
I can't seem to find much information on this online, and forgive me if this is obvious to other folks in the info-sec community but would storing documents such as CVs of applicants, letters written for an employee by HR etc. on a shared/Google Drive where other employees can access/see the contents of the files without restriction be considered a breach of GDPR?

Anon
  • This seems fairly specific and might be more on topic for a legal Q&A site or perhaps just ask a lawyer. Sharing PII unnecessarily is generally a breach, but an organisation is usually seen as one legal entity, so I'm not sure. For the privacy aspect, as an applicant, I would not like it if everyone can see everything about me like that. That's already two reasons not to do it (and I'd say moral reasons count more than legal). But if you're strictly asking about the law, I think that's off topic here. I've flagged it and a moderator will move your question if appropriate. – Luc May 16 '19 at 07:50
  • It is indeed a legal matter, but also related to security. I would not mind for the question to stay. – Overmind May 16 '19 at 09:16
  • "where other employees can access/see the contents of the files **without restriction**" I'm pretty sure that that's a breach of GDPR. When requesting consent you have to list all those figures who can have access to the data and you should only give access to those that legitimately need access to the data. Putting the files in an unrestricted place would go against this. However, using a separate folder where only people that need to handle such information have access **might** not be a breach of GDPR. – Giacomo Alzetta May 16 '19 at 10:52
  • This shouldn't be closed, this should probably be moved to Law.SE. – reed May 16 '19 at 11:31

3 Answers


This is article 6, lawfulness of processing:

Processing shall be lawful only if and to the extent that at least one of the following applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

See also the following article (article 25, data protection by design and by default):

  1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
  2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

And article 28 defines "data processors", which are companies that process data on behalf of a controller. There must be a particular contract between these two parties, here's a little quote:

Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor [...]

What does this mean in practice? My personal interpretation (IANAL) is that it's ok to share data on Google Drive provided that:

  • sharing CV data with other employees is necessary, or the data subject can reasonably expect such data to be shared in that way. For example, if it's only shared between office workers, and you only have one office with three employees working next to each other, I don't think this can be a problem. On the other hand, if you are sharing data between hundreds of employees (in different offices, different locations, for different tasks, etc.) then accessing CV data is none of their business.
  • Google Drive has provided a DPA (Data processing agreement) that is compliant with article 28 and the GDPR in general, because Google will be processing personal data on your behalf. You need to check this carefully, because I'm not sure Google is compliant for their free services. The last time I checked, only business services (paid versions of their free services) had settings that could be configured to make the service compliant with GDPR and had privacy policies that contained a section for DPA agreements.

My opinion is that just asking the user for consent will not work in this case, because unnecessarily sharing CV data this way just seems a matter of careless organization, rather than a meaningful reason for processing. All it takes to fix this issue is protecting some files with a password, or sharing a folder only with certain accounts.

reed
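
The last sentence of this answer, sharing the folder only with specific accounts, is the technical half of the fix, and it is also the part that can be checked mechanically. The following is an added example, not code from the answer above or from Google: an offline Python audit over a constructed set of Drive file records whose `permissions` entries follow the shape of the Drive API v3 permission resource (`type` in user/group/domain/anyone, `role`, `emailAddress`, `domain`, `allowFileDiscovery`). The HR allow-list, file names and e-mail addresses are all assumptions made up for the example; in a real audit the records would be fetched with `files.list` requesting the `permissions` field.

```python
"""Flag Drive files holding applicant/HR documents whose sharing is broader than
a named allow-list of HR accounts.

Added example, not code from the original answer. Runs offline on constructed
records shaped like Drive API v3 ``files`` resources with ``permissions`` populated.
"""
from dataclasses import dataclass
from typing import Iterable

# Any of these roles lets the grantee read the document contents.
CONTENT_ROLES = {"reader", "commenter", "writer", "fileOrganizer", "organizer", "owner"}


@dataclass(frozen=True)
class Finding:
    file_id: str
    name: str
    reason: str


def audit_file(record: dict, allowed_accounts: Iterable[str]) -> list[Finding]:
    """Return one Finding per permission that exposes the file beyond the allow-list."""
    allowed = {a.lower() for a in allowed_accounts}
    fid, name = record["id"], record["name"]
    findings: list[Finding] = []
    for perm in record.get("permissions", []):
        ptype, role = perm.get("type"), perm.get("role")
        if role not in CONTENT_ROLES:
            continue
        if ptype == "anyone":
            # Link sharing; allowFileDiscovery=True additionally makes it searchable.
            how = "and searchable" if perm.get("allowFileDiscovery") else "via link"
            findings.append(Finding(fid, name, f"anyone with the link ({how}) has role {role}"))
        elif ptype == "domain":
            # Every account in the Workspace domain, i.e. every employee.
            findings.append(Finding(fid, name, f"whole domain {perm.get('domain')} has role {role}"))
        elif ptype in ("user", "group"):
            # Groups cannot be expanded offline, so an un-listed group is flagged for review.
            email = perm.get("emailAddress", "").lower()
            if email not in allowed:
                findings.append(Finding(fid, name, f"{ptype} {email} has role {role}"))
    return findings


def audit_drive(records: Iterable[dict], allowed_accounts: Iterable[str]) -> list[Finding]:
    """Audit every record and return all findings in file order."""
    out: list[Finding] = []
    for rec in records:
        out.extend(audit_file(rec, allowed_accounts))
    return out


# Constructed sample data (assumed names/addresses), not real Drive output.
HR_ALLOW_LIST = ["hr-lead@example.com", "hiring-manager@example.com"]
SAMPLE_FILES = [
    {"id": "f1", "name": "cv-candidate-A.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr-lead@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"},
    ]},
    {"id": "f2", "name": "reference-letter-B.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr-lead@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ]},
    {"id": "f3", "name": "cv-candidate-C.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr-lead@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "hiring-manager@example.com"},
    ]},
    {"id": "f4", "name": "cv-candidate-D.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr-lead@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "marketing@example.com"},
    ]},
]

if __name__ == "__main__":
    for f in audit_drive(SAMPLE_FILES, HR_ALLOW_LIST):
        print(f"{f.file_id} {f.name}: {f.reason}")
```

Only `f3`, shared with two named HR accounts, passes; the domain-wide grant, the link-sharing grant and the grant to a non-HR user are each reported with the role that exposes the contents, which is what "sharing a folder only with certain accounts" has to rule out.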

Applicant data is personal data, so it must comply with GDPR rules.

An applicant’s CV, whether you review their details, interview them, employ them or not, is personal data and it must therefore be handled in a compliant manner.

Therefore you cannot share this data without signed consent from each of them. Securely delete any CVs (even those of employees you hired) you are not currently working on (that are currently not in a hiring process).

Even more, as a personal security concern, I would not like my data existing on any Google-Drive-like system. If a company kept my CV in cold storage I would not mind, but if it put it on a cloud drive (which, even worse, is shared) I'd definitely sue them.

As a conclusion, yes, your case is a breach of GDPR.

Overmind
  • Consent isn't the only 'lawful basis' for storing or processing PII under GDPR and other justifications may be given. It's a common misconception that GDPR is all about 'consent' (signed or otherwise). Sharing PII with a third party could be justified in any one of six different ways and the ICO details this here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/ – David Scholefield May 16 '19 at 10:01
  • Consent is not for random 3rd parties; it is for the specific company you agree on and their partners. – Overmind May 16 '19 at 11:19

You need to be able to justify your collection, storage, processing, and sharing of any personal information under the GDPR and it could be that you have a legitimate basis for processing that conforms with the ICO's interpretation of the regulation without gaining explicit consent (although in the brief description you've given, consent seems the most fitting lawful basis for processing). All cases are different.

For example, you may include in your agreement with the person whose data you are processing that you will share the data with other (or all) employees and provide the data subject with an opportunity to opt out of that, or to consent to that level of sharing. Transparency with the data subject is the key here.

You may believe that you have a 'legitimate interest' in processing the data and, as long as you can demonstrate that you are not harming the data subject by processing their data in this manner, then you can use 'legitimate interest' rather than consent as your lawful basis for processing (you should be cautious of this catch-all approach though; you need to be able to justify it).

The GDPR operates on a number of principles rather than strict and precise details on how to comply. They are (paraphrasing) about transparency, fairness, enabling the data subject to retain control of their data, only collecting and processing data as far as necessary to achieve the original purpose, taking due diligence in protecting the data from unauthorised access etc.

So the question is quite complex. If you can demonstrate that you are only collecting the data you need to perform the primary task, the data subject is aware of how you are processing (and sharing), you only keep the data for as long as you need, the data subject retains control over your use of the data (in an informed manner), etc. then you will probably be on the right side of the regulation.

It's important that you think about these issues and preferably record your thought process and decision making. That way you can demonstrate due diligence to the ICO if there is a dispute. They may ultimately disagree with your decisions but I suspect the ICO will be more sympathetic if you've genuinely considered these issues and come to a conclusion based on that consideration rather than just acted without concern.

This is my opinion on GDPR and should not be taken in any way as legal advice. Your legal advisers may differ of course.

David Scholefield