At a glance
- The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
- An individual can make a request for rectification verbally or in writing.
- You have one calendar month to respond to a request.
- In certain circumstances you can refuse a request for rectification.
- This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article (5)(1)(d)).
Preparing for requests for rectification
☐ We know how to recognise a request for rectification and we understand when this right applies.
☐ We have a policy for how to record requests we receive verbally.
☐ We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
Complying with requests for rectification
☐ We have processes in place to ensure that we respond to a request for rectification without undue delay and within one month of receipt.
☐ We are aware of the circumstances when we can extend the time limit to respond to a request.
☐ We have appropriate systems to rectify or complete information, or provide a supplementary statement.
☐ We have procedures in place to inform any recipients if we rectify any data we have shared with them.
What is the right to rectification?
Under Article 16 of the GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.
This right has close links to the accuracy principle of the GDPR (Article 5(1)(d)). However, although you may have already taken steps to ensure that the personal data was accurate when you obtained it, this right imposes a specific obligation to reconsider the accuracy upon request.
What do we need to do?
If you receive a request for rectification you should take reasonable steps to satisfy yourself that the data is accurate and to rectify the data if necessary. You should take into account the arguments and evidence provided by the data subject.
What steps are reasonable will depend, in particular, on the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort you should put into checking its accuracy and, if necessary, taking steps to rectify it. For example, you should make a greater effort to rectify inaccurate personal data if it is used to make significant decisions that will affect an individual or others, rather than trivial ones.
You may also take into account any steps you have already taken to verify the accuracy of the data prior to the challenge by the data subject.
When is data inaccurate?
The GDPR does not give a definition of the term accuracy. However, the Data Protection Act 2018 (DPA 2018) states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact.
What should we do about data that records a mistake?
Determining whether personal data is inaccurate can be more complex if the data refers to a mistake that has subsequently been resolved. It may be possible to argue that the record of the mistake is, in itself, accurate and should be kept. In such circumstances the fact that a mistake was made and the correct information should also be included in the individuals data.
If a patient is diagnosed by a GP as suffering from a particular illness or condition, but it is later proved that this is not the case, it is likely that their medical records should record both the initial diagnosis (even though it was later proved to be incorrect) and the final findings. Whilst the medical record shows a misdiagnosis, it is an accurate record of the patient's medical treatment. As long as the medical record contains the up-to-date findings, and this is made clear in the record, it would be difficult to argue that the record is inaccurate and should be rectified.
What should we do about data that records a disputed opinion?
It is also complex if the data in question records an opinion. Opinions are, by their very nature, subjective, and it can be difficult to conclude that the record of an opinion is inaccurate. As long as the record shows clearly that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified.
What should we do while we are considering the accuracy?
Under Article 18 an individual has the right to request restriction of the processing of their personal data where they contest its accuracy and you are checking it. As a matter of good practice, you should restrict the processing of the personal data in question whilst you are verifying its accuracy, whether or not the individual has exercised their right to restriction. For more information, see our guidance on the right to restriction.
What should we do if we are satisfied that the data is accurate?
You should let the individual know if you are satisfied that the personal data is accurate, and tell them that you will not be amending the data. You should explain your decision, and inform them of their right to make a complaint to the ICO or another supervisory authority; and their ability to seek to enforce their rights through a judicial remedy.
It is also good practice to place a note on your system indicating that the individual challenges the accuracy of the data and their reasons for doing so.
Can we refuse to comply with the request for rectification for other reasons?
You can refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If you consider that a request is manifestly unfounded or excessive you can:
- request a "reasonable fee" to deal with the request; or
- refuse to deal with the request.
In either case you will need to justify your decision.
You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual without undue delay and within one month. You do not need to comply with the request until you have received the fee.
In more detail – Data Protection Act 2018
There are other exemptions from the right to rectification contained in the DPA 2018. These exemptions will apply in certain circumstances, broadly associated with why you are processing the data. We will provide guidance on the application of these exemptions in due course.
What should we do if we refuse to comply with a request for rectification?
You must inform the individual without undue delay and within one month of receipt of the request about:
- the reasons you are not taking action;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy.
You should also provide this information if you request a reasonable fee or need additional information to identify the individual.
How can we recognise a request?
The GDPR does not specify how to make a valid request. Therefore, an individual can make a request for rectification verbally or in writing. It can also be made to any part of your organisation and does not have to be to a specific person or contact point.
A request to rectify personal data does not need to mention the phrase ‘request for rectification’ or Article 16 of the GDPR to be a valid request. As long as the individual has challenged the accuracy of their data and has asked you to correct it, or has asked that you take steps to complete data held about them that is incomplete, this will be a valid request under Article 16.
This presents a challenge as any of your employees could receive a valid verbal request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.
Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.
Can we charge a fee?
No, in most cases you cannot charge a fee to comply with a request for rectification.
However, as noted above, if the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.
How long do we have to comply?
You must act upon the request without undue delay and at the latest within one month of receipt.
You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
An organisation receives a request on 3 September. The time limit will start from the next day (4 September). This gives the organisation until 4 October to comply with the request.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
An organisation receives a request on 30 March. The time limit starts from the next day (31 March). As there is no equivalent date in April, the organisation has until 30 April to comply with the request.
If 30 April falls on a weekend, or is a public holiday, the organisation has until the end of the next working day to comply.
For practical purposes, if a consistent number of days is required (eg for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
Can we extend the time to respond to a request?
You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know without undue delay and within one month of receiving their request and explain why the extension is necessary.
The circumstances in which you can extend the time to respond can include further consideration of the accuracy of disputed data - although you can only do this in complex cases - and the result may be that at the end of the extended time period you inform the individual that you consider the data in question to be accurate.
However, it is the ICO's view that it is unlikely to be reasonable to extend the time limit if:
- it is manifestly unfounded or excessive;
- an exemption applies; or
- you are requesting proof of identity before considering the request.
Can we ask an individual for ID?
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.
You must let the individual know without undue delay and within one month that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.
Do we have to tell other organisations if we rectify personal data?
If you have disclosed the personal data to others, you must contact each recipient and inform them of the rectification or completion of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.
The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.