Do individuals have the right to access their personal information?
Data-protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether their personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
General Data Protection Law
Employers are expected to provide individuals with clear information about how their data will be processed under the Brazilian General Data Protection Law (LGPD). This information should ideally be provided in a separate or highlighted notice of data processing. These details should be clearly presented, readily available, and include:
- the reason the data is being processed;
- the type and duration of the processing (with consideration given to commercial/industry secrets);
- the identity of the data controller (i.e., the employer);
- the controller’s contact information;
- information relating to how personal data may be shared (including international transfers) and the reason it may be shared;
- the responsibilities of the individuals who will process the data;
- the name and contact information of the Data Protection Officer; and,
- the employee’s rights as they relate to their data.
Data subjects have a number of rights relating to their personal data under the LGPD, including the right to:
- request confirmation of the processing of personal data;
- request access to their personal data;
- request that personal data be corrected and/or updated;
- request the anonymization, blocking or elimination of personal data that is unnecessary, excessive or processed in violation of the law;
- request the transfer of personal data to another service provider;
- request the deletion of personal data that was previously processed with their consent;
- request the identification of public and private entities to which the employer (or other company) disclosed personal data, or when a shared database containing their personal data was used; and,
- object to the processing of personal data.
That said, there are currently no regulations on how these rights can be exercised. The data protection authority is expected to issue more detailed requirements and insights in the future.
HR Best Practices: Create a clearly defined process to give employees the ability to review and correct their personal data. When information can’t be shared or deleted due to legal requirements, employees should be informed of this in advance of the collection. In the future, the data protection authority is expected to issue regulations and model clauses, including insight on how individuals can exercise their access rights.