Many employers bemoan the devaluation of references for employment that has happened over the last 20 years. Current references often only confirm dates of employment and nothing else.
This came about because the Data Protection Act 1998 enabled data subjects to get access to their data. In the case of references for employment, the company providing the reference was exempt from providing a copy of it in a subject access request, but the organisation receiving the reference was not. This led to a number of cases found against employers for giving 'bad' references.
The new Data Protection Act 2018 contains Schedule 11, which is titled 'Other exemptions under Part 4'. This is an exemption from data subject rights, including the right of access, in certain circumstances, and point 11 is called 'Confidential references given by the controller'.
XpertHR certainly seem convinced that this is a closure of that loophole (even if they seem to refer to the legal section as schedule 2).
If XpertHR are right, this might encourage Personnel and HR departments to be more demanding about what they ask for, while stating:
"We will not disclose the contents of confidential references to data subject access requests, as provided for by Schedule 11.11 of the Data Protection Act 2018."
You can also offer more complete references under the disclaimer:
"The information in this reference is confidential and must not be disclosed to a data subject access request, as provided for by Schedule 11.11 of the Data Protection Act 2018."
However, just for completeness, you may also want to receive an undertaking from the other party that they will not disclose it to a data subject access request.