Under the General Data Protection Regulation (GDPR), individuals are entitled to a copy of the personal data which an organisation holds about them. Anyone has the right to make a subject access request (SAR), which is a written request to a company or organisation asking for access to the personal information it holds on them.
As a company or organisation, if you’ve ever been responsible for responding to a SAR, you will know how complicated they can be to handle. Responding to a SAR can be a time-consuming and resource-intensive task, in part because of the need to consider whether any exemptions from disclosure apply.
The Data Protection Act 2018 (which supports the implementation of the GDPR) provides exemptions from disclosure under a SAR. Many of the exemptions under this relatively new law closely mirror the previous exemptions under the Data Protection Act 1998. However, there have been a few key changes and one such change relates to the disclosure of references.
What’s changed since the introduction of GDPR?
Under the Data Protection Act 1998, references given by an organisation were exempt from disclosure on receipt of a SAR. However, this exemption only applied to references given by an organisation and could only be used by the reference provider. The exemption was therefore not applicable to the recipient (the party receiving the reference).
This meant that the recipient organisation would have to simultaneously manage the SAR alongside the need to protect information relating to the author of the reference and would need to balance the interests and levels of harm to both parties.
Over time, this perceived legal quirk had an adverse effect on referencing. Organisations increasingly scaled back the content of their references, limiting the information they provided to dates of employment and position held. Performance would rarely be commented on by larger organisations, due to the perceived risk of litigation by the subject of the reference. As a result, the ability to assess whether an individual performed adequately in their role was significantly impeded.
The Data Protection Act 2018 has now removed this distinction. This means any organisation that receives a SAR may now legitimately withhold any employment references about the individual making the request if they feel the reference was provided to them in confidence. This exemption applies whether the organisation was the creator or the recipient of the reference. Of course, the exemption doesn’t mean the recipient of a reference cannot or should not release the content of a reference to the requesting individual should they wish to do so; however, it does give the recipient a means of evaluating the request in respect of both data protection law and the context in which the information was provided.
The obvious benefit of this change in the UK’s data protection legislation is that organisations can now provide more meaningful references, within acceptable legal boundaries.
Obtaining an employment reference
Employment references enable any prospective employers to verify information about an individual’s previous employment with an organisation, such as information about what role they held, the length of employment and details about their conduct.
Whilst employers are under no legal obligation to provide a reference (unless there is a regulatory obligation to provide one), it is worth noting that if an employer does choose to provide one, the content of the reference provided should always be accurate, fair and non-discriminatory.
Validating an individual’s employment details can give greater confidence the person is competent to perform the role for which they are being recruited and can help mitigate the risk of making a poor hiring decision. However, organisations in receipt of references are reminded of the need to continue to be mindful of the protection they owe to the author of the reference. They may wish to consider either redacting the reference to protect the author’s identity or withholding it. If they do wish to release a copy to the individual to whom it relates, they may wish to consider seeking consent from the author of the reference, prior to doing so.
Best practice for providing references
Care should always be taken when providing references about employees to prospective employers or recruitment agencies.
You should always clearly mark them as “Strictly confidential – employment reference”. This will ensure a reference exemption could be applied by the author or recipient in the event of a SAR being made to your company or the recipient organisation. When providing references, always remember:
· You are not legally obliged to provide a reference, but any reference provided must be true and accurate.
· The content of a reference you provide may need to be disclosed as part of any litigation involving an employee, regardless of whether the information contained in it might be exempt from a SAR.
· Once you have provided a reference, the information given is outside of your control. There is no certainty the employer who receives it will not share it with the employee in question; they may be unaware of any exemption, and could also intend to disclose the document in order to defend their own position if needed.
Whilst we hope this information provides some clarity and is useful to your organisation, it does not constitute legal advice and Vero recommend organisations take appropriate legal and data protection advice prior to responding to any data subject rights requests and / or releasing a copy of an employment reference to the data subject.
Let us help you!
If you would like to find out more about our reference services, please get in touch and we’ll be pleased to help.