Do individuals have the right to access their personal information?
Data-protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under the Personal Information Protection Act (PIPA, Article 35), employees (and other data subjects) have the right to confirm whether their information is being processed, and request access to their personal information (including copies). Access requests can be postponed or denied when there is a justifiable ground not to allow access (once the reason for denial/delay no longer exists, any postponements should be lifted).
Employers may deny access to employees in the following cases:
- where prohibited or limited by other acts;
- where access will likely cause damage to the life or body of a third party, or violation of property and other benefits of that third party; or,
- when public institutions have grave difficulties performing certain duties.
Employees and other data subjects can request the correction, suspension or erasure of their personal information. Employers must investigate these requests without delay and take measures to correct or erase the personal information unless specifically provided for by other laws. Once the investigation is complete, the employer should notify the individual of the results. In cases where access is postponed or denied, individuals should receive a notice informing them of the delay or denial as well as how they can appeal the decision.
HR Best Practices: Employers and other Personal Information Controllers should prepare a method to allow for data subject access/suspension/deletion/correction requests and publicly announce the process. When mailing copies of records based on requests, employers can demand a fee and postage.
Note that the exercise of these rights is generally not a particular issue in the context of human resources, and most often may become an issue only with respect to customer-related information.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.