GDPR - References Now Exempt from Disclosure

Under the General Data Protection Regulation (GDPR) individuals are entitled to a copy of the personal data which your organisation holds about them and to certain supplementary information.

If you have ever been responsible for responding to a subject access request (SAR), you will be aware how complicated they can be to handle. Responding to SARs is often a time-consuming and resource-intensive task, in part because of the need to consider whether any exemptions from disclosure apply. The Data Protection Act 2018 (which supports the implementation of the GDPR) provides exemptions from disclosure under a SAR. Many of the exemptions under this new law closely mirror the previous exemptions under the Data Protection Act 1998. However, there are a few key changes. One such change relates to the disclosure of references.

What's Changing? References given in receipt of the SAR were exempt from disclosure under the Data Protection Act 1998. The exemption only applied to references given by the organisation. This meant that the exemption could only be used by the provider of the reference, and not a recipient. The Data Protection Act 2018 has removed this distinction so that any reference provided in confidence is exempt from disclosure under a SAR. This means that if an organisation receives a subject access request, confidential employment references about the individual making the request, whether created by that organisation or received from a third party, will be exempt from disclosure.

Best Practice for Employers Employment references should be marked as 'Strictly confidential - employment reference' in order to seek to ensure that the exemption can be applied by sender and recipient. Care must always be taken when providing references about employees to prospective employers or recruitment agencies. When giving references, you should always remember that:

• There is no legal obligation to provide a reference but any reference provided must be true and accurate.
• The content of a reference may need to be disclosed as part of any litigation involving the employee, regardless of whether the information contained in it might be exempt from a SAR.
• Once given, a reference is outside of your control. There is no certainty therefore that an employer who receives a reference might not share it with the employee in question, perhaps because it is unaware that it might be exempt, or that it intends to disclose the document in order to defend its own position.

For more information, please contact Gareth Edwards in our Employment Law team on 0117 314 5220.