Do individuals have the right to access their personal information?
Data-protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
The Implementing Rules and Regulations of the Data Privacy Act of 2012 outline how data subjects can access personal data that is being collected and processed (Rule VIII. Rights of Data Subjects, Sec. 34).
Employees should be informed in advance (or at the next reasonable opportunity) when personal data is collected. Notice should include:
- a description of the personal data that is being collected;
- the purpose(s) for which the data is being processed;
- the allowable basis of processing (if not based on consent);
- how the data will be processed (scope and method);
- the possible data recipients (or classes of recipients);
- methods used for automated access, whether the same is allowed by the employee, and the extent to which this access is authorized, including (a) information about the logic involved in the processing; (b) the significance of the processing; and (c) potential consequences to the employee;
- the contact information of the Personal Information Controller (i.e. the employer) or representatives;
- how long the data will be stored; and,
- their rights as data subjects (rights to access, correction, objection and right to lodge a complaint with the National Privacy Commission).
Data subjects should also be notified and given an opportunity to withhold consent in cases where there are changes or amendments to the information supplied or declared to the employee.
While data subjects have the right to object to their personal information being collected, this right is limited in the context of employment. An individual’s personal data can continue to be processed for “obvious purposes,” such as when it’s necessary “in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship.”
Individuals also have the right to dispute the accuracy of their data and have it corrected unless the request is unreasonable. They can also request that data be deleted in certain circumstances, such as when:
- the data is incorrect, outdated, illegally obtained or illegally processed;
- the data is being used for a purpose not authorized by the employee;
- personal information is no longer necessary for the original purpose(s) for which the information was collected; and,
- the individual withdraws consent and there is no other legal ground or overriding interest by the employer.
Generally, data subjects in the Philippines have the right to reasonably request and access:
- the content of their processed personal information;
- how their personal information was obtained;
- the names and addresses of the data recipients;
- information relating to how the data was processed;
- the reasons the data was shared with data recipients (if applicable);
- information relating to automated processes that are or will likely be used to make decisions that may significantly impact the data subject;
- the date the individual’s personal data was last accessed/modified; and,
- information relating to the personal information controller (designation, name or identity and address).
HR Best Practices: Employers should establish official procedures and contacts for employee requests. When processing an access request from an employee, make sure not to disclose information connected to other employees.