Reference Requests: What UK Employers Can Ask And How To Respond

Reference requests can feel deceptively simple.

On the surface, it’s just another employer asking you to confirm dates and job titles. But for small businesses, a reference request is also a legal and reputational moment: you’re handling personal data, giving statements that could be relied on, and potentially influencing someone’s next job.

The good news is that you don’t need to overthink it - you just need a consistent, lawful process and a clear idea of what you can say (and what you probably shouldn’t).

This guide breaks down what UK employers can ask for in a reference request, how to respond safely, and how to set your business up with a process you can follow every time.

What Is A Reference Request (And Why It Matters For Your Business)?

A reference request is when a prospective employer (or sometimes a landlord, insurer, regulator, or agency) contacts you to ask about a current or former worker.

Usually, they want to verify:

• employment dates
• job title and duties
• salary (sometimes)
• reason for leaving
• attendance or conduct issues (sometimes)
• whether you’d re-employ the person

Even though references are common, they can carry real risk for small businesses because:

• They involve personal data (so UK GDPR and the Data Protection Act 2018 may apply).
• They may be relied on by the recipient, so inaccurate statements can cause disputes.
• They can trigger discrimination concerns (for example, if you include health or protected-characteristic information unnecessarily).
• They affect your reputation - your “standard reference” approach is part of your employer brand.

In other words: a reference request isn’t just admin. It’s a process worth getting right from day one.

What UK Employers Can Ask For In A Reference Request

There’s no single “reference law” in the UK that sets out a mandatory list of what can be asked. In practice, reference requests tend to fall into two buckets:

• Verification references (basic factual checks)
• Character/performance references (subjective information about performance, conduct, suitability)

Here are the most common topics that are typically asked for - and how to think about them as the responding employer.

Employment Dates, Job Title And Basic Duties

This is the “safe core” of most references and often the easiest to provide.

In many businesses, a factual reference includes:

• start date and end date
• job title(s)
• full-time/part-time status
• a brief description of role (optional)

Salary, Bonus Or Benefits

Some employers ask for salary confirmation, especially where the new role includes regulated pay bands or where the employee has quoted a salary figure.

You can provide salary information, but you should be careful that:

• you have a lawful basis to share it (for example, the employee’s consent, or a legitimate interest in providing accurate verification)
• you only disclose what’s necessary for the request
• you disclose accurate figures (and clarify whether the figure is base salary only or includes variable pay)

If you’re unsure, it’s perfectly reasonable to provide a reference that excludes pay information unless the individual has clearly consented.

Reason For Leaving

Employers commonly ask whether someone resigned, was dismissed, was made redundant, or left at the end of a fixed term.

This can be provided as a factual statement - but it’s also a common source of conflict if there was a dispute at the time of exit. If the wording is delicate, keep it neutral and document-based (for example, “resigned” rather than any commentary about motivation).

Absence, Sickness And Medical Information

Many reference request forms ask questions like: “How many sick days did the employee have in the last 12 months?” or “Does the employee have any health conditions that may affect their ability to perform the role?”

This is where businesses need to slow down.

Health information is typically treated as special category personal data under UK GDPR. Sharing it can create legal risk if you don’t have a clear lawful basis and an appropriate condition for processing.

As a general rule, avoid including medical detail unless:

• you have a clear lawful basis and a valid UK GDPR condition to share it (and in many cases, consent won’t be the best option in an employment context), and
• there’s a clear, legitimate reason the recipient needs it (for example, specific safeguarding/regulatory roles), and
• you are confident you can share it fairly and lawfully.

It’s also worth remembering that an employee doesn’t generally have to hand over broad health details to you without good reason - and your obligations around handling health information are strict. If this comes up internally, it’s worth understanding medical information duties before you disclose anything in a reference.

Disciplinary History And Misconduct Allegations

Some reference request forms ask about warnings, investigations, or whether the employee was subject to disciplinary action.

You can provide information about misconduct or disciplinary outcomes, but only if you can do so:

• accurately (based on records, not memory or workplace gossip)
• fairly (avoiding exaggerated wording or one-sided characterisations)
• consistently (so you’re not singling someone out)

If an issue was investigated but not proven, or was unresolved at the time the person left, consider whether it’s appropriate to disclose at all. In many cases, sticking to a factual, minimal reference is the safer option.

Performance, Suitability And “Would You Re-Employ?”

Questions like “How would you rate their performance?” or “Would you re-employ them?” are common.

You can answer them, but these are subjective - and subjective statements can cause disputes if the employee believes the reference is unfair or misleading.

If you do answer, keep it:

• specific (based on evidence)
• measured (avoid emotionally loaded language)
• consistent with your internal records (appraisals, warnings, KPIs)

How To Respond To A Reference Request Without Creating Legal Risk

Most reference issues don’t come from bad intentions - they come from rushed replies, informal emails, or managers “just being honest” without thinking about the legal consequences.

Here’s a practical approach you can adopt in your business.

1) Decide Your Business Policy: Factual Only vs Full Reference

Small businesses often choose one of these models:

• Factual-only references (dates, title, sometimes reason for leaving)
• Expanded references (factual plus performance and conduct information)

There’s no universal “best” option - but you should pick one and apply it consistently.

