PDPA Series: Access & Correction Obligation


Individuals have the right to have access to their own personal data and to make any corrections, if the data is inaccurate, incomplete, misleading or not up-to-date.

  • The organisation upon request, must provide the personal data of the individual used or disclosed within a year (before the date of request).
  • The response must be made within 30 days of the request; or to provide an estimate of when the access or correction can be made.

In addition, the organisation will be required to correct any error or omission in the individual’s personal data upon the request. The corrected data will have to be sent to the other organisation (which the personal data was disclosed).


  • Opinions need not require alteration, including professional and expert opinions.
  • If the request is for information that does not exist or cannot be found, access cannot be granted (because there is nothing to access).

Just an extra word of caution, should you receive a request for access & correction, before you provide the data, a proper verification of the requestor must be made. Although access & correction needs to be granted, but we must always be careful to provide the data to the verified individual that owns his/her personal data.

Also, consider defining a formal procedure on how to handle requests for access & correction. The best practice is to ask the individual to submit a request personally via email or online submission. The date of the request must be logged down so you will not miss the deadline of 30 days.