Information and Data Protection Office

Make a complaint or report
Information and Data Protection Office > Information > Handling individual data rights

Handling individual data rights

This page explains how controllers must handle requests to correct, delete, restrict or object to the use of personal data under the Freedom of Information and Data Protection Act 2026.

Correction and deletion

  • You must correct personal data if it is inaccurate
  • You must delete personal data if it is held unlawfully or if there is no legal reason to keep it
  • You may refuse to delete data only where retention is required by law

Objections to processing

An individual may object to the use of their personal data on reasonable grounds.

When an objection is received, you must restrict processing while the matter is reviewed.

Restricting processing

Restriction means that personal data may still be held but must not be used until the issue is resolved.

You must follow any binding direction issued by the Information and Data Protection Office.

Accountability

You must keep records of all requests and how they were handled.

You must be able to show compliance with the Freedom of Information and Data Protection Act 2026.