Do individuals have the right to access their personal information?
Jurisdictions with data protection laws tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486), data subjects have the right to access and correct their personal data, with few exceptions. Employees, former employees and job applicants can ask whether the employer holds their personal data and can request a copy of the personal data that the employer maintains on them. Employers must respond to data and correction requests in writing within 40 days after receiving a data access request, and specify any fees that the employee would be charged.
Prior to collecting personal data, HR teams should explicitly provide information relating to an individual’s right to access and correct their personal data, and provide the contact details (name or title, and address, etc.) of the individual to whom they can submit requests (see Consent article for additional requirements). This should be provided through a Personal Information Collection Statement.
If a data request cannot be completed in 40 days, employers must notify the individual in writing and explain why the request could not be complied with before the deadline. In addition, the employer should provide whatever information they are able to provide within the 40-day period and follow up with the remainder of the requested information as soon as practical.
Once the data is updated, the individual should be sent a copy of the corrected data. Corrections should also be given to third parties if the data has been provided in the previous 12 months and the third party is likely still processing the personal information.
When can employers refuse or temporarily deny requests?
Employers can refuse to comply with an access or correction request in cases including where:
- they can’t verify the identity of the individual;
- the data is unable to be disclosed without providing personal information on another individual (unless that other individual has given consent to the employer to share this information, or it’s possible to anonymize the identities of other individuals);
- compliance is prohibited by law;
- the request isn’t written in Chinese or English;
- the information that’s (within reason) necessary to locate the personal data requested is not provided by the individual making the request;
- there have been two or more similar requests from the individual, and it’s unreasonable given the circumstances to comply with the request;
- the employer isn’t satisfied that the personal data to which the request relates is inaccurate;
- the employer isn’t satisfied that the requested correction is accurate;
- information held by the requestor is not accurate or has not been provided by the requestor, and the information is necessary (within reason) to ascertain whether the personal data is inaccurate; or where
- another data controller controls the processing of the personal data and this prohibits the employer from complying with the request.
When a request is denied, the employer must inform the individual of the refusal in writing within 40 days of receipt, and provide the reasons for the refusal and the name and address of any additional relevant data controllers (if applicable).
In cases where a job applicant is requesting data, employers can temporarily refuse to comply where:
- the employer has received the request prior to making a hiring decision about the role, and the applicant will have a right to appeal later against the hiring decision; or
- an employer receives a personal reference from a third-party individual (unless the person who provided the reference gives consent) and the applicant has not yet received written notice as to whether they have been accepted/rejected from a job (for references received after Dec. 20, 1996).
Requests can also be temporarily denied in cases where there is an ongoing employment-related evaluative process where an employee has a right to appeal once a final decision is made (for example, ongoing disciplinary proceedings).
HR Best Practices: Employers should provide employees and applicants with Personal Information Collection Statements prior to collecting any personal data. When processing an access or correction request from an employee:
- reply within 40 days of receipt of the request;
- specify the fees (if any) that the employee will be charged for providing a copy of the personal data; and
- redact information connected to other employees and third parties (unless consent is obtained).