Do individuals have the right to access their own personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Data subjects have the right to request and obtain confirmation as to whether their personal data is being processed. Where that is the case, individuals must be able to access their personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to: request rectification or erasure of personal data; request restriction of processing data concerning the data subject; or, to object to such processing;
- the right to lodge a complaint with a supervisory authority.
Every person may directly request that the data be corrected, completed, clarified, or erased. Requests can be sent directly to the data controller or to any other actor in the chain of processing. Processors and sub-processors are obligated to inform the data controller of requests and can only proceed with the request under data controller’s instructions. Therefore, the processor shall, whenever possible, assist the data controller with data subjects’ requests.
As a general rule, the access request shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, a reasonable fee may be charged taking into account the administrative costs of providing the information or taking the action requested.
Requests must be answered within one month of receipt of the request. Any delay should be justified and shall accompany the request response. The format of the response should be based on the means used to make the request, unless otherwise requested by the data subject. In other words, if a request is emailed, the response should be via email unless the individual requests a mailed letter.
Note that under the Irish Data Protection Act employers are not allowed to require job applicants, current employees or independent contractors to make an access request or provide personal data that was obtained through an access request.
Where the controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject. However, a reasonable proof of identity is always recommended.
Every person may contact its data protection authority within the European Economic Area (particularly if the right of access has been denied).
HR Best Practices: When processing an access request from an employee, make sure not to disclose information connected to other employees. Processors and sub-processors should establish official procedures and contacts for employee requests.