Control measure: Processes are in place to allow people to challenge the accuracy of information held about them and to have it corrected, where appropriate.

Risk: If people can't challenge inaccuracies, inaccurate information may be processed. This may breach UK GDPR article 5(1)(d).

Ways to meet our expectations:

  • Document how to handle rectification requests in sufficient detail in policies, including who oversees the request process and how.
  • Have a process to determine whether information is inaccurate, and how to correct it quickly or document the inaccuracy, if you can’t rectify it.
  • Ensure policies have appropriate document and version control.
  • Communicate policies to staff and make policies readily available for them to refer to.
  • Keep policies up-to-date, particularly with any changes to data protection law.

Options to consider:

  • Include specific processes for erasure requests within your policy about how to handle individual rights.
  • Use reliable indexes, file content pages, and descriptions of documents to help locate paper records quickly.
  • Use appropriate search functionality and metadata to help locate electronic records quickly.

Control measure: Processes are in place to inform third parties quickly if inaccurate information has been shared with them.

Risk: If third parties aren't informed quickly when inaccuracies are identified, they may process inaccurate information further. This may breach UK GDPR article 5(1)(d).

Ways to meet our expectations:

  • Have a process to inform third parties about any request for rectification, if you have shared inaccurate personal information with them.
  • Document responsibilities and processes for rectification requests in contracts with processors.
  • Document responsibilities for rectification requests in sharing agreements with other controllers. 
  • Measure performance and compliance metrics or key performance indicators for rectification requests (eg the number of requests received and the time taken to inform third parties).

Options to consider:

  • Include specific processes for rectification requests within your policy about how to handle individual rights.
  • Track the number or percentage of requests where you identified inaccurate information, and feed this into data quality processes or staff awareness exercises.

Control measure: The quality of information held in records or systems is reviewed regularly to ensure it is adequate for its purpose.

Risk: If the information processed is not checked regularly, it may be inadequate or poor quality. This may breach UK GDPR article 5(1)(c).

Ways to meet our expectations:

  • Complete data quality reviews to confirm that information is still accurate, adequate and not excessive for the purpose you are processing it for.
  • Take appropriate actions to resolve data quality issues and update processes and staff after reviews.

Options to consider:

  • Document data quality reviews in your internal audit programme.
  • Use standard formats or system validation rules to ensure you collect quality information.
  • Set up automated alerts for information that doesn’t meet data quality requirements. 
  • Generate system reports of missing or incorrectly formatted information and report to senior managers regularly.

Control measure: There are ongoing awareness campaigns and training for staff to emphasise the importance of good data quality, and feedback is given following data quality checks.

Risk: If staff are not aware of the importance of data quality, data quality issues may continue or worsen. This may breach UK GDPR articles 5(1)(c-f), 5(2), and 32.

Ways to meet our expectations:

  • Train new staff on data quality at induction and refresh training periodically.
  • Communicate data quality issues to staff to raise awareness (eg using posters, team meetings, reminder emails, and newsletters).
  • Provide feedback quickly to relevant staff on findings from data quality reviews.

Options to consider:

  • Review data quality training content regularly to keep it up-to-date.
  • Communicate regular data quality reminders or run data quality awareness campaigns covering common issues.