The ICO has issued new guidance on data subject access requests, which offers clarity on the enforceability of some settlement agreement provisions…
A data subject access request (DSAR) is a formal request submitted by an individual to an organisation, requiring the organisation to disclose what, if any, personal information relating to the individual they have collected, stored, and used. If a worker submits a DSAR to their employer, their employer must respond to this without delay, and within one month of receipt of the request at the latest – save for in circumstances where the DSAR is particularly complex, or a number of requests have been submitted by the same worker, in which case the time limit can be extended by up to two months.
Some employers include provisions in their settlement agreements stating that departing employees must withdraw any outstanding DSARs and promise not to pursue or submit any further DSARs. From the employer’s point of view, this is another way of achieving the “clean break” sought by the settlement process and means that the employer will not have to expend the sometimes-considerable administrative effort of dealing with a former employee’s request. However, the enforceability of such provisions has come into question, as they would appear to restrict an individual’s statutory data rights.
The Information Commissioner’s Office (ICO) has published a new DSAR Q&A, which acts as guidance for employers on their responsibilities regarding DSARs from workers. Of particular interest is the following on the relationship between DSARs and settlement agreements:
“People have the right to obtain a copy of their personal information from you. This right cannot be overridden by a settlement or non-disclosure agreement. If a settlement agreement you have made with a worker limits their right of access, then it is likely this part of the settlement agreement will be unenforceable under data protection legislation. Signing a settlement or non-disclosure agreement does not waive a worker’s information rights”.
The ICO guidance is pretty unambiguous on the question as to whether a settlement agreement can be used to restrict future DSARs – it is highly likely that any settlement agreement provisions which seek to limit a worker’s right to make a DSAR will be unenforceable.
It is less clear what the ICO’s view is for DSARs that have already been submitted at the time of completion of the settlement agreement. It remains open to an employer to request that a worker withdraw their DSAR – but there is nothing that an employer can do to compel the worker to do so, nor to stop the worker from resubmitting a previously withdrawn DSAR following the completion of a settlement agreement.
However, under the UK General Data Protection Regulation, an employer can refuse to comply with a DSAR if it is manifestly unfounded or manifestly excessive. A DSAR will be manifestly unfounded where it is malicious in intent and is being used to harass the employer, with no real purpose other than causing disruption. The ICO use an example of an employee submitting a DSAR with the aim of pressuring their employer into offering an improved settlement package as manifestly unfounded. Such tactics are relatively common in settlement negotiations; but the problem that many employers face is that employees may have multiple motives for raising a DSAR, some of which may be legitimate, making it difficult for the employer to be certain that the ICO would classify the DSAR as malicious in intent.
Whether a DSAR is manifestly unfounded will depend on the particular circumstances and context, and we would always recommend obtaining legal advice before deciding to reject a DSAR.
If you require any legal advice on a DSAR that you have received, or would like help with drafting a settlement agreement, please get in touch at [email protected]
