What processing condition can an employer rely upon under the GDPR when providing a reference?
Published on: 07/05/2019
Issues Covered: Probation
Article Authors The main content of this article was provided by the following authors.
Johanna Cunningham

As a starting point, it is necessary to consider what specific personal data will be supplied as part of the reference. For example, if information on the employee’s absence levels is included in a reference and that information comprises information regarding the employee’s health, this will constitute special category data under Article 9(1) of the GDPR.

When processing personal data, the employer will have to ensure that it satisfies a lawful condition for processing as set out under Article 6(1) of the GDPR. If the employer is processing health data as part of the reference, it will also have to satisfy an additional processing condition under Article 9(1) of the GDPR.

Traditionally, consent (including explicit consent) was the processing condition most widely relied upon by employers. However, following the ICO’s guidance, which states that consent will rarely be appropriate in the employment context due to the imbalance of power in the employee/employer relationship, consent is no longer recommended.

Therefore, the legitimate interests condition under Article 9(1)(f) is perhaps most likely to apply. Legitimate interests can be relied upon when an employer is processing an employee’s data in ways that the employee would reasonably expect and that have minimal privacy impact, or where there is a compelling justification for the processing.

In order to rely on legitimate interests, an employer must:

  1. Identify a legitimate interest (e.g. enabling an employee to comply with their new employer’s recruitment requirements);
  2. Show that processing is necessary to achieve it; and
  3. Balance it against the employee’s interests, rights and freedoms.

As mentioned above, if the reference contains health data which constitutes ‘sensitive’ personal information, the employer will need to satisfy an additional condition for processing under Article 9 of the GDPR. The most applicable is likely to be Article 9(2)(b), namely that the data is processed in accordance with the employer’s obligations and rights under employment law.

Employers must ensure that all employees have received a copy of their privacy notice which will detail how and why their personal data is processed.

Disclaimer The information in this article is provided as part of Legal Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article. This article is correct at 07/05/2019