Do individuals have the right to access their personal information?
Jurisdictions with data protection laws generally guarantee individuals the right to contact an organization directly and find out whether it holds or processes personal data about them. Access procedures and permitted exceptions (such as business secrecy) are set out in law and may be subject to oversight by data protection authorities. In the HR context, a personal data access request can cover information the company itself keeps as well as data processed on its behalf by third-party providers, such as background check vendors.
Under South Africa’s Basic Conditions of Employment Act (BCEA, 1997, Sec. 78), employees have the right to inspect certain records about their employment that are kept under the BCEA, including:
- records containing an employee’s: name, occupation, time worked, remuneration paid, date of birth if under 18, and any other prescribed information (BCEA, Sec. 31);
- the written particulars of employment provided to an employee when they start employment and whenever any of those particulars change (BCEA, Sec. 29).
The Protection of Personal Information Act (POPIA, 2013), principally in Ch. 2, Sec. 5, additionally gives individuals the right:
- to be informed that their personal information is being collected;
- to be notified if personal information has been accessed or acquired by an unauthorized individual;
- to establish whether the employer holds personal information pertaining to them;
- to request access to their personal information;
- to request that their personal information be corrected, deleted or destroyed;
- to withdraw consent to the processing of their personal information;
- to not have personal information processed for purposes of direct marketing via unsolicited electronic communications;
- to not be subject to a decision based solely on the automated processing of personal information intended to provide a profile of them;
- to object to their personal information being processed;
- to restrict the processing of their personal information where: the accuracy of the information is contested; the information is no longer needed for the purpose for which it was collected or processed but must be kept as proof; the processing is unlawful and the individual asks for restriction instead of deletion or destruction; or the individual has asked for the information to be transmitted into another automated processing system; and,
- to submit complaints to the Information Regulator and to institute civil proceedings for alleged interference with the protection of their personal information.
Employers must take reasonably practicable steps to notify employees when collecting their personal information (POPIA, Sec. 18(1)). Employees should be informed in advance of:
- the information that will be collected about them and the source of the data, if it’s not provided directly by the individual;
- the name and address of the employer (i.e. the “responsible party”, in POPIA’s terms);
- the reason the data is being collected;
- whether the data collection is voluntary or mandatory;
- the consequences of not providing the requested information;
- any law that requires or authorizes the data collection;
- any intended transfer of the data to another country or to an international organization, and the level of protection the data will be afforded there (if applicable);
- the recipient(s), or category of recipients, and the nature/category of the data;
- rights relating to their personal data including the right to: access personal data that has been collected, correct inaccuracies, object to processing, and lodge complaints with the Information Regulator.
When an employer receives an access, correction or deletion request from an employee, the employer must respond within a reasonable time, in a reasonable manner and format, and in a form the employee can generally understand. When responding to an access request, the employer must also inform the individual of their right to request the correction of any inaccurate data. If a fee will be charged, the individual must be given a written estimate of the fee before the information is provided. Employers can refuse requests in certain cases, for example where compliance would involve the unreasonable disclosure of a third party’s personal information. Where only part of a request is refused, every other part must still be disclosed.
HR Best Practices: Employers should establish official procedures and contacts for handling employee requests.
Employees and other data subjects who wish to object to the processing of their personal information, or to request the correction or deletion of their personal information, should be provided with the forms prescribed in the POPIA Regulations (Form 1 for objections under Sec. 11(3) and Form 2 for correction or deletion requests under Sec. 24).