Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under South Africa’s Basic Conditions of Employment Act (1997, Sec. 78)("BCEA"), employees have the right to inspect certain records about their employment (kept under the BCEA), including:
The Protection of Personal Information Act (POPI, 2013, Ch. 2, Sec. 5) additionally gives individuals the right:
Employers must take reasonable steps to notify employees when collecting their personal information (POPI, Sec. 18 (1)). Employees should be informed in advance of:
When an employer receives an access, correction or deletion request from an employee, the employer must respond within a reasonable timeframe in a reasonable manner and format. When receiving an access request, individuals must be informed of their right to request the correction of any inaccurate data. If a fee will be charged, the individual must be informed in advance.
Requests must be responded to and completed within a reasonable timeframe. Employers can refuse requests in certain cases, such as when it would involve the unreasonable disclosure of a third party’s personal information. When part of a request is denied, the parts of a request that aren’t denied must be disclosed.
HR Best Practices: Employers should establish official procedures and contacts for handling employee requests.
Employees and other data subjects who wish to object to the processing of their personal information or request the correction or deletion of their personal information should be provided forms available in the POPI Regulations.