This is what the Information Commissioners website - "Legal Guidance" - has to say on the subject of confidential references.
"5.13 The Miscellaneous Exemptions (Schedule 7) - confidential references given by the data controller
Personal data which consist of a confidential reference given, or to be given, by the data controller for specified purposes (education, training or employment, appointment to office or provision of any service) are exempt from subject access.
This exemption is not available to the data controller who receives such references. In other words, where company A provides an employment reference concerning one of its employees to company B, if the employee makes a subject access request to company A, the reference will be exempt from the disclosure. If the employee makes the request to company B, the reference is not automatically exempt from disclosure and the usual subject access rules apply. (See Chapter 4 - Subject Access)"
What Schedule 7 actually says is as follows:
"1. Personal Data are exempt from section 7 if they consist of a reference given or to be given in confidence by the data controller for the purposes of -
(a) the education, training or employment, or prospective education, training or employment, of the data subject,
(b) the appointment, or prospective appointment, of the data subject to any office, or
(c) the provision, or prospective provision, by the data subject of any service."
This provision did not appear in the 1984 Act.
The reason for the distinction made by the Information Commissioner's Office is the use of the word "the" rather than "a" data controller in section 7 (1).
Does this mean that a data subject can obtain a confidential reference from the recipient as a matter of right?
The "legal guidance" on the Commissioner's website itself states " the usual subject access rules apply".
These subject access rules are contained in Part II of the Act, which it is worth noting is entitled " Rights of Data Subjects and others".
Section 7 (1) of the Act starts " "Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled...."
Section 7 (4) states " Where a data controller cannot comply with the request [ by the data subject for access] without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless -
(a) the other individual has consented to the disclosure of the information to the person making the request, or
(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual." The following subsection s7(5) goes on:
"In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise."
The starting point is therefore whether the Data Controller who gave the reference consents to the disclosure. If so, no problem. If the Data Controller giving the reference refuses, s7(5) seems to suggest is that all the recipient of the reference can do is excise anything relating to the identity of the person giving the reference. In many cases, however, the identity will be known and it is not the identity which is of concern, but the remainder of the reference.
The reference, it is assumed, was given under an obligation of confidence. Even if it was not expressly stated as being in confidence, if the circumstances of the communication of information are such as to make it clear that an obligation of confidence was intended the recipient will be bound - Attorney General v guardian Newspapers ( No 2) - the Spycatcher case.
If the Recipient releases the data in the reference to the Data Subject he will be "processing" it under s1 of the 1998 Act and he must do so in accordance with the Data Protection Principles. Para 1 of Schedule 1 to the Act makes it clear that any processing must be lawful - which is not limited to lawfulness under the Act. It has to be lawful under the Common law as well. The release of information imparted under an obligation of confidence without the consent of the giver of the information would appear to me to be "unlawful". This would point to a non-release of the information by the recipient of the reference if the giver refuses to consent.
Anyone come across a similar situation? Anyone been in correspondence with the Information Commissioner's office on the same?
Peter McGrath
The views expressed are the personal views of the writer and are not to be relied upon as being legal advice.
==================================================
Confidentiality Notice: The information contained in this e-mail
is for the intended recipient(s) alone. It may contain privileged
and confidential information that is exempt from disclosure under
English law and if you are not an intended recipient, you must not
copy, distribute or take any action in reliance on it. If you have
received this e-mail in error, please notify us immediately either
by using the reply facility on your e-mail system or by contacting
us at the address below. If this message is being transmitted
over the Internet, be aware that it may be intercepted by third
parties.
Cobbetts offices are at:
Ship Canal House, King Street, Manchester, M2 4WB,
England.
Telephone: +44 161 833 3333; Fax: +44 161 833 3030.
Trafalgar House, 29 Park Place, Leeds, LS1 2SP,
England.
Telephone: +44 113 246 8123; Fax +44 113 244 2863
www.cobbetts.co.uk
This firm is authorised by the Law Society to conduct investment
business.
=================================================
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|