The GDPR reference exemption
New legislation. Amongst other things, the GDPR gives employees the right to access the personal data that their employer holds. The GDPR was enshrined into our domestic law by the Data Protection Act 2018(DPA) , which received Royal Assent on 23 May 2018. The previous Data Protection Act 1998 has now been repealed. However, whilst the new DPA gives the GDPR effect in the UK, it also specifies several exemptions.
Right to refuse. One of these exemptions relates to confidential employment references. This is set out in Schedule 2 which states that: “The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of the education, training or employment (or prospective education, training or employment) of the data subject” . This means that you can refuse to disclose a confidential employment reference to a data subject, regardless of whether you provided or received it.
Why the change? This provision has been included in the new DPA to correct an anomaly which existed under the old legislation. Although it contained a similar exemption, it only applied where the employee made a request to the employer that had provided the confidential employment reference; it didn’t apply to the recipient. Therefore, the individual could get around the exemption by making a subject access request to the employer that had received the reference.
Tip. If you receive a request to access a confidential employment reference that you’ve given or received, you can choose to ignore the exemption under the new DPA and disclose it anyway - if you’ve nothing to hide, there’s no problem. Also, it’s important to note that whilst this exemption exists, it does not prevent an employee asking the courts to order the disclosure of a reference during legal proceedings.