Under the right to rectification, you can challenge the accuracy of personal data held about you by an organisation, and ask for it to be corrected. If your data is incomplete, you can also ask the organisation to complete it by adding more detail.
Under article 16 of the UK General Data Protection Regulations (GDPR), individuals have the ‘right to rectification’. This right allows individuals to request that any inaccurate personal data held by businesses or other organisations about them is corrected. Read this guide to find out how you can ask for your data to be corrected.
What is the right to rectification?
How can my data be corrected?
You should contact the organisation holding the inaccurate or incomplete personal data, informing them that you are challenging the accuracy of your data and that you wish for it to be corrected. You should:
clearly state what information you consider to be inaccurate or incomplete
explain how it should be corrected
provide evidence of the inaccuracy, where evidence is available
A request to have your data corrected can be made verbally or in writing; however, it is recommended that you make such a request in writing in order to have a record of the request. If you make a verbal request, you should follow up in writing to explain your concern, give evidence and state your desired solution.
You can consider using the template provided by the Information Commissioner’s Office (ICO) to make a rectification request.
What if the data records a mistake or opinion?
Determining whether data is inaccurate can be difficult if the data refers to a mistake that has subsequently been corrected. It may be possible to argue that the record of the mistake, in itself, is accurate and should be maintained. Where this is the case, the fact that a mistake was made and the correct information should also be included in the individual's data. For example, a medical record should reflect any incorrect diagnoses given to a patient along with the correct diagnosis, to provide an accurate record of the patient’s medical treatment.
Similarly, it can be difficult to determine whether the data in question records an inaccurate opinion as opinions are by nature subjective. Provided that the record clearly shows that the information is an opinion and whose opinion it is (where appropriate), it may be difficult to require an opinion to be corrected for being inaccurate.
What will the organisations do?
When organisations are asked to correct your data, they should take reasonable steps to investigate whether the data is accurate, considering your arguments and any evidence you provide. They should be able to demonstrate that they have done this.
You should then be contacted and the organisation should either:
confirm that your data has been corrected, deleted or amended, or
inform you that they will not correct the data, explaining why they believe the data to be accurate
If an organisation does not correct the data, they should record that you have challenged the data’s accuracy and why, as a matter of good practice.
If an organisation has disclosed your data to others, they must contact the data recipients and inform them that the data has been corrected or completed, unless this is impossible or involves a disproportionate effort. You can ask an organisation to inform you of which recipients have received your data.
Can organisations refuse my request?
Organisations can refuse to comply with a request for correction if they believe that the request is ‘manifestly unfounded or excessive’. For example, a request may be manifestly unfounded if you have no intention to exercise your right to rectification. A request may be excessive if it repeats the substance of previous requests.
Where this is the case, organisations can:
request a reasonable fee to deal with the request, or
refuse to deal with the request
They will need to inform you of this and justify their decision.
How long do organisations have to respond and can they charge a fee?
Organisations generally have one month to respond to your request. In some circumstances (eg if you have made several requests or where proof of ID is required), organisations may need extra time to consider your request and can take up to an extra two months to respond. Organisations should inform you within one month if they need more time and explain why.
While data requests should generally be dealt with and provided free of charge, an organisation may be able to charge a fee in certain, limited circumstances (eg where the organisation finds the request to be manifestly unfounded or excessive).
For more information, read Data protection requests.
What if organisations don’t respond or the response is unsatisfactory?
If an organisation doesn’t respond to your request or you are dissatisfied with their response, you should contact the organisation. If you do not receive a response or remain dissatisfied with the response, you can complain to the ICO. You can also consider seeking enforcement through the courts. For more information, read Data protection requests.