What is the right to rectification?
Under the right to rectification, you can challenge the accuracy of any personal data that an organisation holds about you. You can ask for it to be corrected or, if it’s incomplete, completed with the addition of more detail.
How can my data be corrected?
You should contact the organisation that holds the inaccurate or incomplete personal data and inform them that you are challenging the accuracy of your data and that you wish for it to be corrected. You should:
-
clearly state what information you consider to be inaccurate or incomplete
-
explain how it should be corrected
-
provide evidence of the inaccuracy, if such is available
You can make a request to have your data corrected verbally or in writing. However, it is recommended that you make such a request in writing so that you have a record of the request. If you make a verbal request, you should follow up in writing to explain your concern, give evidence, and state your desired solution.
You can use the template provided by the Information Commissioner’s Office (ICO) to make a rectification request.
What if the data records a mistake or an opinion?
Determining whether data is inaccurate can be difficult if the data refers to a mistake that has subsequently been corrected. It may be argued that the record of the mistake, in itself, is accurate and should be maintained (as well as the correct version of the data). Where this is the case, the fact that a mistake was made should also be included in the individual's data. For example, a medical record should reflect any incorrect diagnoses given to a patient along with the correct diagnosis and information about the correction made, to provide an accurate record of the patient’s medical treatment.
Similarly, if data is about an opinion, it can be difficult to determine whether the data records an inaccurate opinion as opinions are inherently subjective. Provided that the record clearly shows that the information is an opinion and whose opinion it is (where appropriate), it may be difficult to require an opinion to be corrected for being inaccurate.
What will the organisations do?
When organisations are asked to correct your data, they should take reasonable steps to investigate whether the data is accurate, considering your arguments and any evidence you provide. They should be able to show that they have done this.
Once the organisation has investigated, they should contact you and they should either:
-
confirm that your data has been corrected, deleted, or amended, or
-
inform you that they will not correct the data, explaining why they believe the data to be accurate
If an organisation does not correct the data, they should record that you have challenged the data’s accuracy and the reasons for your challenge.
If an organisation has disclosed your data to others, they must contact the data recipients and inform them that they have corrected or completed the data, unless this is impossible or involves a disproportionate effort. You can ask an organisation to tell you which recipients have received your data.
Can organisations refuse my request?
Organisations can refuse to comply with a request for correction if they believe that the request is ‘manifestly unfounded or excessive’. For example, a request may be manifestly unfounded if you have no intention to exercise your right to rectification and are just hassling the organisation. A request may be excessive if it repeats the substance of previous requests.
Where this is the case, organisations can:
-
request that you pay a reasonable fee for them to deal with the request, or
-
refuse to deal with the request
They will need to inform you of this and justify their decision.
How long do organisations have to respond and can they charge a fee?
Organisations typically have one month to respond to your request. In some circumstances (eg if you’ve made several requests or if proof of ID is required), it’s permitted for organisations to take extra time if they need to do so to consider your request. In such situations, they may take up to an extra two months to respond substantially to your request. If they do this, organisations should inform you within one month that they need more time and should explain why.
Data requests should generally be dealt with and provided free of charge. However, an organisation may be able to charge a fee in some circumstances. These are limited - for example, if the organisation finds the request is manifestly unfounded or excessive.
For more information, read Data protection requests.
What if organisations don’t respond or the response is unsatisfactory?
If an organisation doesn’t respond to your request or you’re dissatisfied with their response, you should contact them first to attempt to resolve the situation. If you do not receive a response or are still dissatisfied with the response, you can complain to the ICO. You can also consider attempting to enforce your data protection rights through the courts. For more information, read Data protection requests.