From a data protection perspective, when we share screens and show data of colleagues or clients, doubts may arise about the legality of this action. Is it correct to show personal data when streaming? The truth is that there is no single answer, as it will depend on each specific case and it will be necessary to assess the context, the type of data and the processing that we carry out on them. However, one should not lose sight of confidentiality agreements, as well as the internal affairs of the department.
First of all, it should be clarified that not all data are personal data. In order to know whether we are dealing with this type of data, article 4.1 of the GDPR gives us a somewhat ambiguous definition: "personal data is any information relating to an identified or identifiable living natural person...". Consequently, not all the data we share falls within the scope of the data protection regulation. Without prejudice to possible risks and confidentiality covenants, data such as a company's IBAN or generic personal emails such as atentioncliente@empresa.com would not be considered personal data.
To return to the initial question, there are personal data that can be displayed in screen sharing and others that cannot. In order to distinguish between them, it is necessary to identify which data processing is being carried out. In other words, it is not the same to collect personal data for payroll management as it is to collect personal data to carry out the registration of visitors entering and leaving the offices. Each processing of personal data is lawful if it complies with one of the legitimising bases set out in art. 6 of the GDPR, for example consent, necessity for the proper performance of the processing, compliance with a legal obligation or the vital interests of the data subject, to name but a few of the cases. These legitimising bases entitle us to process only the personal data necessary for the specific processing.
In the case of screen sharing, we need to focus on the processing of the data to be displayed (being careful not to display inappropriate information in the background) and we also need to consider the context, i.e., the scope of data viewing and those who may have access to view the content displayed. For example, when screen sharing to manage security breaches or when doing so in the approval of a provider, we must look at the specific data processing, not at the fact of screen sharing, and we must analyse to whom we are showing the information and who has access to view it.
Once we know what data processing we are carrying out, the legitimising basis will give us the answer to the question we started with: is it OK to show personal data in streaming? We can only share personal data in streaming when the legitimising basis allows us to do so, and we can only show data of individuals who are covered under that legitimising basis, taking care not to show in the background data related to other customers, or anything that compromises personal data or the security of the company itself or third parties.
For example, if we process personal data to provide an audit service to a customer, our legitimising basis would be the performance of a contract (art. 6.1.b GDPR). This basis would legitimise the processing of the data necessary for the performance of that contract with the client. Consequently, we may only share our screen and display personal data that we process for the purposes stipulated in the contract, and only with the persons involved in the service.
Conclusions
It is not correct to display personal data, with some exceptions. This judgement is not a loose one based solely on the GDPR; it also rests on internal operational and confidentiality issues. Therefore, in addition to the regulatory and sanctioning aspects, confidentiality, organisational responsibility and common sense must also be taken into account.
Recommendations
Displaying inappropriate information can lead to a privacy or security breach. To avoid this and address the inherent risks involved, here are a number of recommendations:
- Knowing the processing of personal data that we carry out, as well as its legitimising basis.
- Knowing whether there are confidentiality agreements, and knowing the internal functioning of NTT DATA.
- Before starting screen sharing, organising all the information that is going to be shown or that may be shown during the session. Closing all documents containing information from other projects.
- Being careful to show only the application you want to display, and not the general screen.
- Not projecting an e-mail from the inbox, as this will project the other e-mails with senders and other data.