GDPR, References and Confidential Information

The GDPR impacts on the giving of references and supplying confidential information
Employers are advised to write a clear policy on the giving of references. The ICO (Information Commissioner’s Office) has said employers should have a clear policy setting out which employees are authorised to give references and in what circumstances.

* The policy should include not providing confidential references unless the employee has provided consent, as this will involve processing personal data. It is recommended that, as part of an exit policy, information should be put on the employee’s file about whether they wish for references to be provided after they have left employment.

* Sensitive personal data: employers need to be cautious about disclosing information about an employee’s reasons for absences, for example on sick leave, or any other particularly sensitive information. The employee’s consent will be required in order to comply with the GDPR before any sensitive personal information is disclosed. Failure to do so will result in financial sanctions for breach.

* Document retention policy: documents should not be retained by employers for longer than is necessary. The limitation period for breach of contract and tort claims is six years. Employers may wish to retain documents on former employees for at least this period. Following the expiration of six years, employers may decide to delete the records of former staff. This will mean employers will be unable to respond to reference requests unless minimal information, such as the period of employment and job title details, is retained.
