In practice, the issue of data protection and references is sometimes overlooked by both employers and employees.
However, from a data protection point of view, providing information about an employee in a reference would usually amount to processing personal data under the GDPR. The term ‘processing’ applies to a comprehensive range of activities. It includes the initial obtaining of personal information, its retention and use, access and disclosure, and final disposal. As such, employers need to make sure that they have a lawful basis for processing such data.
ICO guidance recommends that employers have a clear reference policy stating in what circumstances references are given and how requests are to be handled. It suggests that such policies are brought to staff’s attention. The guidance also suggests that, in general, employers should not provide confidential references unless an employee has consented. This guidance was written before the GDPR came into force but is still relevant.
In some industries, such as financial services, it can be a regulatory requirement to give a reference, in which case an employer will have a lawful basis for providing one.
In other cases, employers should have clear evidence of a lawful basis for responding to a reference request, especially since the employment relationship may have come to an end at the time of processing. Such evidence may well already be available if, for example, the employee had previously consented to a reference being provided or has done so at an exit interview.
If in doubt, it is best to get the employee’s explicit consent.