News Article

The GDPR Reference Exemption

Under the GDPR, employees have rights to access personal data. However, the new Data Protection Act 2018 (DPA) carves out a specific exemption for references. What do you need to know?


The GDPR gives employees the right to access the personal data that their employer holds. The GDPR was enshrined into our domestic law by the Data Protection Act 2018 (DPA), which received Royal Assent on 23 May 2018. The previous Data Protection Act 1998 has now been repealed. However, whilst the new DPA gives the GDPR effect in the UK, it also specifies several exemptions.

Right to refuse. 

One of these exemptions relates to confidential employment references. This is set out in Schedule 2, which states that: “The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of the education, training or employment (or prospective education, training or employment) of the data subject”. This means that you can refuse to disclose a confidential employment reference to a data subject, regardless of whether you provided or received it.

Why the change? 

This provision has been included in the new DPA to correct an anomaly which existed under the old legislation. Although it contained a similar exemption, it only applied where the employee made a request to the employer that had provided the confidential employment reference; it didn’t apply to the recipient. Therefore, the individual could get around the exemption by making a subject access request to the employer that had received the reference. 

For any further advice or information please contact the team here at SFB Consulting. Our offices are based in Bishop’s Stortford and London, but we offer our services and consultancy UK wide. 

T:01279 874 676 

E:info@sfb-consulting.com