Preparation and disclosure of references

Introduction

There is a reasonable expectation that senior staff will provide a reference for students and other members of staff whose careers they are in a position to influence, and they have a moral obligation – both to students and staff, and their future employers or institutions – as well as legal duty to get it right.

Giving a reference involves the disclosure of personal data in the form of facts and opinions about the data subject. As such, it must be consistent with data protection law, namely: fair, accurate and adequate in how those facts and opinions are recorded. However, data protection law does allow staff to give references on these terms lawfully and with due confidence.

In addition to standard references for employment, or for placement at another academic institution, staff may provide references for internal candidates (concerning their employment or promotion) and also external references for peers in the form of academic peer review (relating to the promotion or appointment of an academic with whom they may have or have had a close working or research relationship).

Whilst data protection law – meaning both the GDPR and the Data Protection Bill 2018 – gives data subjects a general right of access to their personal data, it also provides for various exemptions from such rights. One of these is in relation to confidential references.

However, this exemption cannot always be relied on, and is far more easily challenged when the receiving party seeks to rely on it. Therefore it is always proper practice to write references on the basis that, if the subject were to see the reference, they could not have cause for reasonable complaint. The following guidance is therefore provided on the writing of references and responses to requests from data subjects for access to them.

Writing references

2.1 When writing a reference, bear in mind that the subject of the reference may have a right to see it on request – either because it cannot be shown that it was written in confidence, or because the receiving party cannot rely on the exemption.

2.2 References should be factually correct and state within what parameters the reference is given. Where opinions about a person's suitability are disclosed, every referee should be prepared to stand by any comments made and defend or justify them on reasonable grounds. Statements should not be made which the writer is not qualified to make, or which are based on hearsay.

2.3 If asked to express an opinion on an issue about which the writer has limited knowledge, an appropriate response might be, for example, "I know of nothing that would lead me to question X's honesty". Particular care should be taken if asked to provide a reference for a student who is not known to the employee.

2.4 Where reference forms request sensitive information (or special category data, in the legal definition) – e.g. sickness, mental health problems, criminal records, philosophical or religious beliefs or sexuality – staff should not provide such data unless specifically requested to do so (in writing) by the data subject. If no such request has been made, “I am not in a position to comment regarding X's health/sickness record" would be a suitable response.

2.5 When a request is made by a potential employer or institution, but the writer is unable or unwilling to give a reference, such a refusal should be communicated with caution so as not to imply a negative reference (which itself could be held to be a denigration of character or unwarranted disclosure of personal data).

2.6 Do not submit a minimal reference inviting the recipient to telephone you for additional information. Also, please note that if a note of a verbal reference is taken, and is committed to a written or electronic record, that record may then be disclosable under data protection law.

2.7 Do not disclose any information if asked to give an unsolicited reference e.g. for a person who has not, to your knowledge, cited your name as a referee. Disclosure in the form of a reference should only be made following either confirmation of the identity of both the data subject and the employer, or on specific request of the data subject.

2.8 Keep copies of any outgoing references provided for a period of up to one year in case of possible litigation from unsuccessful applicants. If you consider there may be reasons to keep the reference for longer, for example because of some serious allegation in the content, then please consult the College’s Data Protection Officer.

Requesting a reference

3.1 If you are applying for promotion within the College or for another job outside it and you know that a reference will be required from your current advisor/tutor/supervisor departmental head, always seek permission first before citing their name on an application.

3.2 If, as a potential employer/provider of education, you are requesting a reference from an external referee you should ask them to register whether or not they are happy for the reference to be seen by the data subject should they subsequently request it from you. This will be a factor in deciding whether the reference can be disclosed and whether they can be identified as the referee. However, if permission for disclosure is not given, you should be careful not to give any reassurances in this regard, as data protection law may still require its disclosure.

3.3 Where an applicant provides a reference to the College but does not take up employment with the College, keep copies of any references received in respect of such applicant for a period of one year following the end of the year in which the reference is received. Where an applicant takes up employment with the College, any references provided in respect of the applicant should be kept in the staff file of the applicant which will be retained as per the College’s Retention Schedule.

Responding to a request for a copy of a reference

It should not be assumed that references are confidential. In most cases a data subject will have the right to request a copy of a reference submitted by the College or one of its staff from a potential employer or institution to whom it was provided.

If a reference has been written "In Confidence" and clearly states this, the College has the right to refuse this request by stating the reason for the refusal in writing, although this exemption from disclosure to the data subject cannot be relied upon in all circumstances – and the College may decide in any event it is reasonable to disclose the reference. As a consequence, you should not put into a reference and opinions about a data subject that you are not able to justify.

If you receive a request from the relevant data subject for a reference you have received about them from another organisation, you may be able to withhold this if such reference has been written ‘In Confidence’ and clearly states this. However, this exemption from disclosure to the data subject may not be possible to rely on in all circumstances – and the College may decide in any event that it is reasonable to disclose the reference (possibly, after anonymising it). If you receive such a request please contact the College’s Data Protection Officer. This emphasises the need to follow the College’s data retention policy in respect of historic references received.

The formal procedure for responding to a request to the College for a copy of a reference written or received by a member of staff is set out in the Code of Practice on "Access to Personal Data" and should be handled in the first instance by the College's Data Protection Officer.

If, however, the request is a personal one to, say, a former tutor/supervisor/manager, is limited to the reference alone (and is clearly not therefore intended as a wider request for information) and you are happy to release a copy of a reference you have already submitted to a potential employer, there are no formal procedures to go through other than making sure that you redact from the copy any reference to a third party. If you have any doubts about the redactions, please contact the College's Data Protection Officer.