Correction, Blocking, Erasure and Destruction
In a seashell
PIPA includes a right for individuals to have inaccurate personal information corrected, or completed if it is incomplete.
An individual must make a request for correction in writing.
You as an organisation have 45 days to respond to a request.
In certain circumstances you can refuse a request for correction.
This right is closely linked to the organisation’s obligations under the integrity principle of PIPA.
Preparing for requests for correction: checklist
☐ We know how to recognise a request for correction and we understand when this right applies.
☐ We have a policy for how to record requests we receive in writing.
☐ We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
Complying with requests for correction: checklist
☐ We have processes in place to ensure that we respond to a request for correction without undue delay and within 45 days of receipt.
☐ We are aware of the circumstances when we can extend the time limit to respond to a request.
☐ We have appropriate systems to correct or complete information or provide a supplementary statement.
☐ We have procedures in place to inform any recipients if we correct any information we have shared with them.
What is the right to correction?
Under section 19 of PIPA, individuals have the right to have inaccurate personal information corrected. An individual may also be able to have incomplete personal information completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete information.
This right has close links to the integrity of personal information principle of PIPA (section 12). However, although you may have already taken steps to ensure that the personal information was accurate when you obtained it, this right imposes a specific obligation to reconsider the accuracy upon request.
What do we need to do?
If you receive a request for correction, you should take reasonable steps to satisfy yourself that the information is accurate and to correct the information if necessary. You should take into account the arguments and evidence provided by the applicant.
What steps are reasonable will depend on the nature of the personal information and what it will be used for. The more important it is that the personal information is accurate, the greater the effort you should put into checking its accuracy and, if necessary, taking steps to correct it. For example, you should make a greater effort to correct inaccurate personal information if it is used to make significant decisions that will affect an individual or others, rather than trivial ones.
You may also take into account any steps you have already taken to verify the accuracy of the information prior to the challenge by the individual.
When is information inaccurate?
PIPA does not define “accurate” or “accuracy”. However, the most commonly accepted meaning of “inaccurate” is “incorrect or misleading as to any matter of fact”. It will usually be obvious whether personal information is accurate.
You must always be clear about what you intend the record of the personal information to show. What you use it for may affect whether it is accurate or not. For example, just because personal information has changed doesn’t mean that a historical record is inaccurate – but you must be clear that it is a historical record.
What should we do about information that records a mistake?
Determining whether personal information is inaccurate can be more complex if the information refers to a mistake that has subsequently been resolved. It may be possible to argue that the record of the mistake is, in itself, accurate and should be kept. In such circumstances, the fact that a mistake was made, and the correct information, should also be included in the individual’s information.
If a patient is diagnosed by a GP as suffering from a particular illness or condition, but it is later proved that this is not the case, it is likely that their medical records should record both the initial diagnosis (even though it was later proved to be incorrect) and the final findings. Whilst the medical record shows a misdiagnosis, it is an accurate record of the patient’s medical treatment. As long as the medical record contains the up-to-date findings, and this is made clear in the record, it would be difficult to argue that the record is inaccurate and should be corrected.
What should we do about information that records a disputed opinion?
It is also complex if the information in question records an opinion. Opinions are, by their very nature, subjective, and it can be difficult to conclude that the record of an opinion is inaccurate. As long as the record shows clearly that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be corrected.
What should we do while we are considering the accuracy of the information?
As a matter of good practice, you should block the use of the personal information in question whilst you are verifying its accuracy.
What should we do if we are satisfied that the information is accurate?
You should let the individual know if you are satisfied that the personal information is accurate, and tell them that you will not be amending the information. You should explain your decision and inform them of their right to make a complaint to PrivCom.
It is also good practice to place a note on your system indicating that the individual challenges the accuracy of the information and their reasons for doing so.
Can we refuse to comply with the request for correction for other reasons?
You can refuse to comply with a request if it is manifestly unreasonable.
To be able to decide if a request is manifestly unreasonable, you must consider each request on a case-by-case basis. You should not have a blanket policy.
You must be able to demonstrate to the individual why you consider the request is manifestly unreasonable and, if asked, explain your reasons to the Commissioner.
What does “manifestly unreasonable” mean?
A request may be manifestly unreasonable if:
the individual clearly has no intention to exercise their right to correction. For example, an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption.
This is not a simple tick list exercise that automatically means a request is manifestly unreasonable. You must consider a request in the context in which it is made and you are responsible for demonstrating that it is manifestly unreasonable.
Also, you should not presume that a request is manifestly unreasonable because the individual has previously submitted requests which have been manifestly unreasonable, or because it includes aggressive or abusive language.
The inclusion of the word “manifestly” means there must be an obvious or clear quality to it being unreasonable. You should consider the specific situation and whether the individual genuinely wants to exercise their rights. If this is the case, it is unlikely that the request will be manifestly unreasonable.
An individual believes that information held about them is inaccurate. They repeatedly request its correction, but you have previously investigated and told them you consider their information to be accurate. The individual continues to make requests along with unsubstantiated claims against you as the organisation. You refuse the most recent request because it is manifestly unreasonable and you notify the individual of this.
What should we do if we refuse to comply with a request for correction?
You must inform the individual without undue delay and within 45 days of receipt of the request about:
the reasons you are not taking action; and
their right to make a complaint to PrivCom.
You should also provide this information if you request a reasonable fee or need additional information to identify the individual.
How can we recognise a request?
PIPA specifies that an individual (applicant) must make a written request to the organisation setting out sufficient detail to enable the organisation, with a reasonable effort, to identify the personal information in respect of which the request is made.
A request to correct personal information does not need to mention the phrase “request for correction” or section 19 of PIPA to be a valid request. As long as the individual has challenged the accuracy of their information and has asked you to correct it or has asked that you take steps to complete the information held about them that is incomplete, this will be a valid request under section 19.
You have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore, you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request and refer them to your privacy notice.
Additionally, it is good practice to have a policy for recording details of the requests you receive. You may wish to check with the applicant that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of all requests.
How long do we have to comply?
You must comply with a request for correction without undue delay and at the latest within 45 days of receipt of the request or (if later) within an additional 30 days if section 20(6) applies.
Can we extend the time for a response?
You can extend the time to respond by a further 30 days if the request is complex or you have received several requests from the individual. You must let the individual know, explain why the extension is necessary, and tell them when a response from the organisation can be expected.
Can we ask an individual for ID?
Yes. You need to be satisfied that you know the identity of the applicant (or the person the request is made on behalf of). If you are unsure, you can ask for information to verify an individual’s identity. The timescale for responding to a request does not begin until you have received the requested information. However, you should request ID documents promptly as part of the request acknowledgement.
Do we have to tell other organisations if we correct personal information?
If you have disclosed the personal information to other organisations, you must notify each of the organisations and inform them of the correction or completion of the personal information – unless it would be unreasonable to do so. You must also inform the individual about the organisations to whom their personal information has been disclosed.