Data Subject Access Requests: The reference exemption
A current, former or even prospective employee may require details of the data held on them. They may request this by making a Data Subject Access Request (DSAR). These are often made in the context of disciplinary proceedings, grievances, tribunal or court proceedings. When a DSAR is received, the employer has a legal responsibility to handle a request fairly and transparently.
Legal framework
The UK General Data Protection Regulation (GDPR) comprises of two main pieces of legislation: a version of Regulation 2016/679, incorporated into UK law and the parts of Data Protection Act 2018 (DPA) relating to general personal data processing, powers of the Information Commissioner and sanctions.
Individuals’ rights under GDPR
Individuals have several rights in respect of their personal data including:
• To be informed
• To have access
• To request rectification, erasure and restriction of processing.
Exemptions
There are certain circumstances where there is no obligation to comply with a DSAR. One potential exemption relates to a reference given in confidence for employment purposes.
Confidential References
References are frequently, but not always, given in confidence since they often contain information relating to an employee’s performance, conduct or attendance. Where given in confidence they should be expressed as confidential in order to benefit from the exemption from disclosure under a DSAR. The purpose of this exemption from disclosure is to encourage referees to give opinions honestly and without fear of reprisal.
Part two of the Information Commissioner’s Office Employment Practices Code makes recommendations for employers including:
• Publishing a clear policy concerning which employees can provide employer (so not personal) references and in what circumstances.
• Ensuring the employee consents to having a confidential reference written.
When writing a reference, employers should ensure, amongst other things:
• The reference is provided in accordance with any workplace policy.
• Any short factual reference contains a statement confirming that it is standard practice for the employer to provide this sort of reference.
• The reference is truthful.
• Any absence information complies with data protection obligations.
• Any comments made do not contravene the disability discrimination provisions.
• The reference is marked "Private and confidential for the addressee only".
However, all potential referees should be aware that the exemption for disclosing a reference in a DSAR may be overridden in certain circumstances, for instance in a legal dispute where a court may order disclosure.
There is also the inherent risk of being sued for defamation and so the referee needs to honestly believe the information given is correct and provided without malice.
To learn more about references and navigating Data Subject Access Requests and for further advice or assistance please get in touch with the Employment Team.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.