Correction of personal data
(1) An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation.
(2) Unless the organisation is satisfied on reasonable grounds that a correction should not be made, the organisation shall —
(a) correct the personal data as soon as practicable; and
(b) subject to subsection (3), send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.
(3) An organisation (not being a credit bureau) may, if the individual consents, send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before the date the correction was made.
(4) When an organisation is notified under subsection (2)(b) or (3) of a correction of personal data, the organisation shall correct the personal data in its possession or under its control unless the organisation is satisfied on reasonable grounds that the correction should not be made.
(5) If no correction is made under subsection (2)(a) or (4), the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made.
(6) Nothing in this section shall require an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion.
(7) An organisation is not required to comply with this section in respect of the matters specified in the Sixth Schedule.