Do individuals have the right to access their personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Employee Notification Requirements
Under the Nigeria Data Protection Regulation, employees and other data subjects have specific rights relating to accessing their data. Before collecting personal employee data, employers should inform data subjects of:
- the employer’s identity and contact information;
- the Data Protection Officer’s contact information;
- the purpose(s) of processing the employee’s personal data as well as the legal basis for processing the information;
- what the employer or third-party’s legitimate interest(s) are in the personal information;
- if applicable, the recipients or categories of recipients of the personal information;
- when data is being transferred internationally, the fact that data will be transferred to another country (or international organization) and whether that country is deemed to have adequate protections by the Nigerian Agency (the data protection authority);
- how long the data will be stored or how that period will be determined;
- the right to request access, rectification, restriction and erasure of personal data; along with the right to data portability;
- the right to withdraw consent to have their personal data processed at any time on a go-forward basis;
- the right to lodge a complaint with the authorities;
- when the personal data collection is due to a statutory or contractual requirement; or, necessary to enter into a contract; and, whether providing the personal information is optional as well as the consequences of not providing that personal data; and,
- when applicable, the existence of automated decision-making (such as job applicant filtering tools) along with information about the logic involved in the automated decision-making process, and the significance/potential consequences to the data subject.
When employee personal data may be processed for a different purpose than it was originally intended; employers should inform employees of the new purpose in advance (and provide any other relevant information).
Employers are responsible for acting on and responding to requests from employees, job applicants and other data subjects, relating to their personal data. Before responding to requests, controllers should confirm the identity of the individual making the request.
Employees have the right to request that their personal information is deleted and employers should delete the information in cases where:
- the original purpose of the data collection/processing has been fulfilled and is no longer necessary;
- the employee withdraws their consent to the processing (if consent was used as the basis to process the personal data);
- the employee objects to the processing and there is no overriding legitimate grounds to process the personal data;
- the data has been unlawfully processed; or,
- the data must be deleted to comply with a Nigerian legal obligation.
Employees have the right to request that the processing of their personal data is restricted when:
- the accuracy of the data is questioned (until the accuracy has been verified by the employer);
- the processing is unlawful and the employee has objected to the deletion of the unlawfully processed personal data;
- the employer no longer requires the data to be processed, but it’s required by the employee to establish/exercise/defend legal claims; or,
- the employee objected to the personal data being processed and the employer is investigating whether the employer’s grounds for processing overrides the employee’s.
HR Best Practices: Employees (and other data subjects) have the right to have inaccurate personal data corrected and completed (The Regulation, 3.1 (8)). In cases where a request is denied or not completed, the employee must be informed of the reason for the delay/denial within one month. Generally, requests must be responded to free of charge, except when unfounded or excessive (such as repetitive requests).