
References under the GDPR

Just when you thought that you might have heard the last of anyone talking about GDPR (for a couple of weeks, at least), here we are with an update on how the GDPR impacts on the provision of references…

Lawful basis for processing

When providing a reference, it is inevitable that ‘personal data’ will be included. It is therefore necessary to have a ‘lawful basis’ for processing this data under the GDPR. The employer will have a lawful basis for processing where that processing is:

1. Necessary for the performance of a contract to which the data subject is party
2. Necessary in the legitimate interests of the employer or a third party
3. Necessary for the employer’s performance of a public task
4. Necessary for the employer to comply with their legal obligations
5. Carried out with the explicit consent of the data subject

Performance of the contract

Whilst the new employer may require a reference to be provided in order for the individual to commence work, the ‘old’ employer is not party to this contract and therefore cannot rely on this lawful basis for processing as it will not be necessary for the ‘old’ employer to provide a reference for the performance of a contract.

Legitimate interest

Nor will the reference provider have a legitimate interest in providing the reference – the reference is provided purely in the interests of the employee/new employer. Whilst it might be possible to argue that you are relying on the ‘legitimate interests’ of the new employer as the basis for processing, this is likely to be difficult if you are going beyond a basic factual reference, as it may be hard to satisfy the ‘balancing test’ which must be carried out when relying on this ground.

Public task / legal obligation

In rare cases, providing a reference may be necessary for the performance of a public task or for the employer to comply with its legal obligations, for example where the individual is employed in a regulated sector such as financial services, or works with vulnerable adults or children.


Given the above, in the majority of cases, the provider of the reference will need to rely on explicit consent of the employee in order to lawfully process the employee’s data in providing a reference.

Whilst it will normally be the case that the employee has consented to the reference being sought, the difficulty comes in determining what information the employee has consented to being included in that reference. For example: does the employee’s consent extend to the provision of absence data or details of disciplinary records? Or does it cover only the dates of employment and position held? Note that if you were to provide absence data which included any sensitive personal data, you would also need to satisfy one of the ‘conditions’ for processing this data – the most likely one in these circumstances being explicit consent.

Therefore, to ensure that you don’t fall foul of the GDPR, if you receive a reference request and intend to provide anything more than a basic factual reference, it is sensible to ensure that the employee has explicitly consented to all the data sought in that request being provided. Regardless of the form the reference request takes, and irrespective of any GDPR considerations, it is in any event often better to limit any reference to factual information only – such as dates of employment and position held – in order to avoid the risk of a claim for misrepresentation (from the new employer) or negligent misstatement (from the employee, as a result of any information provided with which the employee does not agree).

What do I do?

Given the above, if you receive a reference request, or if you are asking prospective new employees for consent to obtain references, and more than a basic factual reference is being asked for or provided, it is sensible to ask the employee to confirm that you may seek or provide the information requested. The easiest way of doing this is by asking them to sign a declaration at the bottom of the request confirming that they consent to the information in the request being provided.

However, note that our advice remains that, unless you are in a regulated sector, it is safer to provide only names, dates of employment and position held in response to any reference request. If you are in a regulated sector, then we would recommend that any additional information should be limited to the information which you are required to provide as part of that regulated reference, and nothing more.

The only exception to this would be where a reference is agreed under the terms of a settlement agreement – in that case, you could rely on the terms of the settlement as evidence of the employee’s consent to your processing the personal data contained within the agreed reference.

Please contact the employment team with your queries regarding this matter on 0113 849 4000.