In practice, the issue of data protection and references is sometimes overlooked by both employers and employees.
However from a data protection point of view, providing information about an employee in a reference would amount to processing personal data under the GDPR. As such, employers need to make sure that they have a lawful basis for processing such data.
ICO guidance recommends that employers have a clear reference policy stating in what circumstances references are given and how requests are to be handled. It suggests that such policies are brought to staff’s attention. The guidance also suggests that employers do not to provide references unless an employee consents.
In some sectors, such as in financial services, it can be a regulatory requirement to provide a reference in which case an employer will have a lawful basis for providing one.
In other cases, employers should have clear evidence of a lawful basis for responding to a reference request especially since an employment relationship may have come to an end at the time of processing. Such evidence may well already be available if, for example, the employee had previously consented to providing a reference or has done so an exit interview.
If in doubt, it is best to get the employee’s explicit consent.
At Markel Law we regularly comment on SME related matters.
Follow this link to find out more about Markel Law and how we can assist your business.
You must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual