You can limit the way an organisation uses your personal data if you are concerned about the accuracy of the data or how it is being used. If necessary, you can also stop an organisation deleting your data. Together, these opportunities are known as your ‘right to restriction’.
How you can ask an organisation to restrict the use of your data
To exercise your right to restriction, you should:
- make your request directly to the organisation, and
- say what data you want restricted and why.
If you want to, you can make a request for restriction at the same time as you raise another objection.
A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your concern, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response.
When you can ask an organisation to restrict the use of your data
You can ask organisations to temporarily limit the use of your data when they are considering:
- a challenge you have made to the accuracy of your data, or
- an objection you have made to the use of your data.
You may also ask an organisation to limit the use of your data rather than delete it if:
- the organisation processed your data unlawfully but you do not want it deleted, or
- the organisation no longer needs your data but you want the organisation to keep it in order to create, exercise or defend legal claims.
What to do if the organisation does not respond or you are dissatisfied with the outcome
If you are unhappy with how the organisation has handled your request, you should first complain to it.
Having done so, if you remain dissatisfied you can make a complaint to the ICO.
You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.
How should I raise my concern about how an organisation has handled my information?
You can use the template letter below to help you raise your concerns.
[Your full address]
[Name and address of the organisation]
Dear [Sir or Madam / name of the person you have been in contact with]
Information rights concern
I am concerned that you have not handled my personal information properly.
[Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]
I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.
If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.
You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.
Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me on the following number [telephone number].
What should organisations do?
The organisation must take appropriate steps to restrict the use of your data. These could include:
- temporarily moving your data to another system
- making it unavailable to users, or
- temporarily removing it from a website, if it has been published.
If the organisation has shared the data with others, it must contact each recipient and inform them of the restriction – unless this is impossible or involves a disproportionate effort. It must also inform you about these recipients if you ask.
When can an organisation use restricted data?
The organisation should store the restricted data securely and should not use the data unless:
- it has your consent to do so
- the data is needed for legal claims
- its use is to protect another person’s rights, or
- its use is for reasons of important public interest.
Once the organisation has investigated your complaint, it may decide to lift the restriction and continue using your data. You should be informed before the restriction is lifted.
When can the organisation say no?
If it believes that a request is, as the law states, “manifestly unfounded or excessive”, an organisation can:
- request a reasonable fee to deal with the request, or
- refuse to deal with the request.
In either case it will need to tell you and justify its decision.
How long should the organisation take?
An organisation has one calendar month to respond to your request. In certain circumstances the organisation may need extra time to consider your request and can take up to an additional two months. If it is going to do this, it should let you know within one month that it needs extra time and the reason why. For more information, see our guidance on Time Limits.
Can it charge a fee for this?
An organisation can only charge a fee if the request is “manifestly unfounded or excessive”. It may then ask for a reasonable fee to cover administrative costs associated with the request.