The two principal aims of a reference are to provide facts and opinions as to a candidate's suitability. The provision and receipt of references therefore necessarily involves not only data protection but also legal implications. Detailed guidance on these is available in the University's Guidance Note on References.
References given by the University, including references written by employees in their formal capacity or as part of a standard procedure (e.g. as Head of Department, as part of a promotions exercise), are exempt from subject access requests where those references relate to:
• Education, training or employment of the data subject
• Appointment of the data subject to any office
• Provision by the data subject of any service
The University has the absolute discretion to refuse to release references written on its behalf if requested to do so in, or as part of, a subject access request. However, the fact that the exemption is discretionary means that the University may still choose to provide references written on its behalf under a subject access request.
19.2.1 References received by the University are not exempt from the right of access, but consideration must be given to the data privacy rights of the referee. Information contained in, or about, a reference need not be provided in response to a subject access request if the release of this information would identify an individual referee unless:
• The identity of the referee can be protected by anonymising the information
• This referee has given his/her consent, or
• It is reasonable in all the circumstances to release the information without consent
19.2.2 In considering whether it is reasonable in all the circumstances to comply with a request, the ICO suggests that account should be taken of factors such as:
• Whether the referee was given express assurances of confidentiality
• Any relevant reasons the referee gives for withholding consent
• The potential or actual effect of the reference on the individual
• The fact that a reference must be truthful and accurate and that without access to it the individual is not in a position to challenge its accuracy
• That good employment practice suggests that an employee should have already been advised of any weaknesses; and
• Any risk to the referee
In cases where a reference discloses the identity of an organisation, but not an identifiable individual, as referee, disclosure will not breach data privacy rights.
There may be circumstances where a reference is written on behalf of a data subject by an individual in one department of the University, to be used by an individual in the same or another department of the University. It should be noted that the ICO considers internal references to be 'management data' rather than references and that therefore disclosure may be required.
Where an individual refuses to consent to disclosure of a disability in a reference, the referee must decide if they can write a reference under those circumstances, reflecting their duty of care to both the individual and the person or organisation requesting the reference. If a referee feels that they cannot meet their duty of care to either party under those circumstances, they should inform the individual that they will be unable to write a complete reference without referring to the disability, and that this would not be in the best interests of either the individual, the person or organisation requesting the reference, or the University which is providing the reference. If consent is still unforthcoming, no reference should be written.