Do individuals have the right to access their personal information?
Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Generally, individuals do not have the right to access personal information under United States law. That said, several states have laws giving employees the right to access their personnel files. Under the Fair Credit Reporting Act (FCRA), applicants and employees have the right to access their personal information in the file maintained by a background check company (consumer reporting agency). Separately, under the Health Insurance Portability and Accountability Act (HIPAA), participants in employer-sponsored HIPAA-covered group health plans have the right to access their personal health information (PHI) maintained by the plan.
At the state level, the California Privacy Rights Act, effective January 1 2023, includes a “right to know” and the right to “specific pieces of personal information.” Note that this right does not require employers to produce whole records or documents (there are other laws in California giving employees the right to certain HR documents).
HR Best Practices: When processing an access request from an employee, make sure not to disclose information connected to other employees. Processors and sub-processors should establish official procedures and contacts for employee requests.