I have taken advice from the Data Protection Commissioner's Senior
Compliance Manager re references - he told me:-
'In the hands of the referee references are exempt from the subject
access provisions of the Act. However, when received from a third party
the exemption does not apply. Of course, in many cases a reference will
identify other data subjects, particularly if the reference has been
written by an individual rather than an organisation. In those
circumstances the data controller should first of all seek permission of
the third party. If permission to disclose the information of the data
subject is withheld, then in most cases the data controller should
remove that part of the reference which identifies the third party. In
some rare circumstances the Act envisages that it will be proper to
disclose the third party information even without consent. (See also
Section 7 of the Act.)
Clearly in many cases an individual will be able to guess the identity
of the referee from the reference itself. While this may be the case, a
data controller is only entitled to remove that information which
actually identifies the referee. It will be very rare that a controller
will be justified in withholding the whole of a reference in response to
a subject access request.'
Hope this helps. I'm trying to clarify the position when a reference is
provided on behalf of an institution to the same institution!
Nadine Cleaver
DP Co-ordinator
University of York
Lucinda Bennett wrote:
>
> Colleagues
>
> I wonder if anyone could enlighten me with regards to the
> thorny issue of confidential references. My understanding
> is that if a conf ref is given for specified purposes then
> the giver is not obliged to disclose it to the data subject
> under a subject access request, but that the data subject
> may be able to obtain a copy from the recipient. However,
> in discussions with a solicitor recently, his interpretation
> was different: that a confidential reference given for
> specified purposes will remain confidential even if the
> data subject approaches the recipient for a copy.
>
> I have checked out the DPO booklet and it concurs with the
> former view set out above, as do a number of other
> documents, as does this mailbase group. However, I
> have looked at the Act itself and the wording is somewhat
> ambiguous and, having thought about the matter in the light
> of the solicitor's comments, it could be argued that the
> latter point above may be correct. The Act itself states
> as follows:-
>
> 1. Personal data are exempt from section 7 if they consist
> of a reference given or to be given in confidence by the
> data controller for the purposes of-
>
> (a) the education, training or employment, or prospective
> education, training or employment, of the data subject,
>
> (b) the appointment, or prospective appointment, of the
> data subject to any office, or
>
> (c) the provision, or prospective provision, by the data
> subject of any service.
>
> Could it be argued that once the confidential reference was
> in the hands of the recipient, the reference was given in
> confidence and is therefore exempt from disclosure?
>
> ----------------------
> Lucinda Bennett
> Administrative Officer
> Registry, Room 159
> University of Exeter Tel: 01392 263355
> Northcote House Fax: 01392 263108