Data-protective jurisdictions tend to guarantee individuals the right to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can cover information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Companies are required to provide employees and other individuals with access to their personal information upon request. Employees are given this right under the Privacy Act and employment laws. Entities should:
Organizations cannot charge individuals for submitting personal information requests, but they can charge for providing access, as long as the charge is not excessive (and does not exceed the cost incurred by the individual giving access).
Businesses should verify the identity of the individual before providing any information. There are no formal requirements for how a request is made. Companies can refuse access in certain circumstances, including:
Note that health records legislation also places limitations on providing access.
HR Best Practices: When processing an access request from an employee, make sure not to disclose information connected to other employees. Processors and sub-processors should establish official procedures and contacts for employee requests.