A fair and consistent approach should be applied to the provision of references. Not only should the references be fair and accurate in terms of their content, but the decision to provide a reference or not should be applied consistently. Any unfairness or inconsistency may lead to allegations of discrimination.
Disclosing any details about your former employees to third parties must comply with your data protection obligations.
Providing a reference is likely to involve processing personal data under data protection laws; the employer must therefore provide a legal basis for processing that data. In relation to a reference, the most likely legal basis is that the employee has consented to their data being processed. However, in the context of providing a reference, an employee or former employee is likely to have a genuine choice about whether or not to consent.
The ICO recommends that employers have a policy on giving references. It also recommends that, when an employee leaves the organisation, the employer should keep a record on file of whether or not the employee wants the employer to provide references for them.
The prospective employer will normally enclose a photocopy of the employee's signed consent to requesting a reference. This will normally be sufficient for the employer to process the personal data.
If the employer has any doubts about whether or not the employee has given consent, it should contact them to check that they consent for the reference to be provided. The employer should obtain the consent in writing if possible, or should at least make a note of the employee's verbal consent.
The employer must not provide sensitive personal data (or data coming within the 'special categories' of personal data) in a reference, for example, information about the individual's health, race or sexual orientation, without first obtaining the employee's explicit consent. To obtain their explicit consent, the employer should write to them, clearly stating why it wishes to process the data, the specific information to be processed, to whom the data will be provided and for what purpose the information will be provided. The employer should provide a means for the employee to indicate whether or not they consent to the data being processed, for example, a form to complete.