At a glance
- Individuals have the right to have personal data rectified.
- You can rectify personal data if it is inaccurate or incomplete.
- You must rectify any inaccurate personal data that relates to the individual without undue delay, and in any event within one month.
- When should we rectify personal data?
- What do we need to do to comply?
- What if the request is manifestly unfounded or excessive?
- How long do we have to comply?
- When can we limit the provision of information?
You must rectify inaccurate personal data when it becomes apparent, or, if an individual requests it. If personal data is identified as inaccurate as a matter of fact, or incomplete, you must seek to amend this by rectifying or completing the data. If you are unable to correct it, you could provide a supplementary statement to rectify personal data which is inaccurate if appropriate. In circumstances such as policing, you can keep accurate records of allegations made, even if the allegations are unfounded.
The right to rectification applies, in particular, to matters of fact. For example, there may be inaccuracies in the details of a criminal conviction held on the Police National Computer. An individual may receive a copy of their criminal record and request that an incorrect entry for Grievous Bodily Harm is corrected to Actual Bodily Harm, or vice versa, to reflect the correct conviction. The controller may restrict the right to rectification if, for example, it obstructs an investigation, such as a request to rectify the content of a witness statement.
If you need to maintain personal data for the purposes of evidence, you must restrict its processing (instead of rectifying it). There is further information in the next section about restricting the processing of personal data.
If this happens, an individual may raise a complaint with the Information Commissioner.
An individual can make a request for rectification verbally or in writing. Therefore, it is good practice to have a policy for recording details of the requests you receive, including those made by telephone or in person. You may wish to check with the requester that you have understood their request as this can help avoid later disputes. We also recommend that you keep a log of verbal requests.
If you have reasonable doubts about the identity of an individual, you can request more information to confirm their identity. You can put dealing with the request on hold until you receive further information to establish their identity.
Your request for verification should be reasonable and proportionate, taking into consideration the nature of the personal data you hold and your relationship with the individual.
If you have disclosed the personal data in question to third parties, you must inform them of the rectification. The third parties also have to rectify the information they hold. You must also inform the competent authority (if any) where the inaccurate personal data originated from.
If you refuse a request for rectification, you must tell the individual, informing them of their right to raise a complaint with the Information Commissioner or taking matters to court.
If requests are manifestly unfounded or excessive, in particular because they are repetitive, you can:
- charge a reasonable fee taking into account the administrative costs of providing the information; or
- refuse to respond.
You have to be able to demonstrate how a request is manifestly unfounded or excessive.
You must respond to the request without delay and at the latest within one calendar month, from the first day after the request was received.
If you receive a request on 30 June the time limit will start on 1 July and the deadline will be 1 August.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond.
For practical purposes if a consistent number of days is required (eg for a computer system), you should adopt a 28-day period to ensure compliance is always within a calendar month.
If you receive a request for rectification, you must inform the individual in writing whether you have granted the request; and if you have refused, the reasons why, as well as the process for raising a complaint with the Information Commissioner or taking matters to court.
You may limit the provision of information to:
- avoid obstructing an official or legal inquiry, investigation or procedure;
- avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
- protect public security;
- protect national security; or
- protect the rights and freedoms of others.
You need to justify any restriction you apply as necessary and proportionate. Again, you should also consider whether refusal or rectification in itself prejudices an ongoing investigation, as it may well indicate to an individual that you are processing their personal data.
You still need to inform the individual about their right to raise a complaint with the Information Commissioner or take matters to court.
In addition, you should keep a record of your decisions and provide this reasoning to the Information Commissioner, if required.