- POPIA includes a right for data subjects to have inaccurate, incomplete or out of date personal information corrected, completed, or deleted.
- An data subject must make a request for rectification in writing using the prescribed form online, or paper-based.
- You must respond to a request as soon as reasonably practicable.
- The data subject may request that you provide, to his or her satisfaction, credible evidence in support of the information being correct or deleted.
- In certain circumstances you can refuse a request for rectification.
- This right is closely linked to the responsible party’s obligations under the information quality condition of POPIA.
Preparing for requests for rectification
☐ We know how to recognise a request for rectification and we understand when this right applies.
☐ We understand when we can refuse a request and are aware of the information we need to provide to data subjects when we do so.
Complying with requests for rectification
☐ We have processes in place to ensure that we respond to a request for rectification as soon as reasonably practicable.
☐ We are aware of the circumstances when we can extend the time limit to respond to a request.
☐ We have appropriate systems to rectify or complete information, or provide a supplementary statement.
☐ We have procedures in place to inform any recipients if we rectify any information we have shared with them.
- What is the right to rectification?
- What do we need to do?
- When is information inaccurate?
- What should we do about data that records a mistake?
- What should we do about data that records a disputed opinion?
- What should we do while we are considering the accuracy?
- What should we do if we are satisfied that the data is accurate?
- Can we refuse to comply with the request for rectification for other reasons?
- What does manifestly unfounded mean?
- What does excessive mean?
- What should we do if we refuse to comply with a request for rectification?
- How can we recognise a request?
- Can we charge a fee?
- How long do we have to comply?
- Can we extend the time for a response?
- Can we ask an data subject for ID?
- Do we have to tell other organisations if we rectify personal information?
Under Section 24 of POPIA data subjects have the right to have inaccurate personal information rectified. An data subject may also be able to have incomplete personal information completed or deleted. This may involve providing a supplementary statement to the incomplete data.
This right has close links to the infomation quality condition of POPIA. However, although you may have already taken steps to ensure that the personal information was accurate when you obtained it, this right imposes a specific obligation to reconsider the accuracy upon request.
If you receive a request for rectification you should take reasonable steps to satisfy yourself that the information is accurate and to rectify the information if necessary. You should take into account the arguments and evidence provided by the data subject.
What steps are reasonable will depend, in particular, on the nature of the personal information and what it will be used for. The more important it is that the personal information is accurate, the greater the effort you should put into checking its accuracy and, if necessary, taking steps to rectify it. For example, you should make a greater effort to rectify inaccurate personal information if it is used to make significant decisions that will affect an data subject or others, rather than trivial ones.
You may also take into account any steps you have already taken to verify the accuracy of the information prior to the challenge by the data subject.
POPIA does not give a definition of the term accuracy. However, general practice is that personal information is inaccurate if it is incorrect or misleading as to any matter of fact. Data subjects have the right to request independent assurance that the information id correct.
Determining whether personal information is inaccurate can be more complex if the data refers to a mistake that has subsequently been resolved. It may be possible to argue that the record of the mistake is, in itself, accurate and should be kept. In such circumstances the fact that a mistake was made and the correct information should also be included in the data subjects information.
If a patient is diagnosed by a GP as suffering from a particular illness or condition, but it is later proved that this is not the case, it is likely that their medical records should record both the initial diagnosis (even though it was later proved to be incorrect) and the final findings. Whilst the medical record shows a misdiagnosis, it is an accurate record of the patient's medical treatment. As long as the medical record contains the up-to-date findings, and this is made clear in the record, it would be difficult to argue that the record is inaccurate and should be rectified.
It is also complex if the information in question records an opinion. Opinions are, by their very nature, subjective, and it can be difficult to conclude that the record of an opinion is inaccurate. The record must show clearly that the information is an opinion and, where appropriate, whose opinion it is, and that the opinion is disputed by the data subject. If the data subject so requests, you must take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
Under Section 14(6) a data subject has the right to request restriction of the processing of their personal information where they contest its accuracy and you are checking it. As a matter of good practice, you should restrict the processing of the personal information in question whilst you are verifying its accuracy, whether or not the data subject has exercised their right to restriction.
Where processing of personal information is restricted, you must inform the data subject before lifting the restriction on processing.
You should let the data subject know if you are satisfied that the personal information is accurate, and tell them that you will not be amending the data. You should explain your decision, inform them of their right to request assurance or make a complaint to the Information Regulator; and their ability to seek to enforce their rights through a judicial remedy.
You must place a note on your system indicating that the data subject challenges the accuracy of the data and their reasons for doing so.
If an exemption applies, you can refuse to comply with an objection (wholly or partly). Not all of the exemptions apply in the same way, and you should look at each exemption carefully to see how it applies to a particular request.
A data subject must make request in writing, or online, using the prescribed form (Form 2). The data subject can give the form to anyone who is part of your organisation and does not have to be to a specific person or contact point. Best practice would to have the data subject use an online form that is directed to the information officer.
It is recommend that you keep a log of the date and time requests are received and processed through to completion.
You cannot charge a fee to comply with a request for rectification.
You must comply with a request for rectification as soon as reasonably practicable, and if necessary, after receipt of:
• any information requested to confirm the requester’s identity.
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.
For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
You can extend the time to respond if the request is complex or you have received a number of requests from the data subject. You must let the data subject know within one month of receiving their request and explain why the extension is necessary.
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for. You may not keep a copy of a data subject's identity document.
You must let the data subject know without undue delay and within one month that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.
If you have disclosed the personal information to others, you must contact each recipient and inform them of the rectification or completion of the personal information - unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the data subject about these recipients.
Recipient includes a natural or legal person, public authority, agency or other body to which the personal information are disclosed.