The ICO exists to empower you through information.

You can challenge the accuracy of personal data held about you by an organisation, and ask for it to be corrected or deleted. This is known as the ‘right to rectification’. If your data is incomplete, you can ask for the organisation to complete it by adding more details.

How to get your data corrected

To exercise your right you should inform the organisation that you are challenging the accuracy of your data and want it corrected. You should:

  • state clearly what you believe is inaccurate or incomplete
  • explain how the organisation should correct it, and
  • where available, provide evidence of the inaccuracies.

A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your complaint, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response. 

How should I raise my complaint about how an organisation has handled my information?

You can use the template letter below to help you raise your complaints.

       [Your full address]
   [Your phone number]
                  [The date]

[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Data Protection Complaint
[Your full name and address and any other details such as account number to help identify you]

I am concerned that you have not handled personal information properly.

[Give details of your complaint, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]

I understand that before reporting my complaint to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my complaint to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within 30 days. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [telephone number].

Yours faithfully
[Signature]

 

What about data that records a mistake?

It can be complex to decide whether data is inaccurate if it refers to a mistake that has then been put right. An organisation could argue that the fact the mistake was made is an accurate thing to record, so it should record the mistake alongside the correct data.

Example

A doctor finds that a patient has a particular illness and notes it in their medical records. Sometime later, this diagnosis is found to be wrong. It is likely that the medical records should include both the initial diagnosis and the final findings because this gives an accurate record of the patient’s medical treatment. As long as the medical record contains the up-to-date findings, and this is made clear in the record, it would be difficult to argue that the record is inaccurate and should be corrected.

What about data that records an opinion?

It is also complex if the data in question records an opinion. Opinions are, by nature, subjective. As long as the record is clear that the data is an opinion and, where appropriate, whose opinion it is, it can be difficult to maintain it is inaccurate and needs to be corrected.

What to do if the organisation does not respond or you are dissatisfied with the outcome

If you are unhappy with how the organisation has handled your request, you should first complain to it .

Having done so, if you remain dissatisfied you can make a complaint to the ICO .

You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise that you seek independent legal advice first.

What organisations should do

When an organisation is asked to correct data, it should take reasonable steps to investigate whether the data is accurate, and should be able to demonstrate it has done so. To do this it should consider your arguments and any evidence you provide.

The organisation should then contact you and either:

  • confirm it has corrected, deleted or added to the data, or
  • inform you it will not correct the data, and explain why it believes the data is accurate.

If the organisation refuses to correct the data, as a matter of good practice it should record that you have challenged the data’s accuracy and why.

If the organisation has disclosed the data to others, it must contact them and tell them the data has been corrected or completed – unless this is impossible or involves a disproportionate effort. When asked, the organisation must inform you which recipients have received the data.

 When else can the organisation say no?

The organisation can refuse to comply with a request for rectification if it believes that the request is what the law calls “manifestly unfounded or excessive”. In reaching this decision, it can take into account whether the request is repetitive.

 In such circumstances the organisation can: 

  • request a reasonable fee to deal with the request, or
  • refuse to deal with the request.

In either case it will need to tell you and justify its decision.

How long should the organisation take?

An organisation has one month to respond to your request. In certain circumstances it may need extra time to consider your request and can take up to an extra two months. If it is going to do this, it should let you know within one month that it needs more time and why. For more on this, see our guidance on Time Limits.

Can it charge a fee?

An organisation can only charge a fee if it thinks the request is “manifestly unfounded or excessive”. If so, it may ask for a reasonable fee for administrative costs associated with the request.