Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Under the Personal Information Protection Act (PIPA, Article 35), employees (and other data subjects) have the right to confirm whether their information is being processed, and request access to their personal information (including copies). Access requests can be postponed or denied when there is a justifiable ground not to allow access (once the reason for denial/delay no longer exists, any postponements should be lifted).
Employers may deny access to employees in cases:
Employees and other data subjects can request the correction, suspension or erasure of their personal information. Employers must investigate these requests without delay and take measures to correct or erase the personal information unless specifically provided for by other laws. Once the investigation is complete, the employer should notify the individual of the results. In cases where access is postponed or denied, individuals should receive a notice informing them of the delay or denial as well as how they can appeal the decision.
HR Best Practices: Employers and other personal information controllers should prepare a method to allow for data subject access/suspension/ deletion/correction requests and publicly announce the process. When mailing copies of records based on requests, employers can demand a fee and postage.
Note that the exercise of these rights is not generally an issue in the context of human resources, and most often may only become an issue with respect to customer-related information.
