The Right to Access Personal Data: Key Considerations for HR Professionals
Individuals have a heightened awareness of their privacy and the various rights accorded to them under data protection laws. This means that individuals now have greater control over their personal information, including who has access to it and for what purpose. One of the fundamental rights enshrined in data protection regulations such as the Data Protection Act 2019 is the right to access personal data. So, what exactly is personal data? The Data Protection Act defines personal data as information relating to an identified or identifiable natural person. This information includes email address, gender, KRA PIN, ID number, biometric data, etc., that an organization would process for various purposes.
HR professionals play a crucial role in ensuring that this right is upheld within organizations, as was seen in the ODPC’s decision in the case of Harrison Kisaka vs Faulu Microfinance Bank Limited 2023, where an adverse report was generated against the applicant from a background check initiated by the Bank as a pre-condition for employment. The applicant, aggrieved with the decision, sought to get a copy of the adverse report from the source, but the Bank refused to honor this request. The upshot of this decision is that the ODPC ordered the Bank to furnish the applicant with the information requested, including the adverse report, as it contained his personal data which was used to arrive at a decision.
In this article, we will explore the right to access personal data, the key considerations for HR professionals, and how they can enable this right, including the information they must share with data subjects.
Understanding the Right to Access Personal Data
The right to access personal data, often referred to as a “data subject access request” (DSAR), allows individuals to request access to the personal data that organizations hold about them. This fundamental right empowers individuals to take control of their data, understand how it is processed, and verify its accuracy. HR departments are custodians of a substantial amount of personal data, making it imperative for HR professionals to be well-versed in handling DSARs.
Key Considerations for HR Professionals in Enabling DSARs
- Knowledge of Applicable Laws and Regulations: HR professionals must have a solid understanding of the Data Protection Act 2019 or any other data protection law that their organization is subject to. This knowledge is crucial as it will assist in responding to any data subject requests.
- Establishing Clear DSAR Procedures: HR departments should have well-documented procedures in place for handling DSARs. These procedures should outline how to receive, verify, and process requests, as well as the timeline for responding to them.
- Verification of Identity: Verification of the requestor’s identity is critical. HR professionals should establish a secure verification process to prevent unauthorized access to sensitive personal data. This may involve requesting additional identification documents or using multi-factor authentication, while being careful to collect only what is necessary to fulfill the purpose of verification.
- Data Inventory and Mapping: HR departments should maintain an up-to-date inventory of personal data they process. Mapping where data is stored, who has access to it, and the purposes for which it is used can expedite the response to DSARs.
- Timely Response: Data protection laws typically require organizations to respond to DSARs within a specific timeframe (e.g., within a maximum of 30 days under the Data Protection Act 2019). HR professionals should be prepared to meet these deadlines and communicate with requestors regarding any necessary extensions.
Enabling the Right to Access Personal Data
To enable the right to access personal data effectively, HR professionals should take the following steps:
- Create a Dedicated DSAR Portal: Setting up a user-friendly DSAR portal can facilitate the submission and tracking of requests. This portal can include request forms, progress updates, and secure channels for communication.
- Conduct Training: Training on how to recognize and appropriately handle DSARs is paramount as it provides guidance on the importance of data protection and the legal obligations associated with responding to such requests.
- Develop Template Responses: Create standardized response templates that include all the necessary information required by law. This may include a summary of the data held, purposes of processing, third-party disclosures, and more. The Data Protection (General) Regulations 2021 has templates that can be adopted by the organization.
- Access to Personal Data: Share a copy of the personal data being processed, including any categories of data, sources, and recipients.
- Purpose of Processing: Explain the purposes for which their data is being processed, such as recruitment, payroll, or benefits administration.
- Data Retention Periods: Inform data subjects of how long their data will be retained and the criteria used to determine retention periods.
- Third-Party Disclosures: Disclose if their data has been shared with third parties and specify the recipients, if applicable.
- Right to Rectification or Erasure: Remind data subjects of their rights to request corrections, deletions, or restrictions on the processing of their data.
The right to access personal data is a fundamental aspect of data protection, and HR professionals are at the forefront of ensuring compliance with this right within their organizations. A clear understanding of applicable laws, together with systems and procedures that enable data subjects to exercise this right, is a crucial tenet of data protection compliance. This proactive approach not only helps organizations comply with the law but also fosters trust and transparency in the workplace.