Do individuals have the right to access their personal information?
Data protection jurisdictions generally guarantee individuals the right to contact an organization directly and find out whether it holds personal data about them. Access procedures and permitted exceptions (such as the protection of business secrets) are set out in law and may be subject to oversight by data protection authorities. In the HR context, an access request can cover information held by the employer itself as well as data processed on its behalf by third-party providers, such as background check vendors.
While entities are required to provide individuals with access to their personal information upon request, note that the Privacy Act contains an 'employee records exemption' that may apply (Privacy Act 1988, Compilation No. 76, 2017). The acts and practices of a regulated entity that is or was an employer of an individual are exempt from the Australian Privacy Principles (APPs) if the act or practice is directly related to (a) a current or former employment relationship between the entity and the individual, and (b) an employee record held by the entity that relates to the individual.
Examples of personal employee information that would be considered employee records include data relating to: terms and conditions of employment; training, disciplining and resignation; personal and emergency contact details; performance and conduct; taxation, banking and superannuation affairs; remuneration; leave; and trade union membership.
However, the exemption covers only the employer's own handling of the record. If personal information is disclosed to and collected by a third party (for example, a background check vendor), the exemption does not apply to that third party's handling of the information, which remains subject to the APPs.
Entities are required to provide individuals with access to their personal information upon request under the Privacy Act. Entities should:
- not require individuals to submit access requests in a particular way (an entity may offer a form or online portal, but individuals cannot be required to use it to request their data);
- verify the individual's identity before releasing any information;
- provide access, or written notice of refusal, within a reasonable period (generally 30 days);
- provide access in the manner requested by the individual, where reasonable and practicable; and
- if access is refused, give written notice setting out the reasons for the refusal and the complaint mechanisms available to the individual.
Entities cannot charge individuals for making an access request, but may charge for giving access, provided the charge is not excessive (and does not exceed the cost the entity incurs in giving access).
Entities should verify the identity of the requester before releasing any information. There are no formal requirements for how a request must be made. An entity may refuse access in certain circumstances, including:
- where giving access would have an unreasonable impact on the privacy of other individuals; and
- where denying access is required or authorised by law or by a court or tribunal order.
Note that health records legislation also imposes its own limits on providing access to health information.
HR Best Practices: When processing an access request from an employee, make sure not to disclose information about other employees (for example, redact a co-worker who is named in a performance or conduct record). Processors and sub-processors should establish formal procedures and named contacts for handling employee requests.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.