Data Protection and Privacy Law
UK GDPR, the Data Protection Act 2018, ICO enforcement and data subject rights.
Introduction
Data protection legislation governs how organisations collect, store and process personal information.
Core Principles
Lawfulness, Fairness and Transparency — Personal data must be processed lawfully, fairly, and in a transparent manner. There must be a lawful basis for processing (consent, contract, legal obligation, vital interests, public task, or legitimate interests).
Purpose Limitation — Data must be collected for specified, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes.
Data Minimisation — Only personal data that is adequate, relevant, and limited to what is necessary for the stated purpose should be collected.
Accuracy — Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
Storage Limitation — Personal data must not be kept for longer than is necessary for the purposes for which it is processed.
Integrity and Confidentiality — Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Accountability — The data controller is responsible for, and must be able to demonstrate, compliance with the data protection principles.
Data Subject Rights — Individuals have rights including access (Subject Access Request), rectification, erasure ('right to be forgotten'), restriction of processing, data portability, and objection to processing.
Key Legislation
Data Protection Act 2018
Privacy and Electronic Communications Regulations 2003
Freedom of Information Act 2000
Key Cases
Vidal-Hall v Google
[2015] EWCA Civ 311
R (Bridges) v Chief Constable of South Wales Police
[2020] EWCA Civ 1058
Common Scenarios
Making a Subject Access Request (SAR)
Under Article 15 UK GDPR, you have the right to obtain confirmation of whether your personal data is being processed and a copy of that data. The organisation must respond within one calendar month. The request is free. If the organisation fails to comply, you can complain to the ICO.
Company suffers a data breach
Under Article 33 UK GDPR, a personal data breach must be reported to the ICO within 72 hours if it is likely to result in a risk to individuals' rights and freedoms. Affected individuals must also be notified without undue delay if the risk is high. Failure to report can result in significant fines.
Receiving unwanted marketing emails
Direct marketing by email requires consent under the Privacy and Electronic Communications Regulations 2003 (PECR), unless the 'soft opt-in' exception applies. You have the right to object to direct marketing at any time. Complaints can be made to the ICO.