A factual-only policy is popular because it reduces risk, is quicker to deliver, and is easier to standardise. A more detailed reference can help great employees - but it needs more internal controls.

2) Centralise Who Responds (So Managers Don’t Freelance)

To keep things consistent, nominate one role (or small group) to handle every reference request - for example:

• your HR lead
• your office manager
• a director

If managers want to support someone personally, they can do so with a personal reference in their own name (separate to your company response) - but you’ll still want internal guardrails.

3) Confirm Identity And Authority Before Disclosing Anything

Before you share personal data, sense-check:

• Is the requester a genuine employer/agency?
• Are they using a company email domain or verifiable contact details?
• Does the request relate to the correct individual?
• Do you have consent (where appropriate), or another lawful basis?

This is especially important where you receive a reference request from a generic email address or where the request includes unusually broad questions.

4) Keep It Accurate, Fair And Not Misleading

A common misconception is that you’re “safe” as long as you’re telling the truth.

In reality, the risk usually sits around references being misleading by omission, based on unverified allegations, or written in a way that a reasonable reader would interpret incorrectly.

Simple safeguards include:

• use payroll and HR records for dates and titles
• avoid hyperbole (“always”, “never”, “terrible”, “brilliant”)
• don’t disclose matters you can’t evidence
• if something is disputed, consider whether to omit it and provide a factual-only reference

5) Mark The Reference As Confidential (But Don’t Overpromise)

Most references include a confidentiality statement. That’s sensible, but remember: the recipient may still share it internally (and the individual may request access in some scenarios).

Use a simple approach that fits your communications style, such as noting it’s a private business communication. If you want your internal templates to feel consistent, it can help to align them with how you handle Private And Confidential communications generally.

6) Use A Template (So You’re Not Rewriting From Scratch Every Time)

A template reduces the chance that someone adds unnecessary commentary in an email reply.

Even a short template can help you cover the essentials and avoid accidental disclosure. If you want something structured and compliant, an Employee Reference template approach is often a good starting point - and you can tailor it to your policy (factual-only or expanded).

When You Can Refuse A Reference Request (And When You Should Be Careful)

A big question for small business owners is: “Do we have to provide a reference?”

In many situations, there’s no general legal duty to provide one. However, refusing can still create practical and legal issues depending on the circumstances.

For example, you should be cautious if:

• you normally provide references but are refusing for one specific person (that inconsistency can look unfair)
• the refusal could be linked to a protected characteristic (raising discrimination risk)
• there was a contractual term, settlement agreement, or policy promising a reference

If you’re weighing up whether to refuse, it’s worth being clear on the risk profile first. In many businesses, the safest move is to provide a factual-only reference rather than refusing outright. If you need to explore the boundaries, the starting point is understanding when you refuse a reference and how to do it consistently.

What About Regulated Roles Or Safeguarding?

Some sectors (for example, financial services, education, healthcare, and care roles) may have additional expectations around vetting and disclosures.

If you operate in a regulated environment, you may need a more detailed process - and you should avoid applying a “one size fits all” approach without checking what your regulator or sector guidance expects.

Data Protection And Recordkeeping: Handling Reference Requests Under UK GDPR

When you respond to a reference request, you are typically sharing personal data about the worker (and possibly sensitive data). That means UK GDPR and the Data Protection Act 2018 can apply.

For small businesses, the most practical way to stay compliant is to focus on a few core principles.

Only Share What’s Necessary

If the requester asks for a long list of information, you don’t necessarily have to answer everything.

A good benchmark is: What does the recipient reasonably need to know for recruitment or vetting purposes?

Keep A Clear Record Of What You Sent

Save a copy of the reference and the request. This helps if:

• the recipient claims they didn’t receive it
• the employee disputes what you said
• you need to demonstrate consistent treatment

References also form part of your employee/ex-employee data footprint, so make sure your retention approach is sensible. Many employers build this into their broader retention planning for ex-employee records.

Get Your Employment Paperwork Right So References Aren’t Guesswork

Many reference headaches start earlier - when employment records are inconsistent, role titles are unclear, or performance management isn’t properly documented.

Having strong foundations (like a well-drafted Employment Contract) makes it far easier to provide accurate, defensible references later.

Key Takeaways

• A reference request is more than admin - it’s a moment where your business is sharing personal data and potentially influencing someone’s future employment, so consistency matters.
• Most UK employers can ask for employment dates, job title, reason for leaving, and sometimes salary, but you should only disclose what’s necessary and what you can evidence.
• Be especially cautious with sickness, medical information, and disciplinary history - health data can be special category personal data, and unverified allegations can create legal risk.
• Choose a business-wide approach (often factual-only) and centralise who responds, so managers don’t send inconsistent or informal references.
• If you’re unsure, it’s usually safer to provide a short factual reference than to refuse outright - unless you have a clear policy and a consistent reason for refusal.
• Keep records of reference requests and responses, and align your process with your wider data protection and record retention practices.

This article is general information only and does not constitute legal advice. If you’d like advice on setting up a reference request process, reviewing your templates, or tightening your employment documentation, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.