Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Hiring the right people is critical - and your staff vetting procedures are a big part of getting it right. For many UK small businesses, providing and requesting references is a core step in that process.
But there are legal guardrails. From data protection to discrimination risks, and from what you can (and can’t) say in a reference to how long you keep recruitment records, there’s a lot to balance.
In this guide, we break down how to handle references lawfully and efficiently as part of your vetting process, so you can hire confidently and protect your business from day one.
Are Employers Required To Provide References In The UK?
In most cases, there’s no general legal duty to give a reference. However, there are important exceptions and practical considerations.
- Contractual or policy obligation: If your contracts or policies promise references, you’ll be expected to provide one.
- Regulatory requirements: Certain regulated roles (e.g. financial services) have specific reference expectations under sector rules.
- If you do provide a reference: You owe a duty to take reasonable care that the information is true, accurate and fair - and not misleading by omission.
If you’re unsure when you can refuse to provide a reference, it’s wise to get tailored advice, especially where the employment ended in dispute or there are safeguarding concerns.
What Counts As Staff Vetting And Where Do References Fit?
Staff vetting usually combines several checks to confirm a candidate’s suitability, honesty and right to work. References sit alongside:
- Right to work checks (a legal requirement)
- Identity verification and address checks
- Qualifications and professional memberships
- Employment history and gaps
- Criminal record checks where appropriate (e.g. DBS)
- Credit checks for certain roles handling money
References are typically requested after a conditional offer and can be character-based or employment-based. Decide up front which type you need for each role and keep your approach consistent to reduce bias and discrimination risks.
Legal Framework: Key Laws That Affect Employment References
When references form part of your vetting, several UK laws come into play. The main ones are:
Data Protection And Privacy
Under the UK GDPR and Data Protection Act 2018, you need a lawful basis to collect, share and retain personal data as part of recruitment. Legitimate interests is commonly relied on for reference checks, but you must balance this against the candidate’s rights and expectations. Be transparent with applicants via a clear recruitment privacy notice that explains what checks you’ll do, why, and how long you’ll keep data. Many businesses embed this in their Privacy Policy.
Equality And Discrimination
The Equality Act 2010 prohibits discrimination based on protected characteristics (for example, age, disability, race, religion, sex). Reference requests and the way you use them must avoid direct or indirect discrimination. Be careful that questions don’t elicit or rely on protected information unless strictly necessary and lawful.
Rehabilitation Of Offenders
The Rehabilitation of Offenders Act 1974 (and associated Exceptions Order) restricts when and how you can ask about spent convictions. Only roles eligible for standard or enhanced DBS checks can legitimately require broader criminal disclosures.
Defamation And Negligent Misstatement
You can be liable if you provide a reference that is false, misleading or given carelessly, and the former employee suffers loss. Stick to fact-based, evidence-backed statements and avoid speculation or opinions you can’t support.
Confidentiality And Contractual Duties
Respect confidentiality obligations owed to the ex-employee and to your business. Don’t disclose sensitive commercial information, health data or allegations that haven’t been properly substantiated - especially if an investigation is ongoing.
How To Provide References Lawfully And Safely
If you choose to provide references, a consistent process will reduce risk and save time.
1) Use A Clear Reference Policy
Decide who can give references on behalf of the business (e.g. HR only) and whether you provide only factual references (job title, dates, responsibilities) or broader performance references in certain cases. Document this in your Workplace Policy or Staff Handbook to ensure consistency.
2) Confirm Authority And Identity
Only release references when you’re satisfied the request is genuine and the recipient is who they say they are. Check the official company domain and, if needed, call the organisation to verify.
3) Stick To Verifiable Facts
Keep references factual and evidence-based. If you state performance concerns or misconduct, refer to documented appraisals, warnings or the outcome of a fair investigation. Avoid subjective commentary or unproven allegations.
4) Be Balanced And Fair
If you include negative information, set out the context and any mitigating steps taken (e.g. performance improvement plans). The duty is not just to be accurate but to avoid creating a misleading overall picture.
5) Standardise Your Template
Adopt a simple, consistent format to reduce errors and ensure you cover the essentials. A well-drafted employee reference template helps your managers respond quickly and lawfully.
6) Keep A Paper Trail
Record who requested the reference, what you sent, and when. This helps defend your position if a complaint is raised later and supports your data retention schedule.
How To Request And Check References From Candidates
On the receiving end of references, your goal is to validate key facts and spot red flags without over-collecting personal data.
Ask For The Right Referees
Specify recent line managers or supervisors who can speak to the candidate’s performance. If you’re unsure who’s suitable, it helps to clarify who can be a reference and why certain roles (like peers or friends) may be less reliable.
Be Transparent With Candidates
Let candidates know what checks you’ll do and when. This builds trust and meets UK GDPR transparency obligations. Include this in your application process and privacy information.
Use Targeted, Job-Related Questions
Ask specific, role-relevant questions (e.g. reliability, key competencies, attendance) rather than open-ended prompts that invite excessive personal data. Avoid questions that touch on protected characteristics or health unless legally necessary.
Verify, Don’t Overreach
Cross-check role titles, dates, and responsibilities against the CV. If the candidate has unusual gaps or frequent moves, explore them fairly and objectively rather than assuming misconduct.
Combine With Proportionate Vetting
References are one part of the picture. Where appropriate, add right to work, qualification verification and role-appropriate background checks - but always keep it proportionate to the risks of the role.
DBS Checks, Criminal History And Safeguarding
Criminal record checks are sensitive and tightly regulated. Only request a Basic, Standard or Enhanced DBS check where the role is legally eligible. If you’re unsure, check the eligibility guidance before asking for anything beyond a Basic check (which shows unspent convictions only).
