Free HR webinar on pitfalls and quick tips
HR Solutions recently presented a webinar on job references and compliance with modern data protection laws. You can watch the ‘Job References and GDPR’ webinar recording on-demand, via our webinar library.
Job references are contended with right at the start of an employee’s life in your organisation and they come back around again at the end when they leave. No one wants to stumble at the first hurdle, or fall at the last! So, here are some common pitfalls and quick fixes to help you keep in line with the new data protection laws.
‘What do these have to do with references?’, I hear you say!
When you are obtaining a reference you are going to be collecting personal data. Not only about the candidate but potentially about the referees themselves too!
Whenever you are obtaining personal data, the individual needs to be provided with certain information about how you will be looking after this. We tend to call the form that this information comes in, a ‘privacy statement’.
So, you should ensure that you have a privacy statement that is appropriate for candidates and that they are provided with this by no later than the point at which you obtain the personal data. If you display this information on a website instead of issuing it to each person, ensure you are actively directing candidates to this in some way. (Remember this is something that your employees should have too!)
Getting a reference
When you are getting a reference for a new starter, don’t ask for consent!
The GDPR requires you to have a legal basis (or a legal reason) which allows you to obtain and process personal data in the first place. There are six possible ones and only one of these is consent. However, consent cannot be used if there is an imbalance of power. An imbalance of power occurs when:
- The employer can rely on another legal basis
- The data subject may fear adverse consequences by refusing – e.g. not being offered a job!
When getting a reference, employers will always be able to rely on ‘legitimate interest’ as their legal basis. Sometimes other legal basis could be used, for example in sectors such as finance and education, there may be a ‘legal obligation’ to obtain a reference.
Plus there will always be a fear of refusing where a candidate is hoping for a job with you. Indeed there will always be an imbalance of power between an employer and their candidates (and almost always with employees too). So there is no need to use reference consent forms for new starters!
If you receive a reference about a candidate which was not given ‘in confidence’ and you find out something new about them, the you must advise the candidate.
Perhaps peculiarly, they do not need to be told exactly what was said, but they must be informed of ‘the categories of personal data concerned’ (e.g. ‘trade union membership’, ‘health’, ‘beliefs’, ‘disciplinary record’ etc). They must be told this within a reasonable period, but within 1 month of you receiving the information at the latest.
References for leavers
Here you will be needing consent. It is rare that employers would ever be able to rely on anything other than ‘consent’ when they are asked to provide a reference for a leaver. For consent to be properly valid, any forms used to demonstrate this need to ensure that they contain all the required details and meet the necessary conditions. For more information on getting this right, you can review the Information Commissioner’s Office (ICO) guide;and existing subscribers of our HR Knowledge Base can sign in and view our guidance page on Consent
Alternatively, a tip that may work for you is to consider issuing leavers with a reference as part of your leaver process. Then they are free to share this with whoever they like and you don’t have to worry about obtaining and recording consent!
If an organisation contacted you and told you that they have consent from your former employee to contact you for a reference – we would advise some caution. As discussed, they probably shouldn’t be relying on consent themselves – so their data protection might not be what it ought. So consider asking them to put your ex-employee in touch with you so you can get your own consent.
If you receive a reference form which has lots of boxes as standard, be wary – it might not be GDPR compliant.
‘Minimisation’ is 1 of the 6 key principles. It means employers should only ask for and should only provide information about a candidate which is relevant and necessary. So don’t feel obliged to complete these if you are concerned the information being asked for is irrelevant. Instead, feel free to respond how you normally would, explaining this is your Company’s standard form of response.
Exemptions – employment references given in confidence
Where an employment reference is given in confidence, the Data Protection Act 2018 creates an exemption from:
- The right to be informed (privacy information)
- The right to make a subject access request.
In short this means that in the UK, if an employment reference is given in confidence and the employee makes a subject access request, both the company who issued it and the company who received it would be exempt from having to provide a copy – which is a change from the Data Protection Act 1998!
However, the ICO say: ‘you should not routinely rely on exemptions; you should consider them on a case-by-case basis’ and ‘you should justify and document your reasons for relying on an exemption’. So if you do use this protection, it may still be wise not to routinely avoid complying with subject access requests etc.
A common myth surrounding the GDPR is that it won’t apply after Brexit because it is EU law. Where it is an EU law, the Data Protection Act 2018 is UK legislation which implements the GDPR into UK law. Plus various provisions have been made to ensure this remains enforced post-Brexit. So we will still be bound by the same rules!