Do individuals have the right to access their personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Individuals generally have the right to access and correct their personal information. To access a file, the person must make a written request to the organization holding the information. The request requirements vary slightly between the provinces, but the request must generally be sufficient to demonstrate the individual’s entitlement to access the file and must provide enough information for the organization to identify the relevant record.
There are some exceptions to accessing personal information, and these vary between the provinces. Examples include: information that would likely reveal personal information about a third party (unless the third party consents); information that reveals confidential commercial information and/or information subject to a legal privilege; and information that can reasonably be expected to threaten the safety of an individual. These exceptions have been narrowly interpreted by privacy commissioners.
Quebec’s “Act to Modernize Legislative Provisions Respecting the Protection of Personal Information” (Law 25) includes the right to access and rectify personal information. It also includes, effective September 2023, the right to request that links to personal information be de-indexed (or re-indexed) if: 1) failing to do so would cause an employee serious injury in relation to their right to have their reputation or privacy respected; 2) the injury is clearly greater than the public’s interest in knowing the information or than any person’s right to freely express themselves; and 3) the de-indexation (or re-indexation) requested does not exceed what is necessary for preventing the perpetuation of the injury.
In addition, effective September 2023, Quebec’s Law 25 will give employees a mobility right (i.e., the right to request that computerized personal information that has been collected from them be communicated to them in a commonly used technological format as well as to any person or body authorized by law to collect this information). This right does not extend to information created or inferred from personal information, and companies are not under any obligation to communicate this information if doing so raises serious practical difficulties.
HR Best Practices: When processing an access request from an employee, make sure not to disclose information connected to other employees. Processors and sub-processors should establish official procedures and contacts for employee requests.