How to make sure your candidate reference check is legal, compliant and fair
Camille Hogg · August 2021 · 7 min read
The law is pretty black and white when it comes to how companies should process employee data. This is something that global organisation PricewaterhouseCoopers (PwC) found out to their detriment back in July 2019. 

In an attempt to comply with the GDPR, the organisation asked employees to sign a blanket consent form for their data to be processed. With all staff members’ consent safely immortalised in writing, the professional services firm was confident that it had done everything it needed to do to stay on the right side of the law. After all, consent is a legal basis to process data under the GDPR.

Except when it’s not. And this was the conclusion Greece’s Hellenic Data Protection Authority (HDPA) came to when they launched an investigation after an anonymous tip-off. 

With over 280,000 employees worldwide and 1,000 in Greece alone, the HDPA ruled that the massive organisation had unfairly exerted its position over individual employees, and that consent couldn’t be freely given when there was an imbalance of power. Moreover, the organisation had asked its employees to give unconditional consent to process personal data in the future without any legal basis to do so — and they’d falsely given the impression that everything was above board.

The result was that PwC was fined €150,000, and given three months to overhaul their process. But PwC wasn’t the victim in this case — rather, it was the thousands of employees who had the right to be told how their data would be used. And as we’ll find out, that’s absolutely key at all stages in the hiring process, including the candidate reference check.

In the final article in this series, we’re going to put on our legal wig for a minute, and navigate the tricky terrain of how to conduct a compliant, legally-binding reference check. We’ll explain the meaning of consent, what the GDPR says about the data you collect, and your referees’ right to decline giving a reference. 

Before we get things in full swing, we need you to know that at HiPeople, we may be a brilliant team of data and psychology experts (join us!), but we’re not a legal counsel. As such, please consult your own legal expert for any advice relating to topics discussed in this article.

Missed something? Catch up with the first three articles in this series:
- What is a candidate reference check and why should you do one?
- How to conduct a candidate reference check
- The best questions to ask when conducting an employee reference check

Do you need consent to check a candidate's references?

We’ll start with the big one: consent. Consent is described in Article 4(11) of the GDPR as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her [...]”

In short, consent means giving people genuine choice and control over how their data is used. So, do you need consent from your candidate before checking their references? The short answer is… Yes — but it’s complicated. Let’s unpack this a little further.

You need to inform candidates that you’re going to check their references

When you collect someone’s references, you’re processing their personal data — and you’re also potentially collecting referee data too. The GDPR requires you to have a legal basis to collect and process this data.

The transparency requirements of the GDPR state that people have a right to be informed about the collection and use of their personal data, including the purposes for doing so, who it will be shared with, and how long you’ll keep the data. This is known as privacy information, and must be made available to candidates.

This means that when you check a candidate’s references, you need to inform them what you’re going to do with the information you receive. You must also ask for consent in a clear and easy-to-understand way. 

Candidate consent can be given in writing or verbally, depending on the hiring processes in place. It’s also frequently given as part of the application process, and on many talent acquisition platforms and applicant tracking systems, it can be a little checkbox alongside a privacy statement. 

Informing a candidate of your intent to process their personal data in this way represents ‘affirmative action’ that the candidate knows and has approved that their data will be collected and processed.

Understanding consent is important, because it’s one of the bases for processing personal data. But consent is not always a viable legal basis for checking candidate references. Confused? Read on.

A GDPR-compliant employee reference check requires legitimate interest

There are multiple legal reasons to process personal data. Consent is one of these, and may be necessary in specific circumstances. However, consent is not usually a legal basis to process candidate data when there is an imbalance of power, such as when an employer is collecting references from a potential employee, or if the candidate fears negative repercussions by not agreeing to the request.

Employee reference checks fall under the category of employee data. Under GDPR, employee data is referenced as a ‘legitimate interest’ to process someone’s information. However, in order for your reference check to be GDPR-compliant and fall under legitimate interest, it also needs to:

- Relate to informing a contractual decision
- Meet industry compliance  
- Be in the public's interest

It’s important to remember that in order to be completely GDPR-compliant, employee reference checks must fall within reasonable privacy expectations. This means questions shouldn’t be personal, discriminatory, or otherwise irrelevant to the candidate’s performance in the workplace.

In an age where we live our lives online, this last part also extends to social media presence. Unless you’ve asked for consent to process this data, it shouldn’t be part of any background or reference checking process and is unlikely to constitute a legitimate interest.

