Do individuals have the right to access their personal information?
Jurisdictions with data protection laws generally guarantee individuals the right to contact an organization directly and find out whether it holds or processes personal data about them. Access procedures and the permitted exceptions (such as trade secrets) are set out in law and may be subject to oversight by data protection authorities. In an HR context, an access request can cover information held by the company itself as well as data held on its behalf by third-party providers, such as background check vendors.
Organizations are required to give employees and other individuals access to their personal information on request. Employees have this right under the Privacy Act and employment laws. Organizations should:
- not require an individual to submit an access request in a particular way (an organization may offer a form or online portal, but cannot require individuals to use it);
- verify the individual's identity before releasing any information (an access request granted to an impersonator is itself a data breach, so the check should be proportionate to the sensitivity of the data rather than a formality);
- provide access, or a written refusal, within a reasonable period (generally 30 days);
- provide access in the manner requested, if that is reasonable and practicable; and
- in the event of a refusal, give written notice explaining the reasons for the refusal and informing the individual of the complaint mechanisms available to them.
Organizations cannot charge individuals for making an access request. They may charge for providing access, as long as the charge is not excessive and does not exceed the cost the organization incurs in giving access.
There are no formal requirements for how a request is made, but the organization should verify the requester's identity before providing any information. Access can be refused in certain circumstances, including:
- where giving access would have an unreasonable impact on the privacy of other individuals; or
- where refusing access is required or authorized by law or by a court order.
Health records legislation may also impose its own limits on access.
HR Best Practices: When handling an access request from an employee, ensure that no information relating to other employees is disclosed in the response; records such as investigation files, performance reviews and email threads commonly mix several people's data and need to be redacted before release. Processors and sub-processors should establish documented procedures and named points of contact for employee access requests, so that a request made to a vendor reaches the employer and is answered within the required period.