Employment References and GDPR: A UK Employer Guide

Employment references sit at the intersection of HR practice and data protection law. Every time an employer gives, requests, or stores a reference, personal data is being processed. Since the UK GDPR came into effect alongside the Data Protection Act 2018, employers need to understand exactly how these rules apply to reference handling. Getting it wrong can lead to ICO enforcement action, compensation claims, or simply a loss of trust from candidates and employees.

This guide covers the key data protection considerations for UK employers dealing with employment references, with specific reference to the legislation and ICO guidance that applies.

References Are Personal Data

An employment reference almost always constitutes personal data under Article 4(1) of the UK GDPR. Personal data means any information relating to an identified or identifiable natural person. A reference typically contains the individual's name, job title, dates of employment, and often subjective opinions about their performance or character. All of this is personal data.

Importantly, the ICO has confirmed that both factual information and opinions expressed about an individual in a reference count as that individual's personal data. This means that a manager's view that an employee "performed well under pressure" or "had occasional issues with timekeeping" is the subject's personal data, not merely the referee's private opinion.

It is also worth noting that the reference may contain personal data about the referee themselves, such as their name, job title, and contact details. This means that multiple individuals' data protection rights can be engaged by a single reference.

"If information in a reference is about an identifiable individual, it is their personal data, regardless of whether it is fact or opinion." — ICO guidance on employment references

Giving References: What Employers Need to Know

Lawful Basis for Providing a Reference

When an employer provides a reference, they are processing personal data and need a lawful basis under Article 6(1) of the UK GDPR. In most cases, the appropriate lawful basis is legitimate interests under Article 6(1)(f). The employer has a legitimate interest in supporting the smooth functioning of the labour market, and the former employee has an interest in being able to secure new employment. A balancing test should still be carried out, but for standard factual references, legitimate interests will normally apply.

Consent under Article 6(1)(a) is sometimes cited but is generally not the best basis. The ICO has noted that consent must be freely given, and in the employment context, the power imbalance between employer and employee can make genuine consent difficult to establish. Relying on consent also gives the individual the right to withdraw it at any point, which could create practical difficulties mid-process.

No Obligation to Provide a Reference

There is no general legal obligation for an employer to provide a reference in the UK. The main exceptions are in regulated sectors: the Financial Conduct Authority (FCA) requires regulated firms to provide references for certain roles under the Senior Managers and Certification Regime (SM&CR), and similar obligations exist in some other regulated industries.

For most employers, providing references is discretionary. However, if you do choose to provide one, the accuracy principle under Article 5(1)(d) of the UK GDPR requires that the personal data you include is accurate and, where necessary, kept up to date. Providing a reference that contains inaccurate information could expose you to claims under both data protection law and the common law of negligent misstatement, as established in Spring v Guardian Assurance plc [1995] 2 AC 296.

Relevance and Proportionality

When drafting a reference, employers should only include information that is relevant to the purpose and proportionate to the role in question. Sharing detailed medical history, protected characteristics, or unsubstantiated allegations goes beyond what is necessary. Ask yourself: would the individual reasonably expect this information to be shared with a prospective employer? If the answer is no, leave it out.

Requesting References: The Data Protection Angle

When you request a reference about a candidate, you become a data controller for the personal data you receive. Under Articles 13 and 14 of the UK GDPR, you must inform the candidate about how you will process their data, including the fact that you intend to seek references.

Privacy Notices and Transparency

Your recruitment privacy notice should clearly state that you will seek references as part of the hiring process. Be specific about when you will do so (for example, post-offer only) and who you will contact. If you plan to approach referees the candidate has not named, this should be disclosed. The transparency principle under Article 5(1)(a) of the UK GDPR requires that individuals are informed about processing in a clear and accessible way.

Lawful Basis for Requesting References

The lawful basis for requesting references will typically be legitimate interests under Article 6(1)(f). The employer has a legitimate interest in verifying a candidate's employment history and suitability before making a hiring decision. Again, consent is possible but not ideal for the same reasons discussed above: the power imbalance in recruitment means consent may not be freely given.

