Dear All,
Following a recent query regarding the subject access status of confidential
references I have reviewed relevant sections of the Act, previous mailbase
discussions, and other commentary upon this topic. In an attempt to clarify the
situation I plan to send a version of the document below, on behalf of the
Lancaster Data Protection Project, to the OIC and will hopefully come back with
some definitive answers.
I know this issue has been raised before but don't think it has been
successfully resolved. Any comments on the document below would therefore be
appreciated, in particular other interpretations of the Act and additional
suggestions (and counter-arguments) as to why the confidential references
exemption exists.
Mark Mukerji
Lancaster University Data Protection Project
Student Registry
University House
Lancaster University
Lancaster LA1 4YW
01524 592086
www.lancs.ac.uk/dataprotection
Confidential References and Subject Access
Background
Section 7 of the Data Protection Act 1998 gives data subjects a general right
of access to their personal data. However, Schedule 7 of the Act provides
various exemptions from such access rights for i) specific types of personal
data and ii) personal data processed for specified purposes.
One of the types of personal data specifically exempted is 'Confidential
References'. A confidential reference is defined in Schedule 7.1 of the Act as:
a reference given or to be given in confidence by the data controller for the
purposes of-
(a) the education, training or employment, or prospective education,
training or employment, of the data subject,
(b) the appointment, or prospective appointment, of the data subject to
any office, or
(c) the provision, or prospective provision, by the data subject of any
service.
The phrase 'given or to be given in confidence by the data controller' appears
to be relatively ambiguous and has led to the exemption being interpreted in
several different ways.
Interpretations
Does the exemption indicate:
1) All confidential references (whether 'given', 'to be given', 'received from
a third party' or 'generated internally') are exempt from subject access?
or
2) Only confidential references given (or to be given) by the data controller
are exempt but confidential references received by a data controller are open
to subject access?
If point 2) is correct then a secondary question that arises is 'How are
confidential references that are generated internally regarded' (E.g. a
reference written by a Head of Department relating to the internal promotion of
a member of staff)?
Does the exemption indicate:
2 a) the reference should be open to subject access? The reference has been
received by a data controller and "there is no obvious justification for
differentiating between confidential references received from external third
parties and confidential references received from within the institution as
regards any consideration of data subject access"- (JISC CoP).
or
2 b) the reference should be exempt from subject access? The reference has not
passed out of the hands (control) of the institution (data controller) and as
such has not been given to, or received by, anyone?
Note: Use of the words 'data controller' appears to indicate that references
from individuals, not acting in any capacity as a data controller, are not
covered by this exemption.
Discussion
In clarification of which of these differing viewpoints is/are correct it would
be useful for the OIC to explain why the exemption for confidential references
is in place.
Current suggestions (and counter-arguments) include:
Possible reasons for exemption where interpretation 1) is correct:-
i) The aim of the exemption is to allow data controllers to write candid
references without fear of redress.
Does this simply outweigh the rights of a data subject who feels that a
reference may have been written unfairly?
Possible reasons for exemption where interpretations 2 and w.r.t. 'internal'
references 2 a) are correct:-
i) The exemption is solely in place to minimise any possible 'interference' or
'influence' by the subject prior to the confidential reference being given?
This would not prevent the data subject influencing subsequent references. If
the subject does not 'get the job' they may request access from the recipient
of the reference before applying for the next job?
Possible reasons for exemption where interpretations 2 and w.r.t. 'internal
references' 2 b) are correct:-
i) The exemption is solely in place to 'protect' internal staff who are
required by the institution to write a reference.
Again, does this simply outweigh the rights of a data subject who feels that a
reference may have been written unfairly?