INFORMATION UPDATE - REFERENCE REQUESTS AND GDPR
As we continue to understand the implications of GDPR and the new Data Protection Act, we consider the situation of an employer receiving a request to provide a reference (“referee”) in respect of a former (or current) employee (“the data subject”).
As we already know, when writing a reference, the referee has a duty of care to both the person requesting the reference (“requestor”) and the data subject. The reference given must be accurate and must not be misleading or defamatory, meaning the safest reference is a purely factual one, e.g. start date, finish date, job title etc. If an inaccurate or misleading reference is given and it causes the recipient or the data subject to suffer damage, then the referee can be sued for damages.
When a referee provides a reference, they will be processing personal data (and in some cases special categories of data). Under the new Data Protection legislation, processing personal data (and/or special categories of data) can only be performed:
- for compliance with a legal obligation;
- for the performance of the contract of employment; or in order to take steps at the request of the Data Subject prior to entering into a contract;
- in order to protect the vital interests of the Data Subject or another natural person;
- for the performance of a task carried out in the public interest in the exercise of official authority;
- for performance of a legitimate interest; or
- with the consent of the data subject.
Therefore, which could you rely on? Generally speaking, only three of these grounds may apply.
Generally, there is no legal obligation to provide a reference, so this lawful ground for processing data to provide a reference could not be relied upon. There are exceptions, for example staff engaged in a business activity regulated by the Financial Conduct Authority or the Prudential Regulatory Authority (e.g. Banking/Financial services industry), where a reference does have to be provided, and in those circumstances, this lawful ground to provide a reference could be relied upon.
Performance of a Contract
A referee will only be able to rely upon this lawful ground to process Personal Data to provide a reference if there is an explicit clause in the contract of employment (which is unlikely) or within a Settlement Agreement or ACAS brokered COT3 agreement.
In light of the above, it is likely the data subject’s explicit and freely given consent will be required to process the personal data to enable a referee to write and disclose a reference. Under the new Data Protection regime, referees cannot rely upon implied consent, or consent set out in a generic contractual clause. Instead, explicit and unambiguous consent is required from the data subject. The data subject is likely to provide consent as it will be in their interests for the reference to be provided.
What does this mean for you as a referee?
Before preparing to provide a reference, you will need to ensure that you have the necessary and appropriate consent from the data subject.
Note: when requesting a reference, it might expedite the process if the requestor submits the reference request with the data subject’s consent.
So what is the best way of dealing with a reference request?
If a reference request is received and it is not accompanied by a consent form signed by the data subject, you should write back to the requestor asking them to provide the data subject’s explicit and freely given signed consent. This should be retained for evidential purposes. Alternatively, you could write to the data subject directly and ask if they give their consent; again, for evidential purposes, this should be in writing.
Please note, you will need to be very careful about what precisely the consent covers. For example, a data subject may give explicit consent to the provision of a reference, but they may not consent to their absence record being disclosed.
In writing the reference, you should try and give a factual reference and should only address those issues about the data subject’s employment for which the consent has been given.
We can foresee some problem areas, and have the following comments:
How would the referee know the consent was freely given?
The referee wouldn’t know. However, when a referee receives a consent form signed by the data subject, the referee could (in the absence of any knowledge to suggest consent had not been given freely) hold that they provided the reference in all good faith.
Interestingly however, if the new employment is conditional upon receipt of a satisfactory reference, then the data subject arguably is not giving consent freely; they have no choice but to give consent; because if they don’t, they are unlikely to be offered the position applied for.
What if the data subject only consents to data being processed, for the purpose of writing the reference to confirm dates of employment, but nothing else?
From the requestor’s point of view – the reference may not be considered satisfactory and could result in a decision not to appoint the data subject or dismiss the data subject part way through a probationary period.
“Serves the data subject right!” you might think! But a note of caution: before dismissing anyone or withdrawing a job offer, be mindful that the individual might be able to argue a claim under the Equality Act 2010 that the decision to dismiss, or withdraw the job offer, was due to a protected characteristic (gender, race, nationality, age, disability, sexual orientation, religion or beliefs etc.) and therefore a discriminatory act; or due to asserting a statutory right not to give consent.
From the referee’s point of view – providing a factual reference simply confirming dates of employment is straightforward enough and dead easy.
However, a note of caution:
What if the data subject’s employment ended by reason of gross misconduct (theft/fraud issue) but the requestor advises that the data subject has applied for a position in the requestor’s finance department, which includes responsibility for cash handling? The referee has a duty of care to the requestor; by not telling them this, is the referee being negligent? But the referee also has a duty to the data subject. If the referee does not have explicit and freely given consent to process data and disclose the reason for dismissal, then what does the referee do?
It’s complex, but in this situation, in our view, the referee will need to carry out a legitimate aim impact assessment to determine whether providing the personal data about the data subject to the requestor could be a legitimate aim.
In some situations, the referee might be able to rely upon legislation in providing specific references, for example it is an offence, under the Aviation Security Act 1982, as amended by the Aviation and Maritime Security Act 1990, to knowingly give false information, either for the purpose of, or in connection with, an application for an airport security ID pass. In this situation, the referee could seek to rely upon the compliance with a legal obligation to process the personal data in providing the reference.
We can envisage extensive case law and decisions from the Information Commissioner’s Office on this matter in due course, and it will be interesting to see how this develops. We can’t help but ponder… is this the end of references as we know them?