Handling employment references alongside GDPR
GDPR is now over a year old. The aim of the GDPR was to increase the protection of individuals’ personal data. Employees are better informed than ever of their data protection rights, with employers receiving an increased number of subject access requests from their employees.
Providing a reference about an employee to a prospective employer, will generally involve the disclosure and therefore the processing of personal data and so will accordingly need to be compliant with GDPR. It is important to note that, except in certain specifically regulated sectors, an employer is under no obligation to provide a reference and employers can generally decline to do so, however companies should be consistent in their approach or else the possibility of discrimination or victimisation claims may arise.
Responding to a request - lawful basis for processing
When responding to a reference request, employers will need to consider and document their lawful basis for processing the personal data of the employee. This is central to the concept of 'fair and lawful processing' which is at the heart of data protection legislation. In an employment context the lawful grounds or conditions which should usually be relied upon will be either that the processing is necessary for the performance of the contract with the employee or that it is necessary to fulfil a legal obligation. However neither of those fit easily with the provision of a reference. Consent is an additional ground.
Most commentators on data protection and indeed the Information Commissioner suggest however that in most cases any consent given by employees will not be valid because of the imbalance in the power relationship. However the situation is arguably different in the case of references where it is the employee who wishes the reference to be given and they are not in any way under pressure from the current employer such as might invalidate any consent given. It may be possible, when responding to a reference request, to base the processing on the backstop condition of the 'legitimate interests' of the employer or, more likely those of the third party prospective employer seeking to ensure that they appoint a suitable candidate but depending upon the scope of the reference the ability to rely upon this ground may be uncertain. In those circumstances most employers responding to a request for a reference may accordingly want to rely on the data subject’s consent to process the data contained within the reference. In order to be GDPR compliant such consent will have to be unambiguous and clearly documented.
There are two ways an employer can document a data subject’s consent. Firstly, at an exit interview they can ask the employee for their consent to retain information and process it for the purposes of providing future references and record this in a suitable format. Secondly, the current employer could put the onus on the prospective employer and make sure that they document and produce the employee’s consent to the current employer providing a reference. Employers will want to keep a copy of the evidence of consent in order to be able to demonstrate their lawful basis for processing. Any consent form used should document precisely what the data subject has consented to their former employee disclosing.
Accessing reference content
Interesting, however, under the previous data protection legislation, individuals were not entitled access to a confidential employment reference written about them, either from the author of the reference (the ex-employer), or from the recipient of the reference (the new or prospective employer). In order for ex-employers to refuse disclosure (should they wish to do so), the reference should clearly state that it is confidential, intended for the attention of the recipient only and that the author does not give permission for it to be disclosed to the subject. This protection was however undermined by the fact that the employees could then apply to the recipient employer for a copy of that reference which was not able to rely upon the same exemption.
Under the GDPR employees still have the right to make subject access requests. However, the loophole in the previous legislation has been closed and personal data held by either the giver or the recipient of a reference may be withheld where it consists of a reference given or to be given in confidence for the purposes of the:
• Education, training or employment, or prospective education, training or employment, of the data subject.
• Placement, or prospective placement, of the data subject as a volunteer.
• Appointment, or prospective appointment, of the data subject to any office.
• Provision, or prospective provision, by the data subject of any service.
The author of a reference owes a duty of care to both the subject of the reference and the reference recipient. The reference must be true, accurate, fair and must not give a misleading impression. Most job offers are conditional upon receipt of satisfactory employment references. Clearly, an unfavourable reference can harm an individual’s future employment prospects and result in the prospective employer withdrawing an offer or dismissing an employee during their probationary period.
If a reference is revealed to an employee and the individual believes the ex-employer had provided a negligent reference, they could bring a claim in the county court and request that the court orders disclosure of the reference.