Mark

I think the interpretation is quite clear:

a) If you WRITE and send off a Reference and retain a copy locally,
then that copy is exempt from Subject Access; and

b) If you RECEIVE a Reference and then retain a copy locally, then
that copy is liable to be disclosed in a Subject Access request

and the question of whether the writer of a Reference is internal or
external to an organisation is irrelevant.

The only other interpretation point to note is that I understand an
employer can argue that disclosure of a Reference whilst an employment
decision is being processed based (partly) on the content of a
Reference may prejudice the procedures; but this can only be used for
deferring disclosure rather than exempting it ?

Regards to all, Pete
Data Protection Coordinator
University of St Andrews

----- Original Message -----
From: "Mukerji, Mark" <[log in to unmask]>
To: <[log in to unmask]>
Sent: 15 May 2001 12:17
Subject: Confidential references- subject access status


> Dear All,
> Following a recent query regarding the subject access status of
confidential
> references I have reviewed relevant sections of the Act, previous
mailbase
> discussions, and other commentary upon this topic. In an attempt to
clarify the
> situation I plan to send a version of the document below, on behalf
of the
> Lancaster Data Protection Project, to the OIC and will hopefully
come back with
> some definitive answers.
>
> I know this issue has been raised before but don't think it has been
> successfully resolved. Any comments on the document below would
therefore be
> appreciated, in particular other interpretations of the Act and
additional
> suggestions (and counter-arguments) as to why the confidential
references
> exemption exists.
>
> Mark Mukerji
>
> Lancaster University Data Protection Project
> Student Registry
> University House
> Lancaster University
> Lancaster LA1 4YW
> 01524 592086
> www.lancs.ac.uk/dataprotection
>
>
>
> Confidential References and Subject Access
>
> Background
>
> Section 7 of the Data Protection Act 1998 gives data subjects a
general right
> of access to their personal data. However, Schedule 7 of the Act
provides
> various exemptions from such access rights for i) specific types of
personal
> data and ii) personal data processed for specified purposes.
> One of the types of personal data specifically exempted are
'Confidential
> References'. A confidential reference is defined in Schedule 7.1 of
the Act as:
>  a reference given or to be given in confidence by the data
controller for the
> purposes of-
>         (a) the education, training or employment, or prospective
education,
> training or employment, of the data subject,
>         (b) the appointment, or prospective appointment, of the data
subject to
> any office, or
>         (c) the provision, or prospective provision, by the data
subject of any
> service.
>
>
> The phrase 'given or to be given in confidence by the data
controller' appears
> to be relatively ambiguous and has led to the exemption being
interpreted in
> several different ways
>
>
> Interpretations
>
> Does the exemption indicate:
> 1) All confidential references (whether 'given', 'to be given',
'received from
> a third party' or 'generated internally') are exempt from subject
access?
> or
> 2) Only confidential references given (or to be given) by the data
controller
> are exempt but confidential references received by a data controller
are open
> to subject access?
>
> If point 2) is correct then a secondary question that arises is 'How
are
> confidential references that are generated internally regarded'
(E.g. a
> reference written by a Head of Department relating to the internal
promotion of
> a member of staff)?
> Does the exemption indicate:
> 2 a) the reference should be open to subject access? The reference
has been
> received by a data controller and "there is no obvious justification
for
> differentiating between confidential references received from
external third
> parties and confidential references received from within the
institution as
> regards any consideration of data subject access"- (JISC CoP).
> or
> 2 b) the reference should be exempt from subject access? The
reference has not
> passed out of the hands (control) of the institution (data
controller) and as
> such has not been given to, or received by, anyone?
>
>
> Note: Use of the words 'data controller' appears to indicate that
references
> from individuals, not acting in any capacity as a data controller,
are not
> covered by this exemption.
>
>
> Discussion
>
> In clarification of which of these differing viewpoints is/are
correct it would
> be useful for the OIC to explain why the exemption for confidential
references
> is in place.
> Current suggestions (and counter-arguments) include:
>
> Possible reasons for exemption where interpretation 1) is correct:-
>
> i) The aim of the exemption is to allow data controllers to write
candid
> references without fear of redress.
> Does this simply outweigh the rights of a data subject who feels
that a
> reference may have been written unfairly?
>
>
> Possible reasons for exemption where interpretations 2 and w.r.t.
'internal'
> references 2 a) are correct:-
> i) The exemption is solely in place to minimise any possible
'interference' or
> 'influence' by the subject prior to the confidential reference being
given?
> This would not prevent the data subject influencing subsequent
references. If
> the subject does not 'get the job' they may request access from the
recipient
> of the reference before applying for next job?
>
>
> Possible reasons for exemption where interpretations 2 and w.r.t.
'internal
> references' 2 b) are correct:-
>
> i) The exemption is solely in place to 'protect' internal staff who
are
> required by the institution to write a reference.
> Again, does this simply outweigh the rights of a data subject who
feels that a
> reference may have been written unfairly?
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>     www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> all commands go to [log in to unmask] not the list please!
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^