Tel: 0345 644 8955 (TPS Registered)

How Should Employers Deal with References Post-GDPR?

Just recently one of my clients accepted the resignation of an employee who had been offered another job. He had been less than satisfactory during his brief employment, and they were gearing up to deal with it formally, though he wasn’t aware of that. So, they accepted his resignation and duly completed a reference form from the prospective employer. The reference was quite balanced, and in my view, they erred on the side of generosity.

It turned out to be one of those instances where - for whatever reason - the new employer withdrew the job offer. The employee immediately blamed my client and demanded to see the reference it had provided.

When you provide a reference about an employee to a prospective employer, it will generally involve the disclosure and processing of personal data and so you will need to be compliant with the data protection law.

Consider and document the lawful basis for processing the personal data of the employee. In the context of employment, the lawful grounds which will usually be relied upon will be either that the processing is necessary for the performance of the contract with the employee or that it is necessary to fulfil a legal obligation. That doesn’t really fit easily with the provision of a reference.

You can also use consent as the basis. Post-GDPR it’s generally accepted that in most cases consent is not genuine because the employee doesn’t have the same negotiating power as the employer. But it may be said to be different in the case of references where it is the employee who wishes the reference to be given and they are not in any way under pressure from the current employer such as might invalidate any consent given.

In those circumstances you may want to rely on the data subject’s consent to process the data contained within the reference. In order to be GDPR compliant such consent will have to be unambiguous and clearly documented. Any consent form used should document precisely what the data subject has consented to their former employee disclosing.

Under the Data Protection Act 1998 (DPA) employees had rights of subject access to personal information held by their current or former employer and this could, in principle, include references given by current or former employers. There was an exemption whereby an employer who provided a confidential reference could refuse to disclose this to the employee. However, employees could then apply to the recipient employer for a copy of that reference which was not able to rely upon the same exemption.

Under the GDPR and DPA 2018, employees still have the right to make subject access requests, but personal data held by either the giver or the recipient of a reference may be withheld where it consists of a reference given or to be given in confidence for the purposes of the following.

  • Education, training or employment, or prospective education, training or employment, of the data subject.
  • Placement, or prospective placement, of the data subject as a volunteer.
  • Appointment, or prospective appointment, of the data subject to any office.
  • Provision, or prospective provision, by the data subject of any service.

Even though access to a confidential reference is even more limited, an employee who is unhappy with the content of a reference may be able to rely upon exercising his enhanced data subject rights including the right to restrict processing, erasure, object and rectification. The GDPR requires that any consent given to processing must be as easy to withdraw as it was to provide so employers should be aware of any notification of withdrawal of consent and alter their practice accordingly in respect of any employee.

You will recall that - assuming the worst - my client’s outgoing employee demanded to see the reference that had been provided. In this case the reference was not only fair, accurate and objectively justified, it was nowhere near bad enough to account for a job offer being withdrawn. We decided to disclose it so that the employee could see for himself what had been said.

If you have HR queries and problems, get in touch!

Sign up for our free resources and free weekly tip - subscribe here.

Phone 0345 644 8955
LinkedIn Russell HR Consulting


Although every effort has been made to ensure the accuracy of the information contained in this blog, nothing herein should be construed as giving advice and no responsibility will be taken for inaccuracies or errors.

Copyright © 2019 all rights reserved. You may copy or distribute this blog as long as this copyright notice and full information about contacting the author are attached. The author is Kate Russell of Russell HR Consulting Ltd.

Got any HR queries?

Contact us