Do individuals have the right to access their personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Argentina’s Protection of Personal Data Law No. 25326 gives all individuals the right to request information on the existence of personal databases and the identity of the individuals responsible for those databases. In addition, employees (and other personal data owners) have the right, after providing proof of their identity, to request and obtain the information that is included in a database. In the event that an employee, or other individual, requests access to their personal data, the employer must provide the information within 10 calendar days. In the event of the employee’s death, their successors can request the information.
Information must be provided in a clear manner (free of coding) and, if appropriate, with an explanation, that can be easily understood by the average person. The information must include everything belonging to that individual in the database, even if it wasn’t requested by the individual. If the employee (or other individual) requests it, the information can be provided in writing, electronically, via phone, via image or other appropriate means.
Employees (and other data owners) have the right to have their information corrected, updated and where appropriate, deleted or subject to confidentiality. The employer must make any necessary corrections, updates or deletions within 5 business days after receiving a claim from the individual. While the request is being researched, the file must either be blocked or marked as under review. If the data has been transferred, the employer must notify the third-party of any correction or deletion within 5 business days after the data has been updated or deleted.
Deletion requests can be denied when it could damage the rights or legitimate interests of the employer (or other third parties) or, where there is a legal obligation to retain the data.
HR Best Practices: When processing an access request from an employee, make sure not to disclose information connected to other employees. Employers should establish official procedures and contacts for employee requests.