Do individuals have the right to access their personal information?
Data-protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under South Africa’s Basic Conditions of Employment Act (1997, Sec. 78) ("BCEA"), employees have the right to inspect certain records about their employment (kept under the BCEA), including:
- records containing an employee’s: name, occupation, time worked, remuneration paid, date of birth if under 18, and any other prescribed information (BCEA, Sec. 31);
- the particulars of employment provided to an employee when they start employment and when any information changes (BCEA, Sec. 29).
The Protection of Personal Information Act (POPI, 2013, Ch. 2, Sec. 5) additionally gives individuals the right:
- to be informed that their personal information is being processed;
- to request that their personal data be corrected, deleted or destroyed;
- to object to their personal information being processed;
- to submit complaints to the Regulator and initiate civil proceedings relating to the alleged interference with their personal information.
Employers must take reasonable steps to notify employees when collecting their personal information (POPI, Sec. 18 (1)). Employees should be informed in advance of:
- the information that will be collected about them and the source of the data, if it’s not provided directly by the individual;
- the name and address of the employer (i.e. the party responsible for the data collection);
- the reason the data is being collected;
- whether the data collection is voluntary or mandatory;
- the consequences of not providing the requested information;
- any law that requires or authorizes the data collection;
- the transfer of data to other countries or international organizations, and the level of protection the data will receive by the other country or international organization (if applicable);
- the recipient(s) and the nature/category of the data;
- rights relating to their personal data including the right to: access personal data that has been collected, correct inaccuracies, object to processing, and lodge complaints with the Regulator.
When an employer receives an access, correction or deletion request from an employee, the employer must respond within a reasonable timeframe in a reasonable manner and format. When an access request is received, the individual must be informed of their right to request the correction of any inaccurate data. If a fee will be charged, the individual must be informed in advance.
Requests must be responded to and completed within a reasonable timeframe. Employers can refuse requests in certain cases, such as when it would involve the unreasonable disclosure of a third party’s personal information. When part of a request is denied, the parts of a request that aren’t denied must be disclosed.
HR Best Practices: Employers should establish official procedures and contacts for handling employee requests.
Employees and other data subjects who wish to object to the processing of their personal information or request the correction or deletion of their personal information should be provided with the forms available in the POPI Regulations.