What is the right to rectification?
Under Article 16 of the UK GDPR, individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed- this will depend on the purposes for the processing. This right has close links to the Accuracy Principle of the UK GDPR (Article 5,1,D). Although you may have already taken steps to ensure that the personal data was accurate when it was obtained, this right imposes a specific obligation to reconsider accuracy upon request.
How to recognise a request
The UK GDPR does not specify how to make a valid request. Therefore: an individual can make a request for rectification verbally or in writing. This can be made to any part of the organisation and does not have to be a specific person or contact point.
A request to rectify personal data does not need to mention the phase `request for rectification` or Article 16 of the UK GDPR to be a valid request. As long as the individual has challenged the accuracy of their data and has asked you to correct it or has asked for you to complete the data held about them that is incomplete, this will be a valid request under Article 16.
We have a legal responsibility to identify that an individual has made a request and handle it accordingly.
When is data inaccurate?
UK GDPR does not give a definition of the term accuracy. However, the data protection act 2018 states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact.
When a patient makes a request for rectification, we will ask them to
- State clearly what they believe is inaccurate or incomplete.
- Where available, provide evidence of the inaccuracies.
When we are asked to correct/amend data, we will take reasonable steps to investigate whether the data is accurate and will be able to demonstrate we have done so. To do this we will consider the individuals reasons and any evidence they provide.
We will then contact the individual and either:
- Confirm it has been corrected, deleted, or amended, or
- inform the individual we cannot change the data and explain why we believe the data is accurate.
If a patient provides the incorrect information?
If an individual makes a request to remove consultation information where they have purposely misled a clinician, this will be rejected. A discussion may be had with the surgery regarding the addition of a note to explain the incorrect information being added to the original consultation if this is deemed appropriate.
For example, CKMP receive a request under Right to Rectification. It becomes apparent the patient gave false information to the clinician at the time of the consultation in order to take paid time off of work. Some substantial time later he asked for this information to be removed from his record. This is not something that can be removed under right to rectification as it was an accurate picture of the patient’s presenting condition. A note could be added, explaining that the patient had misled the clinician and suggesting that the consultation notes be viewed as inaccurate as a result.
You should let the individual know if you are satisfied that the personal data is accurate, and tell them that you will not be amending the data. You should explain your decision, and inform them of their right to make a complaint to the ICO or another supervisory authority; and their ability to seek to enforce their rights through a judicial remedy.
It is also good practice to place a note on your system indicating that the individual challenges the accuracy of the data and their reasons for doing so.
How long do we have to comply?
You must comply with a request for rectification without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receipt of:
- any information requested to confirm the requester’s identity
You should calculate the time limit from the day you receive the request (whether it is a working day or not) until the corresponding calendar date in the next month.
Example
An organisation receives a request on 3 September. The time limit will start from the same day. This gives the organisation until 3 October to comply with the request. If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond. This means that the exact number of days you must comply with a request varies, depending on the month in which the request was made.
Example
An organisation receives a request on 31 March. The time limit starts from the same day. As there is no equivalent date in April, the organisation has until 30 April to comply with the request. If 30 April falls on a weekend, or is a public holiday, the organisation has until the end of the next working day to comply.
Can we extend the time for a response?
You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
Do we need to inform other organisations if we rectify personal data?
If you have disclosed the personal data to others, you must contact each recipient and inform them of the rectification or completion of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.
The UK GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Additional Information
Additional guidance can be found by clicking the links below:
Amending patient and service user records – NHS Transformation Directorate (england.nhs.uk)
Appendix 1
Receiving a request to rectify personal data – OOH
Appendix 2
- REQUEST FOR RECTIFICATION OF A HEALTH RECORD
| Date of Request | Patient Name | |||||||||||
| Date of Birth | NHS Number | |||||||||||
| Are you the Patient? | Yes/No | Contact Number | ||||||||||
| If no, please indicate your name and relationship to the patient | ||||||||||||
| Please note, we must have written and signed consent from the patient giving permission for you to make this request on their behalf. (if this form is for you, you do not need to provide further consent) | ||||||||||||
| Date of Error | Area of concern (please indicate) | |||||||||||
| Diagnosis | Consultation | Medication | ||||||||||
| Personal Details | Other (please specify) | |||||||||||
| Please explain your reason for this request:
|
||||||||||||
| Date of Error | Area of concern (please indicate) | |||||||||||
| Diagnosis | Consultation | Medication | ||||||||||
| Personal Details | Other (please specify) | |||||||||||
| Please explain your reason for this request:
|
||||||||||||
| Date of Error | Area of concern (please indicate) | |||||||||||
| Diagnosis | Consultation | Medication | ||||||||||
| Personal Details | Other (please specify) | |||||||||||
| Please explain your reason for this request:
|
||||||||||||
| Date of Error | Area of concern (please indicate) | |||||||||||
| Diagnosis | Consultation | Medication | ||||||||||
| Personal Details | Other (please specify) | |||||||||||
| Please explain your reason for this request:
|
||||||||||||
| Signature | Print Name | |||||||||||
Appendix 3
How to Rectify Personal data – OOH
Change Register
| Date | Version | Name | changes |
| 17/08/23 | 1.0 | TC | SOP created |