Guide to Data Protection Act for Data Controllers

Individual rights

The right to rectification

At a glance

  • The fourth data protection principle (the data accuracy principle) requires that data controllers ensure personal data is accurate and, where necessary, up to date.

  • The DPA includes, indirectly, a right for individuals to have inaccurate personal data rectified or completed if it is incomplete, insofar as the data controller is convinced of the validity of the request. Although there is no explicit legal obligation for the data controller to act on a direct request for rectification from an individual, as a matter of fairness derived from the first data protection principle, and also as a consequence of the fourth data protection principle (data accuracy), data controllers should correct inaccurate data and update outdated data without undue delay.

  • An individual can complain to the Ombudsman, who may issue an order for rectification, blocking, erasure or destruction of the data in question where the complaint is upheld.

  • In certain circumstances a request for rectification can be refused.  

Checklist

Preparing for requests for rectification

  • We know how to recognize a request for rectification and we understand when this right applies.
  • We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

Complying with requests for rectification

  • We have processes in place to ensure that we respond to a request for rectification without undue delay.
  • We have appropriate systems to rectify or complete information, or provide a supplementary statement.
  • We have procedures in place to inform any recipients if we rectify any data we have shared with them. 

In brief

What is the right to rectification?

Under sections 14 and 43 of the DPA individuals have the right to complain to the Ombudsman and have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.

However, you may have already taken steps to correct inaccurate data when an individual brought it to your attention.

This right has close links to the fourth data protection principle (the data accuracy principle) in Schedule 1 of the DPA which requires that data controllers keep the personal data they are processing accurate and, where necessary, up to date. See more on the fourth data protection principle here.

In some circumstances the right to rectification may also be linked with the individual’s right to stop or restrict the processing.

What do you need to do?

If you receive a request for rectification you should take reasonable steps to satisfy yourself whether the data is accurate and to rectify or update the data, if necessary. You should take into account the arguments and evidence provided by the data subject.

What steps are reasonable will depend, in particular, on the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort you should put into checking its accuracy and, if necessary, taking steps to rectify it. For example, you should make a greater effort to rectify inaccurate personal data if it is used to make significant decisions that will affect an individual or others, rather than trivial ones.

You may also take into account any steps you have already taken to verify the accuracy of the data prior to the challenge by the data subject.

You are not obligated to correct inaccurate personal data, unless you are ordered to do so by the Ombudsman. However, it makes sense to do so when possible. 

When is data inaccurate?

Section 2 of the DPA defines inaccuracy of data as follows:

“inaccurate”, in relation to personal data, includes data that are misleading, incomplete or out of date 

What should you do about data that records a mistake?

Determining whether personal data is inaccurate can be more complex if the data refers to a mistake that has subsequently been resolved. It may be possible to argue that the record of the mistake is, in itself, accurate and should be kept. In such circumstances the fact that a mistake was made and the correct information should also be included in the individual’s data. Indeed, in some cases it may be necessary to preserve inaccurate or incomplete personal data, for example as part of a record of audit or a record of complaints handling.

Example

If a patient is diagnosed by a GP as suffering from a particular illness or condition, but it is later proved that this is not the case, it is likely that their medical records should record both the initial diagnosis (even though it was later proved to be incorrect) and the final findings. While the medical record shows a misdiagnosis, it is an accurate record of the patient's medical treatment. As long as the medical record contains the up-to-date findings, and this is made clear in the record, it may be difficult to argue that the record is inaccurate and should be rectified. 

What should you do about data that records a disputed opinion? 

Opinions are, by their very nature, subjective, and it can be difficult to conclude that the record of an opinion is inaccurate. As long as the record shows clearly that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified. 

Can you keep processing data while you are considering their accuracy?

If an individual tells you that personal data is inaccurate or (where applicable) out of date, you should verify whether that is true. As a matter of best practice, you should restrict the processing of the personal data in question while you are verifying its accuracy, whether or not the individual has exercised their right to restriction.

The same approach should be practiced while the complaint is under investigation by the Ombudsman, until she has reached conclusions in the matter. 

What should you do if you disagree with the request for rectification?

While in regard to a request for access under section 8 of the DPA (see here for the right to access) you can refuse to act if the request is manifestly unfounded or excessive, the DPA does not provide for reasons for refusing a request for rectification.

You should let the individual know if you are satisfied that the personal data is accurate, and tell them that you will not be amending the data. You should explain your decision, and inform them of their right to complain to the Ombudsman, and their ability to seek to enforce their rights through a judicial remedy.

It is best practice to place a note on your system or file indicating that the individual challenges the accuracy of the data and their reasons for doing so.

What are the exemptions to the right to rectification?

The DPA recognizes the following exemptions (see here for exemptions) from the right to rectification:

  • Section 18: exemption relating to national security;
  • Section 24: exemption relating to information available to the public by the Act;
  • Section 25: exemption relating to disclosure required by the Act or made in connection with legal proceedings; and
  • Section 26: exemption relating to personal, family or household affairs.

How can you recognize a request for rectification?

The DPA does not specify how to make a request for rectification. An individual can make a request for rectification verbally or in writing. It can also be made to any part of your organisation and does not have to be to a specific person or contact point.

A request to rectify personal data does not need to mention the phrase ‘request for rectification’ or the fourth data protection principle of the DPA to be a valid request. As long as the individual has challenged the accuracy of their data and has asked you to correct it, or has asked that you take steps to complete data held about them that is incomplete, this will be a valid request.

This presents a challenge as any of your employees could receive a valid verbal request. Therefore, you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.

Additionally, it is best practice to have a policy for recording details of the requests you receive in a log, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. 

Can you charge a fee for responding to a request for rectification?

No, you cannot charge a fee to comply with a request for rectification. 

While in regard to a request for access under section 8 of the DPA (see here for the right to access) you can charge a reasonable fee if the request is manifestly unfounded or excessive because it would divert your resources unreasonably, the DPA does not provide for any fee to be charged in connection with a request for rectification.

How long do you have to comply with a request for rectification?

The DPA does not set any procedures or timelines for your response to a request for rectification. Instead it anticipates that the individual complains to the Ombudsman who may then investigate and issue an order where appropriate. 

Can you ask an individual for ID when they make a request for rectification?

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.

You should let the individual know without undue delay that you need more information from them to confirm their identity. 

Do you have to tell other organisations if you rectify personal data?

If you have disclosed the inaccurate personal data to third parties, you should contact each third party and inform them of the rectification or completion of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these third parties.

The DPA defines a third party as follows: 

“third party”, in relation to personal data, means any person other than -

(a) the data subject;

(b) the data controller; or

(c) any data processor or other person authorised to process data for the data controller or data processor.

If the Ombudsman makes an order for data rectification, she may order you to notify third parties to whom the data has been disclosed of the rectification, if it is considered reasonably practicable.

You will remain responsible for the accuracy of any processing conducted by your processors. 

Relevant provisions

Data Protection Act (2021 Revision)

Schedule 1, part 1, paragraph 4: Fourth data protection principle – Data accuracy

Section 14: Rectification, blocking, erasure or destruction

Section 43: Complaints to the Ombudsman

Section 45: Enforcement orders

Data Protection Regulations, 2018:

Regulation 3: Fees for requests
