Do individuals have the right to access their personal information?
Jurisdictions with data protection laws tend to guarantee individuals the right to contact an organization directly and find out whether their personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under Hong Kong’s Personal Data (Privacy) Ordinance (Cap. 486), data subjects have the right to access and correct their personal data, with few exceptions. Employees, former employees and job applicants can ask whether the employer holds their personal data and can request a copy of the personal data that the employer maintains on them. Employers must respond to data and correction requests in writing within 40 days.
Prior to collecting personal data, HR teams should explicitly provide information relating to an individual’s right to access and correct their personal data, and provide the contact details (name or title, and address, etc.) of the individual to whom they can submit requests (see Consent article for additional requirements). This should be provided through a Personal Information Collection Statement.
If a data request cannot be completed in 40 days, employers must notify the individual in writing and explain why the request could not be complied with before the deadline. In addition, the employer should provide whatever information they are able to provide within the 40-day period and follow up with the remainder of the requested information as soon as practical.
Once the data is updated, the individual should be sent a copy of the corrected data. Corrections should also be given to third parties if the data has been provided to them in the previous 12 months and the third party is likely still processing the personal information.
When can employers refuse or temporarily deny requests?
Employers can refuse to comply with an access or correction request in cases including where:
- they can’t verify the identity of the individual;
- the data cannot be disclosed without revealing personal information about another individual (unless that other individual has given consent to the employer to share this information);
- compliance is prohibited by law; or
- it’s unreasonable to comply with the request.
In cases where a job applicant is requesting data, employers can temporarily refuse to comply where:
- the employer has received the request prior to making a hiring decision about the role, and the applicant will have a right to appeal later against the hiring decision; or,
- an employer receives a personal reference from a third-party individual (unless the person who provided the reference gives consent) and the applicant has not yet received written notice as to whether they have been accepted/rejected from a job (for references received after Dec. 20, 1996).
Requests can also be temporarily denied in cases where there is an ongoing employment-related evaluative process where an employee has a right to appeal once a final decision is made (for example, ongoing disciplinary proceedings).
HR Best Practices: Employers should provide employees and applicants with Personal Information Collection Statements prior to collecting any personal data. When processing an access or correction request from an employee:
- reply within 40 days of receipt of the request;
- specify the fees (if any) that the employee will be charged for providing a copy of the personal data; and,
- redact information connected to other employees and third parties (unless consent is obtained).
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.