Do individuals have the right to access their personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Data subjects have the right to request the disclosure of their personal information under the Amended Act on the Protection of Personal Information (2016). Upon request from the principal (i.e. the employee), employers are expected to disclose the personal data that is held by the company without delay except when the data falls into one of the following exceptions:
- when there is a possibility of harming an individual’s life, body, fortune or other interests/rights;
- when disclosure violates other laws or regulations; or,
- when informing the data subject would harm the rights or legitimate interest of the business operator (the employer).
In the event that an employee’s data access request is denied, the employer is responsible for informing the individual without delay.
Individuals have the right to request corrections, additions and deletions to fix their inaccurate personal data. “Personal information handling business operators” must make these corrections without delay, unless there is a legal limitation. Once the data has been corrected, the individual must be informed and provided with the contents of the update. Alternatively, if a decision is made to not make the correction, the employee must be informed of that decision.
When individuals identify that their data is being mishandled in violation of the privacy provisions, they can request that the employer stops processing or deletes their information (they can also request that their data is no longer provided to a third party). This right is being expanded by the 2020 Revisions to the Amended Act on the Protection of Personal Information, expected to go into effect in spring 2022. Under the 2020 Revisions, the scope of when requests are allowed is being broadened (For example, a request can be made when a data controller no longer needs the individual’s personal data).
Companies should make the updates requested unless it’s a large expense or it’s difficult to comply with the request and alternative actions have been taken to protect the individual. Individuals should be informed of any actions taken or if no action will be taken.
HR Best Practices: Employers should establish official procedures and contacts to handle employee requests, including corrections and deletions (where possible). When processing an access request from an employee, make sure not to disclose information connected to other employees.