This is one of the myths that perpetuate around GDPR and one which is worrying if a widely held view.
This is a view which often seems to be held on the basis of one paragraph in the schedules of the Data Protection Act 2018 which sets out some of the exemptions which can be applied to Data Subject Rights.
This represents a change from the previous Data Protection Act 1998 which had a similar exemption which could only be applied by the organisation providing the reference, not the one receiving it.
The change, however, has sometimes been interpreted as the closure of a loophole allowing all organisations to withold references on a blanket basis, which it is not.
The loophole has been addressed to ensure both the employer receiving the reference and the employer providing it have equal opportunity to apply an exemption if it lawfully applies.
It is important to understand that the exemption is not an unqualified one and applies only in specific circumstances.
The ICO’s published guidance on exemptions says:
i..e. there is no blanket exemption to references and organisations are expected to consider other means of disclosure such as an overview or a redacted copy before withholding it and all requests must be considered on a case by case basis.
This means considering a number of factors such as who the reference is from and its contents (not just whether it is adverse or not).
Organisations need to ensure this process considers the test of ‘quality of confidence’ as well as whether the information was provided with the expectation of confidentiality.
If they cannot prove a reference was provided in confidence e.g. from a statement in or alongside the reference an organisation will be expected to contact the referee and ask for their views on disclosure (note it is their views not their consent).
Organisations should aim to ensure they have the audit trail to prove that full or limited disclosure was considered before any refusal and that they do this on a case by case basis.
The scenarios in which a reference can be completely withheld will be limited and would, most likely, include:
- Where the reference has been provided in confidence i.e. an employer who decides to withhold a reference under this exemption will be expected to be able to evidence that the reference has been provided in confidence and that it fits the tests of ‘necessary quality of confidence’ and containing information which has been disclosed in circumstances importing an obligation of confidence.
- Where the decision to withhold has been made to protect the rights and freedoms of an individual – normally the referee.
Many routine references will contain trivial information or information already known to the applicant so may fail the quality of confidence test and should be disclosed in redacted form to protect the rights of others (e.g. information which may indirectly identify a witness to a disciplinary matter).
An organisation may sometimes have a duty of confidence to an individual but never to a large company (at least in Data Protection terms as confidential information about a company may also include proprietary or commercial information which may meet the quality of confidence test).