Employee Data Privacy

Do individuals have the right to access their personal information? 

Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.

Data subjects in Malaysia have the right to request access to their personal data and have it corrected when it’s inaccurate, incomplete, misleading or outdated. Employees must be informed of their right to request both access and correction to their personal data.

Employers are required to respond to access and correction requests within 21 days of receipt of the request. Employers may take a one-time extension of 14 days to respond provided that the employer (a) notifies the employee before the expiration of the 21-day period; (b) informs the employee of the reason for the extension, and (c) complies with the request to the extent possible before expiration of the 21-day period.

Once an employee's (or other data subject’s) request for correction is completed, the employer must provide a copy of the corrected data to the employee and, in cases where the information was disclosed to a 3rd party, provide that 3rd party with the corrected information (this is only necessary if the data was provided to the 3rd party within the last 12 months and the 3rd party is likely still processing the personal data).

In cases where an employee’s data access or correction request is refused, the employer must notify the employee within 21 days. The employee must also be notified if there is a delay in complying with a request.

Employee Access Requests

Employers can refuse access requests if:

• the identity of the individual making the request cannot be verified;
• the employer isn’t given enough information to identify the information that is requested;
• the burden/expense of providing access outweighs the risks to the employee’s privacy;
• the employer can’t comply with the request without revealing others’ personal data (unless the other individuals consent or it’s reasonable to comply without consent of the other individuals);
• another data user controls the data;
• it would violate a court order;
• it would disclose confidential commercial information; or,
• the data is regulated by another law.

Employers (and other data users) are not subject to employee access requests when the personal information is being processed for: the assessment/collection of taxes, duties or other similar impositions; the prevention/detection of a crime; or, the apprehension/prosecution of offenders.

Employee Correction Requests

Employers can deny an employee’s personal data correction request when not satisfied that the data is incorrect. In addition, employers can refuse correction requests if:

• the identity of the individual making the request cannot be verified;
• the employer isn’t given enough information to ascertain how the relevant personal data needs to be corrected;
• the employer is not satisfied that the personal data is inaccurate, incomplete, misleading or outdated;
• the employer is not satisfied that the requested correction is accurate, complete, not misleading, or up-to-date;
• another data user controls the data.