A data subject issued a complaint to the Data Protection Commission (DPC) against their employer (data controller) regarding the processing of their personal data under the General Data Protection Regulation (GDPR). The data subject explained to the DPC that details of a confidential matter as part of a reference was given to a third party (a prospective employer). Before contacting the DPC the data subject contacted the data controller to address their concerns as they felt their personal data had been unlawfully processed; however, they did not receive a satisfactory response to their complaint.

The DPC notes that the provision of a reference about a staff member from a present/former employer, to a third party, such as a prospective employer, will generally involve the disclosure of personal data. The data subject mentioned that the data controller disclosed a confidential matter in the reference provided to the prospective employer.

As part of its examination, the DPC engaged with the data controller and shared the details of the data subject’s complaint. The data controller responded to the DPC and explained that, it is relying on consent and legitimate interest for disclosing the confidential matter.

The data controller outlined that in balancing the data subject’s rights against the interests of the third party (and those to whom it provides care) it determined that it had a duty of care to ensure that the recipient of the reference (prospective employer) received a reference which was true, accurate, fair and relevant to the role which the data subject had applied for. The data controller was satisfied that the data was processed, fairly and in a transparent manner. It further stated that due to the nature of the employment it had a duty of care not only to the people they support, the staff members, but also to prospective employers who provide support services to same category of clients.

It is important to consider whether the status of the data controller, the applicable legal or contractual obligations (or other assurances made at the time of collection) could give rise to reasonable expectations of stricter confidentiality and stricter limitations on further use. The DPC has taken into consideration whether the data controller could have achieved the same result without disclosing the confidential details to the prospective employer. The statements made in the reference were based on facts, which could be proven and were necessary to achieve the legitimate interests of and the duty of care of the data controller’s clients.

The DPC is satisfied that despite the duty of confidence, and in circumstances where the data subject nominated the data controller to provide the reference, thus consented to the sharing of the data subject’s relevant personal data to a prospective employer, the prospective employer’s legitimate interest and the wider public interest justifies the disclosure of the confidential matter.

Having examined the matter thoroughly, under section 109(5)(c) of the 2018 Act the DPC advised the data subject that the explanation put forward by the data controller in the circumstances of this complaint are reasonable and no unlawful processing had occurred. Accordingly, no further action against the data controller was considered necessary in relation to the data subject’s complaint.