Skip navigation to content

4. 'Confidential' references

4.1 Personal references

Personal references supplied for specified purposes, including education, training or employment, are exempt from subject access. Thus, the writer of a 'confidential' reference for an individual cannot be required to disclose its contents in response to a data subject access request.

The exemption from disclosure does not, however, apply to the individual or organisation that receives the reference. They can be expected to disclose a reference, particularly if it is possible to conceal the identity of the referee (e.g., by blanking out their name, address, etc).

With this in mind, staff should:

  • Always ensure the accuracy of any statements made in a reference.
  • Ensure that any opinions expressed are justifiable and defensible.
  • Not supply sensitive data, (e.g. sickness, mental health problems) unless permission to do this has been explicitly given (in writing) by the data subject. 'I am not in a position to comment regarding X's health/sickness' would be a suitable response.
  • Not disclose any information if asked to give an unsolicited reference (for a person who has not, to your knowledge, cited your name as a referee).
  • Take particular care if asked to provide a reference for a student or other individual unknown to them and make it clear that their knowledge of the person is limited.
  • Consider providing a strictly factual reference which makes no evaluative comments at all about the individual concerned.
  • File copies of references provided and keep them securely.

4.2 Requests for telephone or verbal references

It is recommended that these are not routinely given. However, they would be acceptable where the data subject has specifically requested the referee to provide a reference that is required at short notice. If notes are kept of the conversation, these will constitute personal data.

The identity of the person requesting the reference should always be confirmed prior to disclosure. As a minimum security measure it is recommended that staff ring the enquirer back.

4.3 Internal references

Where internal references are concerned, the institution could be argued to be both the originator and the recipient (see Section 4.1 above). This would apply to references written on behalf of a member of staff applying for a post in another Unit / School or a reference supplied to the Promotions Board by a head of Unit / School.

The University would probably find it hard to justify refusal to disclose where a reference directly affected a candidate's career. If a data subject were to pursue a court case against the University, the reference would then most likely become disclosable anyway under the 'legal proceedings' exemption in the Act.

Staff should therefore follow the same guidelines when writing internal references as they do for external ones.

Further information may be found in the Information Commissioner's Employment Practices Code - Supplementary Guidance (pages 40 and 41).


Data Protection Co-ordinator

IT Services
Butts Wynd Building St Andrews Fife
St Andrews
KY16 9AL
Scotland, United Kingdom

Tel: 01334 46 4010/2776