- Don’t ask candidates to self-disclose spent convictions unless the role is exempt under the Exceptions Order.
- Handle DBS data securely, restrict access and store it separately from general HR files.
- Only keep criminal record information as long as strictly necessary and documented in your retention schedule.
For roles involving children or vulnerable adults, make safeguarding a central part of your recruitment policy and training. References should specifically confirm suitability for regulated activity where applicable.
Data Protection Essentials For References And Vetting
References inevitably involve personal data - sometimes including sensitive data. Build these privacy steps into your process.
Identify Your Lawful Basis
Legitimate interests is common for reference checks. Document your assessment (a Legitimate Interests Assessment) and ensure your interests aren’t overridden by the candidate’s rights.
Be Transparent
Provide clear privacy information at the point of collection, including the categories of checks, who you will contact, and how long you’ll keep the data. Your GDPR Package or data protection policies should cover recruitment processing in plain English.
Responding To Candidate Information Rights
Candidates can make data subject requests, including access to reference data. There are exemptions in UK GDPR for confidential references given by an employer, but not necessarily for references you receive. Be ready to handle subject access request deadlines and assess what can be disclosed safely and lawfully.
Retention And Deletion
Set clear retention periods for unsuccessful applicant records, references and vetting documents - typically months rather than years unless there’s a strong reason. For former staff, follow a documented schedule and only retain what you genuinely need. Our guide on how long to keep ex‑employee records explains common timelines and pitfalls.
Security And Access Controls
Store recruitment data securely, restrict access to those who need it and ensure third-party providers (e.g. background screening services) have appropriate data processing agreements in place.
Avoiding Discrimination And Unfairness In Reference Use
It’s easy to inadvertently disadvantage certain candidates during vetting. Build fairness in from the start.
- Consistency: Apply the same reference standards to all candidates for the same role.
- Relevance: Only ask questions that relate to the job’s genuine requirements.
- Bias checks: Train hiring managers to avoid assumptions linked to protected characteristics.
- Context: Consider mitigating factors (e.g. restructuring) when weighing a negative reference.
If you receive a concerning reference, give the candidate a chance to respond, especially where the information is ambiguous or historic. Where serious allegations arise, follow a fair, documented process - your workplace investigations approach should set out how you handle this before final decisions.
Practical Checklist: Embedding References Into Your Vetting Process
Use this step-by-step approach to keep your hiring compliant and efficient:
- Define your vetting matrix for each role (which checks and why), documenting the risk rationale.
- Update your recruitment privacy information and Privacy Policy to cover references and checks.
- Adopt a clear Reference Policy in your Staff Handbook and choose a standard reference format (factual only, or factual plus performance in defined circumstances).
- Use a consistent reference template and keep copies of all references given and received.
- Train hiring managers on lawful questioning and discrimination risks, including Rehabilitation of Offenders rules.
- If you use third-party screeners, put a compliant data processing agreement in place and check their security standards.
- Set clear retention periods for recruitment and reference data and build deletion reviews into your HR calendar.
Key Documents To Support A Compliant Vetting Process
- Employment Contract with conditional offer language and pre-employment check clauses.
- Clear recruitment and vetting policy within your Staff Handbook.
- Privacy Policy (and candidate-facing privacy notice) explaining your vetting activities.
- Standardised reference request and response templates to ensure accuracy and consistency.
- Data retention schedule for applicant and employee records (aligned with how long you’ll keep ex‑employee records).
If you don’t yet have these in place, getting them drafted properly will make your hiring smoother and significantly reduce your legal risk.
Common Pitfalls To Avoid When Giving Or Using References
- Speculation and opinion: Don’t guess or include subjective commentary without evidence.
- Inconsistency: Providing glowing references to some and bare factual references to others with similar records can appear unfair or discriminatory.
- Excessive disclosure: Avoid sharing sensitive data (health, trade secrets, union membership) unless strictly necessary and lawful.
- Over-reliance on one negative reference: Look for corroboration and give candidates a fair chance to respond.
- Ignoring data rights: Be ready to handle SARs within applicable deadlines and apply exemptions correctly.
- DBS misuse: Only request criminal checks where eligible; don’t store results longer than necessary.
Frequently Asked Questions About References In Staff Vetting
Can We Use Verbal References?
Yes, but document the call notes, date, referee identity and key points. Written references are easier to evidence if there’s a dispute, so consider confirming the main points by email.
What If The Previous Employer Won’t Provide A Reference?
Many employers adopt a “factual only” approach or decline references as policy. You can ask the candidate for alternative referees, additional documentation, or extend probation with clearer objectives. Where appropriate, you can also rely on other vetting steps (like qualifications or right to work).
Can Candidates See Their References?
They can ask for their personal data under UK GDPR. References you give are often exempt, but references you receive may be disclosable subject to exemptions and third-party rights. Have a process to handle requests fairly and lawfully.
Key Takeaways
- References are a legitimate part of staff vetting procedures, but you must follow UK GDPR, Equality Act and (where relevant) Rehabilitation of Offenders rules.
- There’s usually no general duty to provide a reference, but if you do, you must take reasonable care to ensure it’s true, fair and not misleading.
- Standardise your approach with a Reference Policy, a simple template and manager training to reduce risk and save time.
- Be transparent with candidates about checks, rely on a clear lawful basis, and set sensible retention periods for recruitment data.
- Use references alongside proportionate checks (right to work, qualifications, DBS where eligible) and avoid discriminatory or excessive questioning.
- Have core documents in place - Privacy Policy, Staff Handbook, templates and a retention schedule - so your hiring remains compliant as you scale.
If you’d like help setting up compliant vetting processes, drafting policies and templates, or handling a tricky reference request, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.


