Data protection issues for references
The main data protection issues that you should consider when writing a reference are described in the sections below:
- Access rights to references
- Disclosing sensitive data in references
- Transferring personal data outside the EEA in references
Under the Data Protection Act there are different rights of access to references for the author and the subject. The writer of a reference has no legal obligation to disclose the contents of a reference if the subject makes a subject access request. However, the recipient of the reference may disclose it, even if the reference was given in confidence. For this reason, it is best to assume that any reference you write will be accessible by the subject and, therefore, not to write anything that you would not be happy for the subject to see. Where practicable you should show the reference you write to the subject before you send it. It is also good practice to check the reference with another colleague who has had dealings with the subject.
These issues are described in more detail in the sections below:
- Confidential references provided by the University
- Confidential references received by the University
- Internal references
- Student application forms and references
Confidential references given by the University for staff or students, which includes references on its behalf written by staff either in their formal capacity or as part of a standard procedure, are exempt from subject access requests where the references relate to:
- education, training or employment of the data subject
- appointment of the data subject to any office
- provision by the data subject of any service
This means that the University has absolute discretion to refuse to release confidential references written on its behalf if requested to do so in a subject access request or as part of a request. However, this does not mean that the University cannot release all or part of a confidential reference. In fact, advice from the Information Commissioner indicates that openness on the part of the originator of the reference would be the best practice and the University Records Management Policy states that "except where there is good reason not to, our information is essentially open."
Once the reference has been received by another organisation or individual, it ceases to be exempt from data subject access and, consequently, could be accessed by the data subject through the receiving organisation. Since confidential references might therefore be disclosed to the data subject in certain circumstances, staff who are writing references should be aware of the acceptable form and content of references as described in the section Guidelines for writing references. A checklist of the key points is given in Checklist for writing references.
Guidance for academic staff on writing references for students is given in the publication Writing References for Students - A Guide for Academic Staff which is available on loan from the Centre for Staff Training and Development (CSTD).
Confidential references received by the University are not exempt from subject access requests. However, in deciding whether to disclose information, it is necessary also to consider the data privacy rights of the referee. Information contained in or about a confidential reference need not be provided if the release of the information would identify an individual referee unless:
- the referee has given his or her consent
- the identity of the referee can be protected by anonymising the information
- it is reasonable in all the circumstances to release the information without consent
In considering whether it is reasonable in all the circumstances to comply with a request, the Information Commissioner suggests that the University, as data controller, should take account of factors such as:
- whether the referee was given express assurances of confidentiality
- any relevant reasons the referee gives for withholding consent
- the potential or actual effect of the reference on the individual
- the fact that a reference must be truthful and accurate and that without access to it the individual is not in a position to challenge its accuracy
- that good employment practice suggests that an employee should have already been advised of any weaknesses
- any risk to the referee
The University cannot refuse to disclose information from a confidential reference without giving a reason.
If disclosure of a reference would identify only the organisation that had given the reference rather than a specific individual, disclosure would not be a problem.
If a subject access request is received for information contained in a confidential reference that has been sent or received internally, it will be treated in the same way as a reference from an external referee. Internal references are not exempt from subject access. In fact, the Information Commissioner has recommended that universities should treat such internal references as "management data" rather than references and, as such, be prepared to disclose information from the reference in the event of a subject access request.
The application forms that students fill in to apply for a place at the University are personal data and, as such, can be shown to the student in a fairly informal way. However, there will be references associated with the application, and these should not be disclosed without a formal subject access request.
Student application forms must not be shown to anyone other than the student without the student's explicit consent. This includes parents, spouses, and sponsors.
Sometimes, you will feel it is necessary to mention an individual's sensitive personal data in a reference. For example, if a student has been given extra time in examinations because of dyslexia but is applying for a job where writing quickly and under pressure is one of the main requirements, you might want to mention this. You should always obtain explicit consent from the data subject before such sensitive personal data is disclosed. Please seek advice from the IMPS office when dealing with such cases.
There is no compulsion to disclose sensitive personal data in a reference. You must use your judgement as to whether the information is relevant, and therefore whether it is fair to disclose it. Again, you should contact the IMPS office if you need advice.
If a reference contains sensitive information you should mark it as Confidential, though this will not guarantee that it will not be disclosed in the event of a subject access request. Also, it is good practice always to mark references as Confidential in case they contain sensitive personal data.
You need to be careful not to inadvertently disclose sensitive personal data in a reference. For example, employers often ask for details of sickness absence and you might be tempted to explain the subject's absence record by making reference to a disability or illness. It is possible that the subject has not mentioned this to the prospective employer. In such circumstances it is particularly important that you follow the general advice of discussing the contents of the reference with the subject if possible. You must always have the explicit consent of the subject before disclosing any sensitive personal data. If consent cannot be obtained you should refuse to provide the information unless it is material.
If a student requests a reference be written and sent to a non-EEA country, the request itself will indicate their consent to the transfer of personal data outside the EEA.