The third article in our series on GDPR rights is about the correction right. See here for previous articles on your right to be informed, and the second on the access right.
Part 3: The right to correct data
The right to correct inaccurate personal information is an existing right. It has always been the case that if you discover an organisation has inaccurate information about you, you have the right to correct it. It also links with the organisation’s responsibility to have accurate and up to date data.
In current UK law this right is set up as being one you have to go to court for, and there are three main aspects to the right. The court can order an organisation to correct inaccurate data, to add an explanatory note where the accuracy is disputed, and notify third parties of the correction if they have disclosed your information.
In practice though you don’t need to go to court as organisations will usually always correct inaccurate data if you tell them about it, and can provide evidence of the correct data. They will also usually allow you to add an explanatory note to information to show you think it is inaccurate.
This is particularly common with credit reference agencies where they have received information directly from a lender who maintains it is accurate, but that the individual claims is inaccurate. (The right to add an explanatory note to your credit file is from the Consumer Credit Act). Organisations may be less likely to voluntarily notify any third parties they have disclosed your information to, unless the third party continuing to have inaccurate information about you would be detrimental, cause harm or pose other risks.
What’s new?
GDPR does not really change the essence of this right and the three key aspects remain. For the UK it is no longer the case that the law requires you to go to court. GDPR allows you to go directly to an organisation to get inaccurate data corrected or add an explanatory note. Organisations also have the direct obligation to notify third parties of the correction, unless this proves impossible or involves disproportionate effort. If you ask, the organisation has to tell you which third parties they have notified.
Some of the GDPR rights are connected. For example, one of the scenarios where you have the new right to have personal information restricted is where you dispute the accuracy of information held about you and the organisation is looking into it. Part 6 in this series of blogs will look at the right to have data restricted.
The UK’s draft Data Protection Bill to implement GDPR is being finalised but the current version maintains exemptions in current law that mean that an organisation may not have to comply with your request in certain circumstances.
The organisation also has to be able to verify your identity before taking action as a result of your request.
Fees and timescales
Under current UK law there are no set timescales for dealing with a correction request, but organisations usually respond without delay. There is no charge for this kind of request.
Under GDPR the organisation has 30 days to respond and cannot charge a fee. However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months if the request is complex. If they need to extend the response time, they should tell you within the first month.
If an organisation decides it can’t comply with your request, they should explain why, without undue delay and at the latest within one month. They should also tell you about your right to complain to the regulator (ICO).
So what does all this mean?
Not a lot has changed with this right. The main change is that you have the right to make correction requests directly to the organisation and to add a supplementary statement.
What is Yoti doing?
All the information you add to your Yoti comes from you or your ID document. If your information changes and you need to update it, currently you will need to delete your account and create a new one to add the up to date information or document. We know that this is not a great solution and we are working hard to improve things. We have several developments underway that we hope will all be in the app by the end of the summer. These developments will let you manually add an address, and change your address and email. In the autumn we hope to have in place the ability for you to replace an outdated ID document.
You can make a correction request to privacy@yoti.com