What happens when you’re considering the Data Protection legislation and you feel like you’ve gone down the rabbit hole and landed in Wonderland?

Any future employer is going to want a reference from us setting out how long we employed the employee for and other information about their job role (even if its limited to that).  When we give that reference, we’re ‘processing’ personal data, so we need to comply with usual data protection principles in relation to that data.

In order to comply with the principle that processing of the data is lawful, fair and transparent we have to comply with the one of the regulations in Article 6(1) of the GDPR.  Let’s look at our options:

1. The data subject has given us their We don’t normally get people’s permission although there will be examples where somebody has asked you to give them a reference, such as to their mortgage provider.  The problem with consent is it can be withdrawn and clearly if the person was upset about what you had written in the reference and the response was negative, this could become problematic.
2. Processing is necessary for the performance of a contract. Is it really necessary for the employment contract to give a reference?  Can we shoehorn into this one?
3. It is necessary for compliance with a legal obligation the employer is subject to – other than in specific industries there is no legal obligation on the employer to provide a reference, it is a voluntary matter, although by custom and practice most employers do. Again, is it a stretch to rely on this?
4. It is necessary for the purposes of the legitimate interests pursued by the controller (this one is not available to public authorities). What would be the legitimate interest?  You could argue that all employers have a legitimate interest in verifying information about potential employees and that each employer cooperating with the other in society equals functioning of the system, but again that seems to be stretching things.

Processing the data without one of these lawful processing conditions is a breach of the GDPR and could lead to enforcement action (theoretically – how likely it is in reality is another matter).

This leaves me advising anybody that it would be sensible to include in your privacy notice to staff that you intend to give a reference about them to future employers when they leave, if you haven’t already covered that off, and to amend your practice around giving of references so that you obtain written consent from the individual before you issue a reference about them, to be on the safe side.

If the reference was going to include special categories of data (sensitive personal data in old money), for example health information (I’m thinking here about answering those questionnaire type references where you’re asked what somebody’s attendance has been), you would need to have explicit consent from the employee to complete that question.

You may think I am worrying about nothing but who is going to complain?  The practical reality is that a complaint of this nature is likely to come from somebody you’re in dispute with in any event.  The employee who perceives that they cannot get a new job because the quality of the reference you’re giving about them, might be looking for an avenue of readdress and somebody who is seeking to claim you’re victimising them in relation to raising a discrimination issue.