The Data Protection Bill (engaged in Parliamentary ping-pong) contains an exemption that allows confidential employment references to be kept secret in all circumstances; this exemption has not been discussed, debated or challenged.
The exemption thus raises the spectre that an employer will be able to give a confidential reference about an employee where the employee is ignorant of the reference and has no right of access to check the accuracy of the reference.
The exemption exists in a non-virulent form in the current Act at Schedule 7, paragraph 1 under the heading “Confidential references given by the data controller” (my emphasis). This states that:
“Personal data are exempt from section 7 if they consist of a reference given or to be given in confidence by the data controller for the purposes of—
(a) the education, training or employment, or prospective education, training or employment, of the data subject,
(b) the appointment, or prospective appointment, of the data subject to any office, or
(c) the provision, or prospective provision, by the data subject of any service”.
So do you agree with the following?
- the confidential reference “given by the data controller” exemption does not apply to the controller who receives the reference?
- the exemption does not exclude the fairness requirements of the First Principle, so the data subject should know the reference exists?
Now compare the above exemption with the 2018 Bill equivalent which is found under the heading “Confidential references” (where the phrase “given by the data controller” is absent). In further detail, Schedule 2, paragraph 24 of the Bill states:
The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of—
(a) the education, training or employment (or prospective education, training or employment) of the data subject,
(b) the placement (or prospective placement) of the data subject as a volunteer,
(c) the appointment (or prospective appointment) of the data subject to any office, or
(d) the provision (or prospective provision) by the data subject of any service.
For completeness, the “listed GDPR provisions” are listed in paragraph 18 of Schedule 2; the exemption therefore is from: the right to be informed in Articles 13 & 14; the right of access to personal data in Article 15; and all Principles that correspond to these two rights (e.g. the First Principle and the requirement that the processing of personal data has to be transparent).
Do you agree that, unlike the equivalent 1998 exemption, the DP Bill’s confidential reference exemption…
- now applies to the controller who receives the confidential reference as well as the giver of that reference. As the receiving controller can now argue that he has been “given a confidential reference”, the reference in the receiving controller’s hands is exempt from subject access.
- now applies to the right to be informed so the data subject can be left ignorant of the fact that a reference about him has been given or received.
- is broadened to include “volunteering”.
Under the GDPR, all exemptions have to be justified in terms of Article 23; this one is justified under the heading of “other important objectives of general public interest” where the Government has not explained what that “general public interest” is.
Additionally, the Government has drafted an exemption which is broad in scope (e.g. the exemption is not limited to cases where there is prejudice to some activity where the public interest requires protection) and has not provided a safeguard (e.g. a mechanism that allows the data subject to dispute a confidential reference).
Indeed, the only thing the Government has said about the exemption is in the DP Bill’s “Explanatory Memorandum” which explains nothing of substance. It states (paragraph 667):
“Paragraph 22 restricts the application of the listed GDPR provisions to personal data consisting of a reference given (or to be given) in confidence, for example for education or employment purposes. This replicates and extends the exemption in paragraph 1 of Schedule 7 to the 1998 Act.”
The Parliamentary record (see references) shows that this exemption was amended by Government, yet the Minister in charge failed to explain anything exceptional about this exemption. Indeed, the House of Lords permitted the Government’s change without any debate. Would there have been a debate if the Government were transparent about what was happening? You bet.
Hence my conclusion that a significant change has been made to the protection of data subjects especially in the important area of employment, without proper debate, without explanation, without reason and without safeguards.
I note this exemption has been drafted by a Government that often touts its intent to strengthen workers’ rights after Brexit. Indeed, this is the second time I have reported that the Data Protection Bill has been drafted in a way that reduces employees’ rights. Perhaps there is a pattern of behaviour here.
Article 8 and the ECHR judgment in Gaskin v UK
In addition, the exemption could very well mean that the UK is in breach of Article 8 of the European Convention on Human Rights, as the facts surrounding the use of this exemption mirror those in the case of Gaskin v UK (1989).
In Gaskin, the context was social work and the right of access, by a data subject, to the confidential comments made by third parties about him (e.g. made by health professionals etc). The Court recognised the importance of receiving objective and reliable information and that confidentiality can also be necessary for the protection of third persons, but stated there needed to be a counterbalance.
In Gaskin, the Court then stated (at paragraph 49):
The Court considers, however, that under such a system the interests of the individual seeking access to records relating to his private and family life must be secured when a contributor to the records either is not available or improperly refuses consent. Such a system is only in conformity with the principle of proportionality if it provides that an independent authority finally decides whether access has to be granted in cases where a contributor fails to answer or withholds consent. No such procedure was available to the applicant in the present case.
The Court’s objections in Gaskin are very similar to what could happen with this exemption. As in Gaskin, the content of an unfair confidential employment reference can impact on private and family life severely. Indeed, the ability to send a secret confidential reference can effectively damage an individual’s career and can have the same effect as if an employee were black-listed.
There is no independent authority to counterbalance the exemption who can decide whether or not access can be provided to confidential references. This is because the exemption is absolute and applies to both giver and recipient of the reference; it is either a confidential reference or it is not.
This is not the case under the 1998 Act as the exemption only applies to the giver of a reference and NOT the recipient and the counterbalance is the ICO.
Under the 1998 Act, the ICO’s website has a wonderful comment: “We explained that organisations are generally required to release references they have received about individuals, even if they are marked as confidential”. Not any longer.
Concluding comment
This DP Bill started life at 200 pages and will finally be around 400 pages; it is complex and impenetrable and controversial and largely unscrutinised by Parliament. Yes, there have been set pieces over Leveson, immigration or national security, but I think there has been very little attention to the detail. When you get to the detail of this small exemption, it is an understatement to state that “some unpleasantry creeps out of the wording”.
So how many exemptions will be like the confidential reference exemption do you think? Well we only find out when the DP Bill becomes an Act and the ICO is powerless to defend data subjects.
References:
Gaskin v. UK (Application no. 10454/83); 7 July 1989: https://hudoc.echr.coe.int/eng#{"dmdocnumber":["695368"],"itemid":["001-57491"]}
The other reduction in employee rights? See under the heading “Consequences of this approach for rights of access” in “How the Data Protection Bill reduces data subject rights and, in particular, workers’ rights” http://amberhawk.typepad.com/amberhawk/2018/03/how-the-data-protection-bill-reduces-data-subject-rights-and-in-particular-workers-rights.html
Many Data Protection Bill exemptions are expanded, unexplained and some permit unlawful processing. http://amberhawk.typepad.com/amberhawk/2018/02/many-data-protection-bill-exemptions-are-expanded-unexplained-and-some-permit-unlawful-processing.html
The Government modified the confidential reference exemption (amendment 87) without identifying the extensions of the exemption (See Lords Hansard, 13 November 2017, Volume 785 Committee (3rd Day) (Continued), Column 1917).
Wonderful ICO comment on confidential employment references: https://ico.org.uk/action-weve-taken/case-stories/case-story-1/