data relate to. Google was not willing to let the researchers provide additional information enabling their identification.
2.5 Types of personal data and data subjects
As emphasized above, this DPIA cannot provide the required limitative overview of the different categories of personal data that will be processed in the context of G Suite Enterprise. However, this report aims to provide assistance to the government organisations about these categories, to help them decide about the actual installation and settings based on an inventory of the categories of personal data that are factually processed in their specific organisation.
As the categories of personal data and data subjects in Customer Data and Support Data are dependent on the data that the customer and its end users provide to Google, this section focusses on the data that are collected by Google through the use of the services (Diagnostic Data).
2.5.1 Categories of personal data
Generally speaking, end users can process all kinds of personal data with G Suite Enterprise. The different services can be used for many different purposes by many different organisations. Absent comprehensive documentation and publicly available policy rules governing the types of data that can be stored by Google as Diagnostic Data, it is prudent to assume that the G Suite Diagnostic Data may include all categories of personal data. Some types of data require extra attention due to their sensitive nature.
Classified Information
Depending on the capacity in which Dutch government employees work, they may process confidential government information or state secrets (Classified Information). The Dutch government defines four classes of Classified Information, ranging from confidential within a department to top secret.126
Classified Information is not a separate category of data in the GDPR or other legislation concerning personal data. However, information processed by the government that is qualified as Classified Information, regardless of whether it qualifies as personal data, must be protected by special safeguards. The processing of this information may also have a privacy impact if such information relates to a specific individual. If the personal data of a government employee, such as his G Suite email address at the domain of his employer, or unique device identifier, reveal that this person works with Classified Information, the impact on the private life of this employee may be higher than if that employee only processed ‘regular’ personal data. Unauthorised use of Classified Information could for example lead to a higher risk of being targeted for social engineering, spear phishing and/or blackmailing.
Google acknowledges that there may be spill-over from an employee’s ‘private’ Google Account to his enterprise Google Account.
“When you’re signed in with more than 1 Google Account at the same time, ads may be based on ad settings for your default account. Your default account is usually the account you signed in with first.” 127
126 Amongst others, the categories of classified information are defined in the Voorschrift Informatiebeveiliging Rijksdienst – Bijzondere Informatie (VIR-BI).
127 Google, Control the ads you see, URL: https://support.google.com/ads/answer/2662856
If government organisations use Drive or Gmail, they have to be aware that the information stored on Google’s cloud servers may include Classified Information from and about government employees, including information about which employees regularly access, send or receive such confidential data.
Personal data of a sensitive nature
Some personal data have to be processed with extra care, due to their sensitive nature. Examples of such sensitive data are financial data, traffic and location data. Both the contents of communication as well as the metadata (Diagnostic Data) about who communicates with whom, are of a similar sensitive nature. The contents of communication are specifically protected as a fundamental right, but metadata (Diagnostic Data) deserve a high level of protection as well. This will be explained in more detail in Section 16 of this report.
The sensitivity is related to the level of risk for the data subjects if the confidentiality of such data is breached. The effect of a breach of personal data of a sensitive nature may pose a greater risk for the data subject of being targeted by criminals (e.g. blackmail, identity theft, financial fraud). Government employees may also experience a chilling effect as a result of the monitoring of their behavioural data. The audit logs for example could be used by the employer to reconstruct a pattern of the hours worked with the different applications. Such monitoring could lead to a negative performance assessment, if not specifically excluded in an (internal) privacy policy for the processing of employee personal data.
It is likely that many government employees will process personal data of a sensitive nature by using G Suite Enterprise. For example, employees may process sensitive financial data in relation to subsidies. Employees from the High Councils of State and Advisory Commissions are tasked to process sensitive personal data from individual requests and complaints from the Dutch public.
Personal data of a sensitive nature can be included in snippets of content of files that are provided to Google as Customer Data (such as the line preceding and following a word) in the telemetry data, as shown in Figure 15. However, such snippets may also be included in system-generated event logs about the use of the Additional Services such as Google Groups, Classroom, Photos or as keywords in Google Alerts. Path and filenames are included, as shown in the Drive audit log, in Diagnostic Data about the opening or saving of files in Drive or headers of mails in Gmail.
Special categories of personal data
Special categories of personal data are strongly protected by the GDPR. According to Article 9 (1) GDPR, special categories of data consist of any:
“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”.
With special categories of data, the principle is one of prohibition: these data may in principle not be processed. However, the GDPR contains specific exceptions to this rule. Special categories of personal data may be processed for instance when the data subject has explicitly consented to the processing, or when data are made public by the data subject, or when processing is necessary for the data subject to exercise legal claims.128
128 These specific exceptions lifting the ban on the processing are listed in Article 9(2) under a, e and f of the GDPR.
If government organisations such as the police and the judiciary worked with G Suite Enterprise, there is a risk that the Diagnostic Data may contain information on crimes and convictions, if such data are included in the file or path names.
2.5.2 Categories of data subjects
Generally speaking, the different categories of data subjects that may be affected by the processing of personal data can be divided into three groups, namely: employees, contact persons and miscellaneous other data subjects.
Employees
The government end users of the G Suite Enterprise services are employees, civil servants, contractors and (temporary) workers of a governmental organisation.
Their names and other personal information are processed in connection with the documents they create and store in an online storage usually carrying their (last) name, be it Google Docs, Google Sheets, Google Slides, Google Forms or another file format. Their names and other personal data are also part of the emails they send and receive with Gmail.
Apart from the information generated by the employees themselves, employees are also data subjects in information generated by others, for instance when they appear in the cc or bcc field of an email.
Contact persons
Information processed with the G Suite applications is often shared internally and externally. Customer Data and Diagnostic Data may contain information about contact persons who are not employees of the relevant government organisation. Examples are employees of other government organisations and third-party vendors. Diagnostic Data may include the sender’s name and email address, as well as the time when an email was sent or received.
Dutch citizens and other data subjects
Besides employees and contact persons, personal data of other data subjects who are not directly in contact with the government organisation may also be processed through the government organisation’s use of the G Suite Enterprise service. Such personal data could also occur in snippets of content included in the Diagnostic Data generated by the use of the G Suite Enterprise service. Diagnostic Data could also include information about the communications pattern with people who do not work for the Dutch government, such as lawyers and other advisors. Other examples involve people whose information is forwarded, but who are not directly in touch with a Ministry themselves, or people who apply for a job.
In sum, there are no limits to the categories of data subjects whose data may be processed in Customer Data and Diagnostic Data under normal use conditions by employees of the Dutch government.
3. Data processing controls
This Section 3 discusses the available privacy controls that end users and administrators can use to influence the processing of Diagnostic Data, and the processing of personal data through the Additional Services and Related other services. This section also describes the default settings of such controls, and situations where admins do not have central privacy controls.