Stronachs Logo


Following the introduction of the GDPR and the Data Protection Act 2018, one of the changes that has often been overlooked by employers has been the impact on the provision of references. Providing a reference about an employee to a prospective employer, will generally involve the disclosure and therefore the processing of personal data and so will accordingly need to be compliant with data protection law.

It is important to note that, except in certain specifically regulated sectors, an employer is under no obligation to provide a reference and employers can generally decline to do so, however organisations should be consistent in their approach or else the possibility of discrimination or victimisation claims may arise. 

Responding to a request - lawful basis for processing

When responding to a reference request, employers will need to consider and document their lawful basis for processing the personal data of the employee. This is central to the concept of “fair and lawful processing” which is at the heart of data protection legislation.  In an employment context the lawful grounds or conditions which should usually be relied upon will be either that the processing is necessary for the performance of the contract with the employee or that it is necessary to fulfil a legal obligation. However neither of those fit easily with the provision of a reference.  Consent is an additional ground. Most commentators on data protection and indeed the Information Commissioner suggest however that in most cases any consent given by employees will not be valid because of the imbalance in the power relationship. However the situation is arguably different in the case of references where it is the employee who wishes the reference to be given and they are not in any way under pressure from the current employer such as might invalidate any consent given.  It may be possible, when responding to a reference request, to base the processing on the backstop condition of the “legitimate interests” of the employer or, more likely those of the third party prospective employer seeking to ensure that they appoint a suitable candidate but depending upon the scope of the reference the ability to rely upon this ground may be uncertain. In those circumstances most employers responding to a request for a reference may accordingly want to rely on the data subject’s consent to process the data contained within the reference. In order to be GDPR compliant such consent will have to be unambiguous and clearly documented.

There are two ways an employer can document a data subject’s consent. Firstly, at an exit interview they can ask the employee for their consent to retain information and process it for the purposes of providing future references and record this in a suitable format. Secondly, the current employer could put the onus on the prospective employer and make sure that they document and produce the employee’s consent to the current employer providing a reference. Employers will want to keep a copy of the evidence of consent in order to be able to demonstrate their lawful basis for processing.  Any consent form used should document precisely what the data subject has consented to their former employee disclosing. In addition to this, if the prospective employer is located out-with the EEA then the data subject will have to consent to their data being transferred in that way.

Special categories of Information

Prospective employers may want to know about an employee’s sickness or reasons for periods of absence. Under the GDPR health data falls under a special category of data and requires different grounds for processing but this does not apply where there has been “explicit, unambiguous consent” from the data subject. This is an even higher bar than standard consent.  It is recommended however that any reference requests relating to an employee’s health are treated with extreme caution and that very specific consent is in place before any such disclosure is made.

Disclosure of references

Previously under the Data Protection Act 1998 (DPA) employees had rights of subject access to personal information held by their current or former employer and this could, in principle, include references given by current or former employers. However, there was an exemption whereby an employer who provided a confidential reference was permitted to decline to disclose this to the employee.  This protection was however undermined by the fact that the employees could then apply to the recipient employer for a copy of that reference which was not able to rely upon the same exemption.

Under the GDPR and DPA 2018, employees still have the right to make subject access requests. However, the loophole in the previous legislation has been closed and  personal data held by either the giver or the recipient of a reference may be withheld where it consists of a reference given or to be given in confidence for the purposes of the:
• Education, training or employment, or prospective education, training or employment, of the data subject.
• Placement, or prospective placement, of the data subject as a volunteer.
• Appointment, or prospective appointment, of the data subject to any office.
• Provision, or prospective provision, by the data subject of any service.

Increased rights of employees

Even though access to a confidential reference may have been made more difficult, an employee who is unhappy with the content of a reference it suspects is being given by a current or former employer may be able to rely upon exercising their enhanced data subject rights including the right to restrict processing, erasure, object and rectification. The GDPR also requires that any consent given to processing must be as easy to withdraw as it was to provide so employers will need to be alive to notification of withdrawal of consent and alter their practice accordingly in respect of any particular employee.  Employees will retain the right to complain to the Information Commissioner if they think their rights under the legislation have been infringed and they also now have enhanced rights to seek compensation from the employer giving a reference if they suffer material or non-material damage as a result of infringement of their data protection rights.

As a result of these developments and the  additional risks arising we are likely to see even more employers adopting a policy of providing purely factual references or at least strict  restrictions on the nature of the information which may be disclosed.  In any event all employers should carefully review their reference policy and procedure to ensure risks are adequately managed.

If you have any queries about any of the issues raised above please do not hesitate to contact a member of the Stronachs Employment Team.

Eric Gilligan, Partner and Ross Michie, Trainee Solicitor

Chambers Leading Firm 2019

Contact Info

28 Albyn Place, Aberdeen AB10 1YL
Tel: +44 1224 845845


Camas House, Fairways Business Park,
Inverness IV2 6AA
Tel: + 44 1463 713225