June 2019

It is no secret that most employers will at some point provide references about existing or former employees. The legal landscape surrounding references in an employment context has developed since the introduction of the GDPR, which introduced more issues that employers need to be aware of when providing a reference. An employment reference is always guaranteed to contain personal data, for example health data when it discloses how many days an employee was absent from work and for what reasons. Under the GDPR, health-related data is considered ‘special category data’ and therefore requires extra safeguarding when it comes to processing.

Employers therefore need to be mindful of the GDPR when it comes to providing references in an employment context, including considering on what legal basis the processing of personal data is now taking place.

In reality, most employees are unaware of what their former employer has written about them. Sometimes there may be little or no reason to request a copy of the reference. However, there may be circumstances where an employee is engaged in a dispute with their former employer and requests to see a copy of their personnel file; a reference is undoubtedly going to be part of the package. While the DPA 2018 does not remove the right of the data subject to make a request for a copy of their personal data by way of a subject access request, Schedule 2 of the Act provides an exemption for employers. This exemption allows employers to withhold ‘confidential employment references’. Under the old legislation, there was an exemption in relation to references, but this only allowed the reference provider to lawfully refuse to disclose the reference. The GDPR has expanded on this and now allows both the reference provider and the recipient to refuse to disclose a reference, giving greater flexibility to employers.

However, even though the DPA 2018 may have strengthened the position for employers, it has not weakened the position of employees or data subjects. Access to confidential references may be harder to obtain, but this does not stop an employee from exercising their right to complain to the Information Commissioner if they believe that their rights have been infringed. The GDPR and the DPA will also compensate those who have suffered non-material damage for a breach. Employers should therefore consider their reference policy carefully to ensure that risks are mitigated and managed effectively.