
Reference & Checks


Data Privacy Considerations when Issuing References

21st Sep, 2022

First impressions count, which is why it may be tempting to enhance a story or exaggerate at a dinner party. Yet, whilst you wouldn’t expect your host to be fact-checking everything you say, candidates should certainly expect a potential employer to be scrutinising their application in this way.

Cifas, a fraud prevention body, recently found that approximately 1 in 12 candidates have admitted to lying on their CV, predominantly about their qualifications. This is often identified as part of the vetting process. Depending on the industry or role, employers may be more interested in assessing whether a candidate is qualified for the role or has the values and characteristics they are looking for.

Employers can verify a candidate’s suitability or professional experience via a reference from another employer. In regulated industries, references are mandatory and employers should rely on the Legal Obligation lawful basis under the UK GDPR to process them. Where a reference is desired, not mandatory, the most appropriate lawful basis may be Legitimate Interests. For this, the employer would need to identify a legitimate interest to request a reference and conduct a Legitimate Interest Assessment to ensure candidates’ interests are not overridden.

Organisations should have a specific policy or approach for handling references, setting out exactly what information can be included for which roles and who is authorised to write these or make decisions based on the information received. Where intending to deviate from the policy, there should be a good reason for doing so as inconsistent references may appear more favourable to one individual, thereby discriminating against another.

Additional privacy considerations that underpin the policy include identifying a lawful basis, the purpose(s) for disclosing or collecting the additional information, and justifying the amount and range of data. For the latter, considering how the information will inform the decision should indicate the appropriate level of information to request or provide. A short, basic reference may cover details like the individual’s name, job title, salary and the dates of employment. This level of checking may be sufficient for the role. However, for more senior roles, higher paid roles or roles working with vulnerable individuals, a detailed reference may be identified as more appropriate. Detailed references can include answers to specific questions asked by the potential employer, details of the employee’s skills, experience, character, strengths and weaknesses, details of any disciplinaries, and the reason for leaving.

Confidential references exempt the organisation from certain provisions under the UK GDPR, such as providing copies of a reference or disclosing information about it. Most references are now provided in confidence. References must be true, accurate, and fair, and new employers may be liable under the Equality Act 2010 if they withdraw an offer based on a discriminatory reference. A recent case of a discriminatory reference was South Warwickshire NHS Foundation Trust v Mrs S Lee and Others.

Employers can also conduct a background check, usually a DBS (previously CRB) check. The UK GDPR gives extra protection for criminal offence data and it is unlawful to process it unless specific conditions under both the Data Protection Act (2018) and the UK GDPR are met, as well as crime and employment laws.

There are three types of DBS checks, each involving a different level of intrusion on the candidate’s privacy: basic, standard, or enhanced. Standard checks are only permitted for positions in a regulated sector, such as law, medicine or finance, and enhanced checks are only permitted for roles within those industries that work with children and vulnerable adults. If a criminal record check is a requirement of the role, this must be communicated to candidates as soon as possible, such as in the job advert.

In addition to meeting the condition(s) under the DPA, the lawful basis employers rely on to conduct either of these checks will be Legal Obligation, whereas for basic DBS checks or equivalent, they must rely on another lawful basis and be able to justify that the check is necessary. The same also applies to requesting confirmation of criminal convictions within an application form, even where the applicant states they have no criminal convictions. The absence of such data is still considered criminal offence data, and merits the same level of special protection.

Background checks on prospective employees offer employers a level of protection and assurance. The balance is tipped more favourably towards employers as there is no equivalent check for candidates to assess prospective employers, and certainly not to the extent of information that some collect. It should not be forgotten that the process is highly intrusive for the person on the receiving end of it which, if not done correctly, can be detrimental.

Advice for candidates:

  • Ensure your CV is an accurate summary of your professional experience… Or in other words, don’t lie!
  • Read the privacy information available to you and ask for clarity if needed.
  • Seek advice from ACAS or Citizens Advice if you have been subject to discrimination or an unfair dismissal following an employment reference.

Advice for employers:

  • On receipt of a reference, consider whether it could be discriminatory and take caution that any decision(s) you make based on the reference could be challenged.
  • Consider whether conducting criminal record checks is necessary and whether there is a less intrusive way of doing so.