Where references are a regulatory requirement (such as under FCA rules), the lawful basis may instead be legal obligation under Article 6(1)(c), or public interest under Article 6(1)(e) for public sector employers carrying out their official functions.

Storing and Retaining References

The storage limitation principle under Article 5(1)(e) of the UK GDPR requires that personal data is kept for no longer than necessary. For references, this means having a clear retention policy that distinguishes between successful and unsuccessful candidates.

Retention Periods

  • Unsuccessful candidates: The ICO recommends retaining recruitment records for a maximum of six months after the end of the recruitment exercise. This allows time for any discrimination claims under the Equality Act 2010, where the time limit for bringing a claim to an employment tribunal is three months (extendable in certain circumstances).
  • Successful candidates: References for hired employees can be retained for the duration of employment plus a reasonable period afterwards. What counts as "reasonable" depends on the nature of the role, but six to twelve months post-employment is a common approach.
  • Regulated sectors: FCA-regulated firms must retain SM&CR references for a minimum of six years, overriding the general guidance.

Security Measures

Article 5(1)(f) of the UK GDPR requires that personal data is processed with appropriate security. References should be stored in systems with appropriate access controls, so that only HR personnel and relevant hiring managers can view them. Storing references in unsecured shared drives, printing them and leaving them on desks, or forwarding them by unencrypted email all create unnecessary data protection risk.

Document your retention policy in your Record of Processing Activities (ROPA) under Article 30 of the UK GDPR, and make sure it is actually followed in practice. A policy that exists on paper but is not implemented offers no protection.

Subject Access Requests and References

This is one of the most misunderstood areas of reference data protection. Under Article 15 of the UK GDPR, individuals have the right to access their personal data. This right extends to references, but the rules differ depending on whether you gave or received the reference.

References You Receive

If you have received a reference about a candidate or employee, that reference is subject to their right of access. If the individual makes a Subject Access Request (SAR), you must consider disclosing the reference to them. Many employers wrongly believe that all references are exempt from SARs. This is not the case.

References You Give

The exemption is narrower and more specific than many employers realise. Schedule 2, Part 4, paragraph 24 of the Data Protection Act 2018 provides that confidential references given by an employer are exempt from the right of subject access. This means that if you write a confidential reference and the subject asks you (as the author) for a copy, you can decline to provide it under this exemption.

However, the exemption only applies to the organisation that gave the reference. Once a reference has been received by another employer, it is no longer protected by this exemption. The receiving organisation must treat it as the individual's personal data and consider disclosure if a SAR is made.

In practice, this means a candidate can submit a SAR to the organisation that received their reference and is likely to see it, even if the original author could have refused to disclose it.

Practical Considerations for SARs

When responding to a SAR that includes reference data, you should consider whether disclosing the reference could identify the referee and, if so, whether that identification could cause them serious harm or distress. Under Section 45(4) of the Data Protection Act 2018, you are not obliged to disclose personal data if doing so would involve disclosing information about another individual who can be identified from it, unless that individual has consented or it is reasonable to comply without consent.

In many cases, the referee's identity will already be known to the subject (they often nominated the referee themselves). Where this is the case, redaction is less likely to be necessary. Where the referee's identity is not known, or where disclosure could lead to adverse consequences for the referee, you may redact identifying details while still disclosing the substance of the reference.

Data Minimisation and References

The data minimisation principle under Article 5(1)(c) of the UK GDPR requires that personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. This principle has direct implications for both what you ask for in a reference request and what you include when providing one.

What Information Do You Actually Need?

For the vast majority of roles, a factual reference covering dates of employment, job title, and reason for leaving is sufficient. Many employers reflexively ask for detailed character assessments, sickness absence records, and disciplinary history without considering whether this information is genuinely necessary for the hiring decision.

