If you have ever been responsible for responding to a subject access request (SAR), you will be aware of how complicated they can be to handle.
Responding to SARs is often a time-consuming and resource-intensive task, in part because of the need to consider whether any exemptions from disclosure apply.
The Data Protection Act 2018 (which supports the implementation of the GDPR) provides exemptions from disclosure under a SAR. Many of the exemptions under this new law closely mirror the previous exemptions under the Data Protection Act 1998. However, there are a few key changes. One such change relates to the disclosure of references.
Under the Data Protection Act 1998, references given by an organisation were exempt from disclosure on receipt of a SAR.
The exemption only applied to references given by the organisation. This meant that the exemption could only be used by the provider of the reference, and not a recipient.
The Data Protection Act 2018 has removed this distinction so that any reference provided in confidence is exempt from disclosure under a SAR. This means that if an organisation receives a subject access request, confidential employment references about the individual making the request, whether created by that organisation or received from a third party, will be exempt from disclosure.
Employment references should be marked as 'Strictly confidential - employment reference' to ensure that the exemption can be applied by sender and recipient.
Care must always be taken when providing references about employees to prospective employers or recruitment agencies. When giving references, you should always remember that: