Privacy FAQs: If a company receives a data access request from an employee, will it have to share with them performance reviews and other notes and comments in their HR file that implicate other employees?

May 10, 2019

The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. If a company receives a data access request from an employee, will it have to share with them performance reviews and other notes and comments in their HR file that implicate other employees?

Possibly.

The CCPA requires that a business provide a California resident with the “specific pieces of personal information it has collected about that” individual.1 There are two main exceptions to this right. Information does not need to be disclosed to an employee if it would “restrict” a business’s ability to “[c]omply with federal, state, or local laws” or if it would interfere with the “rights and freedoms of other consumers.”2

With regard to the first exception, if the access request of one California employee would require an employer to disclose information about a second employee for which the employer has a legal obligation of confidentiality, the request could be refused. While that may protect some information that an employer maintains about its other employees, an employer is not mandated by law to keep much of the information that it collects about its other employees confidential.

With regard to the second exception, the language suggests that a company could object to an access request from one employee that would require the production of information relating to a second employee based upon the supposition that the disclosure would interfere with the “rights and freedoms” of the second employee to privacy.  It is important to note, however, that the term "consumer" is defined within the CCPA as including only "a natural person who is a California resident."3  As a result, on its face this exception would allow an employer to refuse to honor an access request that would interfere with the rights and freedoms of another California employee; it would not necessarily allow the company to refuse to honor an access request that would disclose information about an employee who was the resident of a different state or country.

In comparison, the European GDPR contains a broader exception to rights of access that allows a controller to refuse an access request if honoring it would “adversely affect the rights and freedoms of others” – regardless of their nationality or residency.4


1. Cal. Civil Code 1798.110(a)(5), (b).

2. Cal. Civil Code 1798.145(a)(1), (j).

3. Cal. Civil Code 1798.140(g) (emphasis added). 

4. GDPR, Article 15(4).