Records Management

Requests for copies of references

How to deal with requests for copies of references

Audience and purpose

This guidance is for information practitioners responsible for responding to information requests for their business areas. It tells you what to do if you receive a subject access request for references.

Background

The University receives references for staff and prospective staff in connection with job applications, and for students and prospective students in connection with applications to study.

The subjects of these references (data subjects) are entitled, under data protection legislation, to make a subject access request for copies of these references.

The University must respond to subject access requests within one month.

Step by step instructions for responding to a request

1. Confirm the identity of the applicant

Before disclosing any personal information you must be satisfied of the identity of the data subject.

You may be satisfied of the data subject's identity because of your previous interactions with them, for example if the data subject is someone you have just interviewed for a job and they are using the same email address as in their application form.

You may also be able to verify their identity from their signature or address, for example by checking whether the signature or address on the application form is the same as that given on the subject access request.

If you are unable to verify the data subject's identity, you may need to contact them for further information. For example, you could write to them and ask for a copy of their driver's licence or passport.

2. Was referee consent to release the information obtained when the reference was provided?

We recommend that when you request references you make it clear they will be disclosed if requested. Recommended wording is provided in our guidance on requesting references. 

Requesting references

If you informed the referee that the reference would be disclosed on request, skip to step 6 below for advice on replying to the request.

If you did not warn the referee that the reference would be released to the subject on request, or you said that the reference may remain confidential, you must write to the referee and consult them on disclosure. You should also contact the referee if they indicated they would like to be consulted or informed in the event of a request to see the reference. Carry on to step 3.

3. Consult the referee

You must consult the referee if you told them that the reference would remain confidential.

Use model letter 3 in the data protection model letters pack to write to the referee for their views.

If the referee consents to the disclosure of the reference, the reference should be disclosed. Please skip to step 7 below for advice on replying to the request.

Model letters pack

4. What to do if the referee does not consent to disclosure, or you cannot contact the referee

If the referee expresses reservations about the disclosure of the reference, you must consider the reasons for those reservations, and balance them against the data subject's interests.

You must also do this if you cannot contact the referee.

You should consider the following:

If a member of University staff, acting in their official capacity, wrote the reference then that reference should be disclosed, unless there are strong reasons not to do so, for example if it is likely the individual will harass the referee.

If the release of the reference would cause substantial distress or endangerment to the referee, try to anonymise it. If it cannot be anonymised, do not disclose the reference.

If the referee refuses consent to disclose the reference and that reference was supplied as a confidential reference, do not disclose the reference. If, at the time the reference was sought, the University committed to keeping the reference confidential, the University is obliged to try to honour that commitment.

The data subject may challenge our refusal to disclose third party information and it is possible that we could be ordered to disclose the reference. Therefore we cannot guarantee to referees that we will not release references.

5. Acknowledge referee's views

When you have decided whether or not to release the reference (based on the views of the referee), write to the referee acknowledging their consent/views. You can use model letters 4 or 5 for this.

Model letters pack

6. Reply to the request

Once you have decided whether or not to disclose the reference, and in what form to disclose the reference (anonymised or not), write to the data subject.

If you are disclosing the reference, write to the data subject enclosing copies of the reference (use model letter 10).

If you have anonymised the reference, or if you are not disclosing some or all of the requested references because of an exemption, write to the data subject enclosing a copy of the anonymised reference and/or the references you are able to disclose, giving an explanation (use model letter 14).

If you are not disclosing any of the requested references, explain the nature of the exemption to the data subject and return the fee (use model letter 15).

Model letters pack

7. Keep a record

You need to keep a record of your handling of the request for management purposes for five years from the date you respond to the request.

You should keep:

  • Copies of the correspondence between yourself and the data subject, and between yourself and any other parties
  • A record of your decisions and how you came to those decisions
  • Copies of the information you sent to the data subject. For example, if the information was anonymised, keep a copy of the anonymised version that was sent to the data subject.

The file should be kept for one year and then securely destroyed.