Do individuals have the right to access their personal information?
Jurisdictions with data protection laws tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Employees and job applicants are generally allowed access to their personal data under the Personal Data Protection Act 2012. In addition, employers must generally notify employees prior to data collection, use, or disclosure (except for evaluative purposes).
Upon request, employers should provide individuals with the personal data about the individual that is under the control of the employer. In addition, employers should provide information as to how the personal data has been or may have been used or disclosed in the year prior to the request. Some data is exempt from this requirement, such as:
- data that would reveal personal data about another individual;
- data that would threaten the safety or the physical or mental health of an individual;
- opinion data kept solely for an evaluative purpose (such as job candidate reviews);
- data subject to legal privilege;
- personal data that, in the opinion of a reasonable person, could harm the competitive position of the organization;
- requests that: would unreasonably interfere with the operations of the organization due to the systemic nature of the requests; would be unreasonable or disproportionate to the individual’s interests; cannot be fulfilled because the data doesn’t exist or can’t be found; or are frivolous or vexatious.
If it will take more than 30 days to respond to an access request, inform the employee within 30 days as to when you can respond.
Employers should correct personal data upon an individual’s request unless there are reasonable grounds for not making the correction. If a correction is made and the individual consents, the employer should send the updated data to every other organization to which the personal data was disclosed in the year before the date the correction was made (unless the other organization does not need the corrected data for any legal or business purpose).
Employers do not need to correct personal data where:
- the personal data was only kept for an evaluative purpose;
- the data relates to a legal claim that hasn’t been completed.
When consent was the basis for the personal data collection, employees and applicants can withdraw their consent at a later date. After receiving a withdrawal request, employers are required to inform the individual of the consequences of the withdrawal. If a request will take more than 10 days to process, inform the individual when they can expect their data to be deleted.
HR Best Practices: Employers should establish official procedures and contacts for employee access and correction requests. When processing an access request from an employee, make sure not to disclose information connected to other employees.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.