; and
• the transfer of personal information to a third party.
So where does this leave the average artist whose privacy has been breached? Take, for example, a painter who wants to showcase their work through an online gallery, but wishes to keep their contact details confidential - what action can they take if those details are then passed on to a potential buyer, or sold to a mailing list? A writer may wish to post a short story anonymously online given sensitive, or possibly defamatory subject matter - what action can be taken if the online business then discloses their identity, contrary to the writer’s instructions?
Enforcement
An organisation interferes with the privacy of an individual if it breaches its own approved privacy code, or, if the organisation is not self-regulated, it breaches a National Privacy Principle. Regardless of what applies, the first target of complaint generally has to be the organisation itself. If you’re not satisfied with how this is handled, the complaint may then be taken to the Privacy Commissioner (where no approved code of conduct), or to an independent adjudicator (such as the Telecommunications Ombudsman) if one has been appointed to administer an approved code.
The adjudicator or Privacy Commissioner may then make a determination ordering anything from changing recorded information, to paying damages. The determination can be enforced by an order of the Federal Court or Federal Magistrates Court.
The small business exception
If a business has an annual turnover of $3,000,000 or less, it is defined as a “small business” and is exempt from the operation of the new law. This includes not-for profit arts organisations, such as incorporated associations and companies limited by guarantee. The exemption means that many private businesses, such as low earning Internet-based organisations, will have no obligation to abide by the new privacy law.
However, the new privacy law will still apply to a small business if it:
• provides a health service and holds any health information;
• discloses personal information about another to anyone else for a benefit service or advantage;
• provides a benefit, service or advantage to collect personal information about another; or
• is a contracted service provider for a Commonwealth contract.
This means that if the private organisation you are dealing with, for example, a gallery, sells, or gains any other advantage from providing your personal details to another, then that business will still be subject to the new rules.
Still, there is no obligation that organisations publicise whether they fall under the legislation. Even once consumers are made aware of the new law itself, they will still have to establish whether it actually applies to the business they are dealing with. The end result of the legislation threatens to be even more confusion about what, if any, rights exist over the handling of your personal information in the online marketplace.
For more information on the Privacy Amendment (Private Sector) Bill 2000 visit the website of the House of Representatives Standing Committee on Legal and Constitutional Affairs at www.aph.gov.au/house/committee/laca/. The Committee released their Advisory Report on the Bill on June 26. The text of the Bill can be accessed at www.aph.gov.au/legis.htm.
*Marcus Fowler was a Arts Law Solicitor in 2000
