Confidential references for educational or employment purposes will involve the disclosure of personal information, often of a private nature. Requests for references which are received from reputable organizations and which request that the reference is returned to a recognised address can generally be taken at face value, where it is known that the individual who is the subject of the request has cited a member of SOAS as a referee. However, if there is any doubt as to the validity of a reference request, staff should always check with the individual concerned to determine that they are willing for information about them to be released.
References given by a data controller are exempt from data subject access requests under the Data Protection Act (see Access to Data). In practical terms, this means that SOAS is under no obligation to disclose the data contained in copies of references given by SOAS staff. However, references received by a data controller are not exempt from subject access requests. This has the following implications, which should be taken into consideration by staff who are asked to provide references:
- References received by SOAS from other individuals or organisations may have to be disclosed in response to subject access requests directed at SOAS.
- References from SOAS to other organisations may have to be disclosed by those organisations in response to subject access requests.
A reference will also contain personal data about the referee, such as the referee's name and address, and possibly confidential information about the referee or third parties. The information contained in a confidential reference need not be released if it would identify the referee, unless one of the following conditions can be satisfied:
- The referee's identity can be protected by anonymising the information.
- The referee has consented to the release of the data.
- It is reasonable in all circumstances to release the information without the referee's consent.
Guidance has been issued by the Information Commissioner on handling subject access requests for references, which emphasises that such requests should be dealt with on a case by case basis. All requests from data subjects for access to references should be referred to the Information Compliance Manager (see Data Protection Contacts).
Given the possibility that a reference may be disclosed as a result of a Data Protection Act request, referees should avoid making statements in references which cannot be supported by factual evidence.
Staff involved in recruitment and selection should be aware that information in documents such as interviewers' notes could potentially be disclosed to data subjects in response to access requests. Staff should therefore ensure that any feedback which is provided to candidates after interview is consistent with and can be supported by the documentation relating to the recruitment and selection process. Feedback should be provided in a manner which complies with SOAS's Recruitment Policy, Recruitment Procedure and Best Practice Guidelines on Feedback.
Last updated March 2012