A client asked a question today about GDPR compliance when completing a reference for an ex-employee so I thought it might be useful to clarify what you need to do:
Providing a reference will be an act of processing personal data and you will need a legal basis to do so.
Usually employers cannot rely upon consent as the legal basis for data processing but as there is no longer the imbalance of power that might mean consent cannot be freely given once an individual is no longer your employee, and as they can genuinely choose whether or not to give your details as a referee to a prospective new employer, consent can be relied upon.
The ICO recommend you have a policy on giving references but for most small businesses where just one person is likely to be the point of contact for reference requests, it is not essential.
However perhaps more importantly an ex-employer should be able to satisfy themselves that an employee is happy for them to give a reference – in other words that they have given that all important consent.
You might argue that the very fact that they have given your contact details to a prospective new employer is sufficient to satisfy this.
But if you have any doubts or concerns then you could ask an employee to confirm at exit interview or on an exit form that they are happy for you to provide a reference. Or on receiving a request you might decide that you will check with the ex-employee before providing it. This last option however seems pretty laborious for every reference request you receive and relies upon you still being able to contact the ex-employee.
Want any further guidance or an Exit Interview Form? Give us a call!