Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Data subjects in Malaysia have the right to request access to their personal data and have it corrected when it’s inaccurate, incomplete, misleading or outdated. Employees must be informed of their right to request both access and correction to their personal data.
Employers are required to respond to access and correction requests within 21 days of receipt of the request. Employers may take a one-time extension of 14 days to respond provided that the employer (a) notifies the employee before the expiration of the 21-day period; (b) informs the employee of the reason for the extension, and (c) complies with the request to the extent possible before expiration of the 21-day period.
Once an employee's (or other data subject’s) request for correction is completed, the employer must provide a copy of the corrected data to the employee and, in cases where the information was disclosed to a 3rd party, provide that 3rd party with the corrected information (this is only necessary if the data was provided to the 3rd party within the last 12 months and the 3rd party is likely still processing the personal data).
In cases where an employee’s data access or correction request is refused, the employer must notify the employee within 21 days. The employee must also be notified if there is a delay in complying with a request.
Employers can refuse access requests if:
Employers (and other data users) are not subject to employee access requests when the personal information is being processed for: the assessment/collection of taxes, duties or other similar impositions; the prevention/detection of a crime; or, the apprehension/prosecution of offenders.
Employers can refuse correction requests if:
HR Best Practices: When processing an access request from an employee, make sure not to disclose information connected to other employees. Employers should establish official procedures and contacts for employee requests.