Question? Call Us +44 330 122 8239

Employment References & GDPR

Employment references are exempt from disclosure under GDPR. They can't be shared with the applicant as part of a Data Subject Access Request.

This is one of the myths that perpetuate around GDPR and one which is worrying if a widely held view.

This is a view which often seems to be held on the basis of one paragraph in the schedules of the Data Protection Act 2018 which sets out some of the exemptions which can be applied to Data Subject Rights.

The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of … employment (or prospective … employment) of the data subject

paragraph 24, Schedule 2, Data Protection Act 2018

This represents a change from the previous Data Protection Act 1998 which had a similar exemption which could only be applied by the organisation providing the reference, not the one receiving it.

The change, however, has sometimes been interpreted as the closure of a loophole allowing all organisations to withold references on a blanket basis, which it is not.

The loophole has been addressed to ensure both the employer receiving the reference and the employer providing it have equal opportunity to apply an exemption if it lawfully applies.

It is important to understand that the exemption is not an unqualified one and applies only in specific circumstances.

The ICO’s published guidance on exemptions says:

Exemptions should not routinely be relied upon or applied in a blanket fashion. You must consider each exemption on a case-by-case basis.

If an exemption does apply, sometimes you will be obliged to rely on it (for instance, if complying with GDPR would break another law), but sometimes you can choose whether or not to rely on it.

In line with the accountability principle, you should justify and document your reasons for relying on an exemption so you can demonstrate your compliance.

i..e. there is no blanket exemption to references and organisations are expected to consider other means of disclosure such as an overview or a redacted copy before withholding it and all requests must be considered on a case by case basis.

This means considering a number of factors such as who the reference is from and its contents (not just whether it is adverse or not).

Organisations need to ensure this process considers the test of ‘quality of confidence’ as well as whether the information was provided with the expectation of confidentiality.

If they cannot prove a reference was provided in confidence e.g. from a statement in or alongside the reference an organisation will be expected to contact the referee and ask for their views on disclosure (note it is their views not their consent).

Organisations should aim to ensure they have the audit trail to prove that full or limited disclosure was considered before any refusal and that they do this on a case by case basis.

The scenarios in which a reference can be completely withheld will be limited and would, most likely, include:

  1. Where the reference has been provided in confidence i.e. an employer who decides to withhold a reference under this exemption will be expected to be able to evidence that the reference has been provided in confidence and that it fits the tests of ‘necessary quality of confidence’ and containing information which has been disclosed in circumstances importing an obligation of confidence.
  2. Where the decision to withhold has been made to protect the rights and freedoms of an individual – normally the referee.

Many routine references will contain trivial information or information already known to the applicant so may fail the quality of confidence test and should be disclosed in redacted form to protect the rights of others (e.g. information which may indirectly identify a witness to a disciplinary matter).

An organisation may sometimes have a duty of confidence to an individual but never to a large company (at least in Data Protection terms as confidential information about a company may also include proprietary or commercial information which may meet the quality of confidence test).

Share on facebook
Share on twitter
Share on linkedin
Share on print
Share on email

Be in the know

You'll be the first to know about new events, information governance trends and tips to enhance the value of your data when you sign up for Fidabona emails.

Upcoming Events

2022 January

Week 5

Mon 27
Tue 28
Wed 29
Thu 30
Fri 31
Sat 1
Sun 2
Mon 3
Tue 4
Wed 5
Thu 6
Fri 7
Sat 8
Sun 9
Mon 10
Tue 11
Wed 12
Thu 13
Fri 14
Sat 15
Sun 16
Mon 17
Tue 18
Wed 19
Thu 20
Fri 21
Sat 22
Sun 23
Mon 24
Tue 25
Wed 26
Thu 27
Fri 28
Sat 29
Sun 30
Mon 31
Tue 1
Wed 2
Thu 3
Fri 4
Sat 5
Sun 6
  • No Events

  • No Events

  • No Events

  • No Events

  • No Events

  • No Events

Social media
jQuery(function($){ $(document).on('click','.elementor-location-popup a', function(event){ elementorProFrontend.modules.popup.closePopup( {}, event); }); });
@font-face { font-display: block; font-family: Roboto; src: url( format("woff2"), url( format("woff") } @font-face { font-display: fallback; font-family: Roboto; font-weight: 600; src: url( format("woff2"), url( format("woff") } @font-face { font-display: fallback; font-family: Roboto; font-weight: 700; src: url( format("woff2"), url( format("woff") } #sib-container input:-ms-input-placeholder { text-align: left; font-family: "Helvetica", sans-serif; color: #c0ccda; } #sib-container input::placeholder { text-align: left; font-family: "Helvetica", sans-serif; color: #c0ccda; } #sib-container textarea::placeholder { text-align: left; font-family: "Helvetica", sans-serif; color: #c0ccda; }
Your subscription could not be saved. Please try again.
Your subscription has been successful.


Subscribe to our newsletter and stay updated.

window.REQUIRED_CODE_ERROR_MESSAGE = 'Please choose a country code'; window.EMAIL_INVALID_MESSAGE = window.SMS_INVALID_MESSAGE = "The information provided is invalid. Please review the field format and try again."; window.REQUIRED_ERROR_MESSAGE = "This field cannot be left blank. "; window.GENERIC_INVALID_MESSAGE = "The information provided is invalid. Please review the field format and try again."; window.REQUIRED_MULTISELECT_MESSAGE = 'Please select at least 1 option'; window.translation = { common: { selectedList: '{quantity} list selected', selectedLists: '{quantity} lists selected' } }; var AUTOHIDE = Boolean(0);

We use Sendinblue as our marketing platform. By Clicking above to submit this form, you acknowledge that the information you provided will be transferred to Sendinblue for processing in accordance with their terms of use

jQuery(function($){ $(document).on('click','.elementor-location-popup a', function(event){ elementorProFrontend.modules.popup.closePopup( {}, event); }); });


We're excited you'd like to come along!

However, we need to tell you something important before you do:

How we use the personal data you provide when booking to attend an event.

In short, we ask for your name, email, the organisation you represent and phone number. For paid events we also collect billing information to process your order. We use this information to manage the event and your attendance by sending you email and SMS (if you provide a mobile number) confirmations and reminders about the event and any replays which are available. For some events we may invite you to complete optional surveys to either help us tailor the event beforehand or get feedback from you after the event is over.

The information you provide will be transferred to our Webinar platform provider where we use analytics to help measure the effectiveness of our webinars e.g. record whether you attend the event and how long you attended for. We also store your information in our CRM where it may be combined with publicly available information about you or the organisation you represent (such as that from LinkedIn or Companies House) and your communications with us. This combined picture will be used to help identify which of our services may be of interest to the organisation you represent; so, yes, we may market to you but only in your professional capacity and only in a targeted way once we know more about how our services may be of benefit to the organisation you represent. Above all, we promise to stop when you tell us to.

Please see our Website Privacy Notice for more information.

fidabona celebrates
Subscribe to get 15% discount