(5) If no correction is made under subsection (2)(a) or (4), the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made.
(6) Nothing in this section shall require an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion.
(7) An organisation is not required to comply with this section in respect of the matters specified in the Sixth Schedule.
PART VI
CARE OF PERSONAL DATA
Accuracy of personal data
23. An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data—
- (a) is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates; or
- (b) is likely to be disclosed by the organisation to another organisation.
Protection of personal data
24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Retention of personal data
25. An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that—
- (a) the purpose for which that personal data was collected is no longer being served by retention of the personal data; and
