Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486), data subjects have the right to access and correct their personal data, with few exceptions. Employees, former employees and job applicants can ask whether the employer holds their personal data and can request a copy of the personal data that the employer maintains on them. Employers must respond to data and correction requests in writing within 40 days after receiving a data access request and specify any fees that the employee would be charged.
Prior to collecting personal data, HR teams should explicitly provide information relating to an individual’s right to access and correct their personal data, and provide the contact details (name or title, and address, etc.) of the individual to whom they can submit requests (see Consent article for additional requirements). This should be provided through a Personal Information Collection Statement.
If a data request cannot be completed in 40 days, employers must notify the individual in writing and explain why the request could not be complied with before the deadline. In addition, the employer should provide whatever information they are able to provide within the 40-day period and follow up with the remainder of the requested information as soon as practical.
Once the data is updated, the individual should be sent a copy of the corrected data. Corrections should also be given to third parties if the data has been provided in the previous 12 months and the third party is likely still processing the personal information.
Employers can refuse to comply with an access or correction request in cases including where:
When a request is denied, the employer must inform the individual of the refusal in writing within 40 days of receipt, provide the reasons for the refusal, and the name and address of any additional relevant data controllers (if applicable).
In cases where a job applicant is requesting data, employers can temporarily refuse to comply where:
Requests can also be temporarily denied in cases where there is an ongoing employment-related evaluative process where an employee has a right to appeal once a final decision is made (for example, ongoing disciplinary proceedings).
HR Best Practices: Employers should provide employees and applicants with Personal Information Collection Statements prior to collecting any personal data. When processing an access or correction request from an employee: