Data-protective jurisdictions tend to guarantee individuals the right to contact an organization directly and find out whether their personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Employees and job applicants are generally allowed access to their personal data under the Personal Data Protection Act 2012 (PDPA, Sec. 21). In addition, employers must generally notify employees prior to data collection, use, or disclosure (except for evaluative purposes).
Upon request, employers should provide individuals with the personal data about them that is under the control of the employer. In addition, employers should provide information as to how the personal data has been or may have been used or disclosed in the year prior to the request. Some data is exempt from this requirement, such as:
Organizations can charge a reasonable fee to process access requests in order to cover the incremental costs associated with responding to a request.
Access should be provided to employees as soon as reasonably possible. If it will take more than 30 days to respond to an access request, inform the employee within 30 days as to when the response will be provided (employers should provide access at the soonest possible time).
Employers should correct personal data upon an individual’s request unless there are reasonable grounds that the correction should not be made. If a correction is made, the employer should send the updated data to every other organization to which the personal data was disclosed in the last year before the date the correction was made.
Employers do not need to correct personal data where:
Note that organizations cannot charge a fee to process a correction request.
If it will take more than 30 days to respond to a correction request, inform the employee in writing within 30 days as to when the correction can be made (information should be corrected at the earliest feasible time).
The Ministry of Communications and the Personal Data Protection Commission (PDPC) have passed amendments to the existing Personal Data Protection Act 2012. These amendments will take effect in phases, starting in February 2021. The enhanced PDPA includes additional access requirements, including that:
If the amendments are passed, these requirements may impact employers in the future.
HR Best Practices: Employers should establish official procedures and contacts for employee access and correction requests. When processing an access request from an employee, make sure not to disclose information connected to other employees.