Profile information Account settings
Logout
Sign up Log in

Data rectification requests

Article 16 of the UK General Data Protection Regulations (GDPR) gives individuals the ‘right to rectification’. This right allows people to request that any inaccurate personal data concerning them that businesses or other organisations hold be corrected. Read this guide to find out how you can ask for your data to be corrected.

Under the right to rectification, you can challenge the accuracy of any personal data that an organisation holds about you. You can ask for it to be corrected or, if it’s incomplete, completed with the addition of more detail.

You should contact the organisation that holds the inaccurate or incomplete personal data and inform them that you are challenging the accuracy of your data and that you wish for it to be corrected. You should:

  • clearly state what information you consider to be inaccurate or incomplete 

  • explain how it should be corrected

  • provide evidence of the inaccuracy, if such is available

You can make a request to have your data corrected verbally or in writing. However, it is recommended that you make such a request in writing so that you have a record of the request. If you make a verbal request, you should follow up in writing to explain your concern, give evidence, and state your desired solution.

You can use the template provided by the Information Commissioner’s Office (ICO) to make a rectification request.

Determining whether data is inaccurate can be difficult if the data refers to a mistake that has subsequently been corrected. It may be argued that the record of the mistake, in itself, is accurate and should be maintained (as well as the correct version of the data). Where this is the case, the fact that a mistake was made should also be included in the individual's data. For example, a medical record should reflect any incorrect diagnoses given to a patient along with the correct diagnosis and information about the correction made, to provide an accurate record of the patient’s medical treatment. 

Similarly, if data is about an opinion, it can be difficult to determine whether the data records an inaccurate opinion as opinions are inherently subjective. Provided that the record clearly shows that the information is an opinion and whose opinion it is (where appropriate), it may be difficult to require an opinion to be corrected for being inaccurate.

When organisations are asked to correct your data, they should take reasonable steps to investigate whether the data is accurate, considering your arguments and any evidence you provide. They should be able to show that they have done this.

Once the organisation has investigated, they should contact you and they should either:

  • confirm that your data has been corrected, deleted, or amended, or

  • inform you that they will not correct the data, explaining why they believe the data to be accurate

If an organisation does not correct the data, they should record that you have challenged the data’s accuracy and the reasons for your challenge.

If an organisation has disclosed your data to others, they must contact the data recipients and inform them that they have corrected or completed the data, unless this is impossible or involves a disproportionate effort. You can ask an organisation to tell you which recipients have received your data.

Organisations can refuse to comply with a request for correction if they believe that the request is ‘manifestly unfounded or excessive’. For example, a request may be manifestly unfounded if you have no intention to exercise your right to rectification and are just hassling the organisation. A request may be excessive if it repeats the substance of previous requests.

Where this is the case, organisations can:

  • request that you pay a reasonable fee for them to deal with the request, or

  • refuse to deal with the request

They will need to inform you of this and justify their decision.

Organisations typically have one month to respond to your request. In some circumstances (eg if you’ve made several requests or if proof of ID is required), it’s permitted for organisations to take extra time if they need to do so to consider your request. In such situations, they may take up to an extra two months to respond substantially to your request. If they do this, organisations should inform you within one month that they need more time and should explain why. 

Data requests should generally be dealt with and provided free of charge. However, an organisation may be able to charge a fee in some  circumstances. These are limited - for example, if the organisation finds the request is manifestly unfounded or excessive.

For more information, read Data protection requests.

If an organisation doesn’t respond to your request or you’re dissatisfied with their response, you should contact them first to attempt to resolve the situation. If you do not receive a response or are still dissatisfied with the response, you can complain to the ICO. You can also consider attempting to enforce your data protection rights through the courts. For more information, read Data protection requests.