  • Standard roles: Factual confirmation of employment dates, job title, and whether the individual is eligible for re-hire is typically proportionate.
  • Regulated roles (e.g., FCA SM&CR): More detailed references covering conduct, capability, and fitness and propriety are required by regulation and are therefore justified.
  • Safeguarding roles: Roles involving children or vulnerable adults may justify more detailed enquiries, including asking about any disciplinary action related to safeguarding concerns.
  • Sickness absence: Requesting sickness absence data is problematic because it may reveal information about disability or health conditions, which constitutes special category data under Article 9. Avoid requesting this unless there is a specific, documented justification.

Before sending a reference request, review your template and remove any questions that are not genuinely necessary for the specific role you are recruiting for. A one-size-fits-all approach to reference requests is difficult to reconcile with the data minimisation principle.

Practical Steps for GDPR-Compliant Reference Handling

Bringing all of this together, here are the concrete steps every UK employer should take to ensure their reference handling complies with data protection law:

  1. Update your privacy notice. Include a clear statement that you process personal data as part of giving and receiving employment references. State the lawful basis you rely on and who the data may be shared with.
  2. Document your lawful basis. Record in your ROPA the lawful basis for providing references (typically legitimate interests) and for requesting them. If you rely on legitimate interests, complete and document a Legitimate Interest Assessment (LIA).
  3. Tailor your reference requests. Only request information that is proportionate to the specific role. Use different reference templates for standard, regulated, and safeguarding roles rather than a single comprehensive form.
  4. Implement access controls. Store references in HR systems with role-based access. Limit who can view reference data to those with a genuine need: typically the hiring manager and HR.
  5. Set and enforce retention schedules. Delete references for unsuccessful candidates within six months of the recruitment exercise concluding. Retain references for successful candidates only for the duration of employment plus a defined period.
  6. Prepare for Subject Access Requests. Have a documented process for handling SARs that include reference data. Train HR staff to understand the distinction between references given (exempt) and references received (not exempt).
  7. Train your people. Make sure HR staff and hiring managers understand their data protection obligations when handling references. This includes knowing what to include (and exclude) in a reference, how to store reference data securely, and how to respond to SARs.

How Digital References Support Data Minimisation

The traditional reference process involves repeated data transfers. Every time a candidate moves jobs, their former employer shares personal data with a new organisation. This creates multiple copies of reference data held across different employers' systems, each with their own retention policies and security standards. From a data protection perspective, this multiplication of personal data is difficult to reconcile with the minimisation principle.

Digital reference platforms like RefPassport support data minimisation by design. A reference is created once and carried by the candidate, reducing the need for repeated data transfers between employers. The verifying party confirms authenticity through cryptographic verification without needing to contact the issuing organisation or process additional personal data.

This approach aligns with several UK GDPR principles simultaneously. Data minimisation is served because fewer copies of the data exist and less information needs to be transferred. Purpose limitation is supported because the reference is structured to contain only what is relevant. Storage limitation is easier to manage because the candidate controls their own reference rather than relying on multiple former employers to delete data on schedule. And the integrity and confidentiality principle benefits from cryptographic verification, which provides stronger assurance of authenticity than a phone call or email exchange.

Key Takeaways

  • Employment references are personal data under UK GDPR, including opinions and factual details alike.
  • Legitimate interests is the most practical lawful basis for giving and receiving references in most cases.
  • The confidential reference exemption from SARs only protects the organisation that wrote the reference, not the one that received it.
  • Retention periods should distinguish between successful and unsuccessful candidates, with six months being the ICO's recommended maximum for recruitment records.
  • Data minimisation requires tailoring reference requests to the role rather than using a blanket template.
  • Document everything: your lawful basis, your retention policy, your LIA, and your SAR procedures.

Getting reference handling right is not just about avoiding regulatory risk. It reflects well on your organisation, builds trust with candidates and former employees, and demonstrates that you take data protection seriously as part of good HR practice.
