Do individuals have the right to access their personal information?
Data-protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under Russia’s Labour Code and the Personal Data Law, employees are guaranteed the protection of personal information stored by the employer, including the right to:
- receive complete details about the processing of their personal information and the personal information held by their employer;
- free access to their personal information, including copies of records (except in cases that are specified by federal law);
- choose representatives for the protection of their personal information;
- access medical information that is relevant to their personal information with the aid of a medical specialist of their choice;
- demand the correction or exclusion of incorrect or incomplete personal information that was processed in violation of the Labour Code. In instances where the employer refuses to exclude or correct the employee’s personal information, that employee has the right to inform the employer in writing about the disagreement, as well as the reasons for the disagreement. Under the Personal Data Law (Art. 20), if a request is refused by the employer, the employee should be informed in writing of the reason for the refusal within 30 days of the receipt of the request (or date of appeal). In addition, a link to the relevant law, which is the basis for the refusal, should be included;
- demand that employers inform third parties of incorrect or incomplete information that needs to be updated or excluded; and
- appeal to the court about inactions or illegitimate actions that the employer has taken, related to the processing and protection of an employee’s personal information.
Upon request, employees (and other data subjects) have the right to receive certain information relating to the processing of their personal data, including (Federal Law No. 152 of July 27, 2006 on Personal Data, Art. 148):
- confirmation that their personal data is being processed by the employer;
- the legal grounds and purposes for processing the personal information;
- the purposes and methods used to process personal data;
- the name and location of the data controller (employer), along with information about third parties who may have access to or receive the personal data;
- personal data that has been processed about the employee (or other data subject) and the source of the personal data (except where provided by law);
- the processing time and retention period of the personal data;
- how employees (and other data subjects) can exercise their rights relating to the data;
- information on any cross-border data transfers;
- the name and address of third parties who process the personal data on behalf of the employer (if applicable); and,
- any other legally required information.
HR Best Practices: Prior to processing employee data, provide employees with details about the processing of their personal information. Ensure processes are in place to respond to employee access requests.