Not all reference checks fall under legitimate interest

Just to complicate things a little further, there are a few exceptions to the legitimate interest rule. For example, in the finance and education sectors, more stringent checks are required for compliance reasons. These may range from assessing financial security to criminal record checks, depending on the role. In this case, the legal basis for checking the candidate’s references might fall under ‘legal obligation’ rather than legitimate interest.

Are referees legally required to respond to your reference check request?

The reference check process can be subject to quite a few myths when it comes to the legal stuff — so let’s debunk this one.

In general, there is absolutely no legal obligation for referees to respond to a request, or provide a reference. However, there may be a few exceptions to this rule depending on the requirements of specific sectors, or if there is a written agreement in place to do so. For example, in regulated industries such as the finance sector, references are a legal requirement.

In addition, some organisations may have policies in place that restrict who can give a reference, and the amount of detail that can be provided.

Is it legal to disqualify a candidate if they refuse or fail to provide references?

Candidates may refuse to provide references for a number of reasons, including privacy, or fear of receiving a negative review from a former colleague. They might also be worried that if their current employer is contacted, this may backfire on them later if they’re not successful.

Equally, there may be some cases where you’re unable to get the information you need from a candidate’s nominated referees — either because they’ve moved on from the previous employer, or don’t want to provide a reference for the candidate.

These scenarios might seem like a red flag to a talent acquisition team, because it can seem like a candidate or their referees have something to hide. So where do you stand legally if your candidate declines a reference check, or fails to provide adequate referees?

Generally speaking, there are many legal reasons why organisations disqualify candidates from the interview process. As long as these are not based on protected characteristics or discrimination, they are valid reasons. 

However, disqualifying a candidate who declines to provide a reference may also depend on your internal hiring policies. For example, if your hiring policy states that a reference check is mandatory for all employees, and your candidate withholds their referees, then this could be enough of a reason to disqualify them from the hiring process. 

Is it legal to disqualify a candidate with a bad reference check?

Sometimes, hiring teams may make a conditional offer to a candidate based on a satisfactory reference check. If these terms are not met, or the candidate receives a bad reference check from a former workmate, then the organisation legally has the right to withdraw the offer.

However, before rejecting a candidate based on a negative reference, you must first make sure the negative reference does not contain any details that could be considered a form of discrimination. For example, if a bad reference check highlighted a candidate’s long-term ill-health, a disability, or their sexuality, this cannot form the basis of your final hiring decision.

This is why it’s critical to make sure that your reference checking process is as structured, fair, and data-driven as possible. When you’re able to compare responses across different colleagues and peers, it helps build a more accurate picture of a candidate’s performance, skills, and character and reduces bias.

Are backdoor references a legal way of finding out about your candidate?

For the unfamiliar among us, backdoor (also known as backchannel or unofficial) references are a form of employee reference check where information about a candidate is gathered from referees and sources other than the ones they provide directly. It could involve contacting a former manager who isn’t listed as a contact for a candidate, or finding mutual contacts within their LinkedIn network to find out more about them.

Backdoor references are often used to gather broader information about a candidate. They fall under the same laws as reference checks, and as such, they are not illegal when carried out with the candidate’s full knowledge and consent that you will reach out to former colleagues in their network. But that’s not to say they are necessarily ethical. They could also undermine your relationship of trust and transparency with your candidate before they even start at your organisation.

Backdoor references are not the most accurate way to find out more about your candidate because the insight you gather may be biased or factually incorrect. Collecting these references may also put the candidate’s current job at risk.


Do candidates have a legal right to read their references?

The GDPR states that employees have a right to access information that employers or organisations hold about them — and this can include information provided during the reference check process.

However, in some countries such as the UK, data protection law means that if a reference is provided in confidence, it is exempt from this right of access. This means that if a referee provides a confidential reference, it is illegal for the organisation to disclose its contents to the candidate.

There are a couple of exceptions here. If the candidate is involved in any form of litigation with an employer, a confidential reference may be disclosed as part of the proceedings.

Conduct fully GDPR-compliant reference checks faster with HiPeople

Making sure your reference checks fall on the right side of the law can be tricky — especially when it comes to understanding consent. With HiPeople, you can carry out GDPR-compliant, fair employee reference checks that reduce the legal red tape and bias. Get in touch with one of our team members to see how it all works.