EU: The intranet - some privacy considerations

It is now more important than ever to ensure compliance with data privacy laws, including for your intranet. Sofia Calado, Lead Privacy Counsel at Cloudflare, discusses the key concerns regarding intranet compliance and explores two cases of noncompliance. 

Intranet key considerations 

'Restricted access' is the key characteristic underlying the notion of an intranet: a private network used by public organizations or private companies that lets their employees create and share information, communicate and collaborate, and manage events and tasks. Although an intranet runs on the same Internet Protocol (IP) standards and Transmission Control Protocol/Internet Protocol (TCP/IP) infrastructure as the internet, the internet is a public network that anyone can reach, irrespective of the network technology and the terminal equipment used. 

Typically, each employee authenticates with a password to connect to the intranet. Remote workers gain access via a virtual private network (VPN) or another authenticated, encrypted connection. A firewall filters incoming and outgoing traffic against the organization's policy and blocks connections that are unauthorized or suspicious; on its own it does not guarantee that malware or other malicious content is kept out, so it complements rather than replaces endpoint protection. If part of the intranet is opened to a broader group of users, such as partners or customers (an extranet), the firewall and the separation between the two zones become particularly important. Finally, third-party software can provide the intranet platform itself, either as an on-premises or as a cloud-based solution. 

Many would say this restricted access makes an intranet more secure. It is true to some extent. However, there are still internal vulnerabilities, like mishandling of workplace devices, and external threats lurking. 

To tackle them, intranet users should be subject to requirements concerning password strength and, where the policy requires it, password change, or, as an alternative, authenticate through a single sign-on (SSO) solution that centralizes those rules. Strict access controls should be in place, based on role and seniority. Data exchanged between the intranet and its users should be encrypted in transit with Transport Layer Security (TLS), the successor of SSL: the server's certificate authenticates the intranet to the user, and the protocol provides the encryption. All devices must have the latest security patches and software updates installed, and measures against unwanted personal data exfiltration (e.g., data loss prevention tooling) may be adopted. 

An interesting way to reinforce restricted access to the intranet is a Zero Trust Network Access (ZTNA) solution. ZTNA ensures that no user or device is trusted by default and verifies each request independently, taking into account the identity of the user, the context of the request (e.g., the device information or the source IP range), and the security posture of the device (e.g., whether antivirus software is installed and running).  
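A per-request evaluator in the ZTNA style, as an added example that is not code from the original article or from Cloudflare: every request is denied unless the identity, the device posture, the source-address context and the role required by the resource all check out, which also illustrates the role-based access controls mentioned above. The user directory, device inventory, address ranges and resource list are constructed sample data standing in for an identity provider, an MDM/EDR feed and a policy store.

```python
"""Per-request access evaluation in the ZTNA style: no user or device is
trusted by default, and every request is checked against identity, device
posture, network context and the role the target resource requires.

Added illustration; not Cloudflare's or any vendor's implementation.
Every user, device, network range and resource below is constructed sample
data standing in for an identity provider, an MDM/EDR feed and a policy store.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed user directory: roles held and whether the account is active.
USERS = {
    "alice": {"roles": {"employee", "hr"}, "active": True},
    "bob": {"roles": {"employee"}, "active": True},
    "carol": {"roles": {"employee"}, "active": False},  # leaver whose token still exists
}

# Constructed device inventory as an MDM/EDR feed would report it.
DEVICES = {
    "lt-0001": {"managed": True, "av_running": True, "patched": True},
    "lt-0002": {"managed": True, "av_running": False, "patched": True},
}

# Role required per resource; a path with no entry is denied (default deny).
RESOURCES = {
    "/hr/investigations": "hr",
    "/wiki": "employee",
}

# Constructed office and VPN address pools from which access is permitted.
ALLOWED_NETS = [ip_network("10.10.0.0/16"), ip_network("192.0.2.0/24")]


@dataclass
class Request:
    user: str
    device_id: Optional[str]
    src_ip: str
    path: str


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Evaluate one request. Every failed check is recorded (for the audit
    log) instead of stopping at the first; the request is allowed only when
    no check failed."""
    reasons: List[str] = []

    # Identity: the account must exist and still be active.
    user = USERS.get(req.user)
    if user is None or not user["active"]:
        reasons.append("identity: unknown or deactivated user")

    # Device context and posture: only managed, protected, patched devices.
    device = DEVICES.get(req.device_id or "")
    if device is None or not device["managed"]:
        reasons.append("device: unmanaged or unknown device")
    else:
        if not device["av_running"]:
            reasons.append("posture: endpoint protection not running")
        if not device["patched"]:
            reasons.append("posture: missing security patches")

    # Network context: the source address must fall in an allowed range.
    try:
        src = ip_address(req.src_ip)
    except ValueError:
        src = None
    if src is None or not any(src in net for net in ALLOWED_NETS):
        reasons.append("context: source address outside allowed ranges")

    # Authorization: the resource must be known and the user must hold its role.
    required = RESOURCES.get(req.path)
    if required is None:
        reasons.append("resource: no policy for path (default deny)")
    elif user is not None and required not in user["roles"]:
        reasons.append(f"authorization: role '{required}' required")

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    for r in (
        Request("alice", "lt-0001", "10.10.5.7", "/hr/investigations"),
        Request("bob", "lt-0001", "10.10.5.7", "/hr/investigations"),
        Request("bob", "lt-0002", "203.0.113.9", "/wiki"),
    ):
        d = evaluate(r)
        print(r.user, r.path, "ALLOW" if d.allowed else "DENY", d.reasons)
```

The evaluator collects every failing check rather than returning on the first one, so the denial written to the audit log explains the whole picture (a deactivated account on an unmanaged device from an unknown address is a different incident from a single missing patch), and it denies any path that has no policy entry rather than falling back to allow.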

Whatever security controls an entity adopts for its intranet, it is important to create a dedicated record of processing activities, in accordance with Article 30 of the General Data Protection Regulation (GDPR). The record should define the legal basis and purpose of processing, the categories of personal data and of data subjects involved, the retention periods, any data transfers, and the technical and organizational measures applied. Any software vendor should support the controller in its documentation efforts; where a vendor is involved, it is important to clarify what personal data the vendor can access, for example via log files, and who has visibility over it. 

To fulfil the transparency obligation under the GDPR, any collection and further processing of personal data performed through the intranet should be disclosed in the relevant privacy policy (e.g., the employee privacy policy). Companies must also list any intranet service provider as a recipient of personal data, normally as a processor, together with that provider's own sub-processors. 

The intranet can also be used as a platform for exercising data subject rights. For example, an employer may confirm through it what personal data it processes about its employees. In this case, the French data protection authority (CNIL) specifies that the employer should not require a copy of an identity card before replying to an access request, because the data subject in question is already identified (i.e., they are an authenticated intranet user).  

Cookies and similar technologies 

Let's now think about cookies and similar technologies. The Directive on Privacy and Electronic Communications (the ePrivacy Directive) sets out that any storage of or access to information in the terminal equipment, meaning the user's device, is subject to prior consent, according to Article 5(3). 

There are only two exemptions from the prior consent rule:  

  • a communications exemption, where the cookies are needed to carry out a transmission over a network (e.g., to prevent transmission errors); or 
  • a strictly necessary exemption, where the cookies are essential to provide an information society service (i.e., a service delivered by electronic means and normally against remuneration) requested by the user (e.g., for load balancing purposes or to ensure the website's security). 

However, if we analyze the scope of application of the ePrivacy Directive, in particular its Articles 2 and 3, it is stated that it applies to publicly available electronic communications services in public communications networks[1]. Therefore, what happens regarding an intranet? 

CNIL, in its guidelines on cookies and similar technologies published in September 2020, considers that an entity's intranet, or even an extranet with restricted access, is not subject to the French transposition of the ePrivacy Directive. Similarly, the European Data Protection Board (EDPB) Guidelines 2/2023, still under public consultation, reinforce that Article 5(3) of the ePrivacy Directive applies only where the network or service is 'publicly available'. Consequently, cookies or similar technologies deployed in an intranet environment do not require prior consent under the ePrivacy rules; any personal data they process nevertheless remains subject to the GDPR. 

Cases of noncompliance 

Finally, let's focus on the regulatory approach to complaints concerning intranets.  

Unauthorized access to personal data 

The Irish Data Protection Commission (DPC) received a data breach notification in 2021 (Case Study No. 5) concerning unauthorized access to personal data in the context of a dismissal. First, the company itself notified the DPC that a legal submission to the Workplace Relations Commission (WRC) had been stored in a folder accessible to all employees instead of the HR-dedicated folder. The mistake was apparently detected two days later and immediately corrected.  

One month later, the dismissed employee also notified the DPC, stating that not only the WRC submission but also the internal investigation report had been available on the company's intranet, including from a device that could be used by both employees and visitors to the company's premises. The employee submitted statements from former colleagues confirming that they had been able to access the internal investigation report.  

The company replied saying that only the WRC submission was subject to unauthorized access for a short period of time and was never available to non-employees. 

In view of this, the DPC decided that it was unable to confirm whether any personal data had been unduly disclosed via the intranet, but that it had indeed been disclosed via the shared folder. The DPC considered that the company had failed to adopt sufficient security measures to mitigate the risk of human error when storing the WRC submission. The DPC finally advised the company to train its personnel in data handling and incident response practices. There is no information on whether the company was subject to a financial penalty. 

Access to performance evaluations 

The case above is a good reminder of how important it is to apply robust security measures in this context. Another complaint, this time submitted to the Italian data protection authority (Garante) illustrates the same point. 

In 2021, the 750 employees of a public hospital complained that their performance evaluations and promotion results were freely available on the intranet, accessible to one another. The hospital argued that this information was deemed public under existing legislation and the agreement signed with the relevant trade unions. The final rankings were published for 20 days, which, according to the hospital, allowed it to respond to access requests and to clarify questions about the classification criteria, thereby avoiding further litigation. 

The Garante considered that the hospital failed to correctly interpret the existing legislation, which does not prescribe that full performance results be available to all employees. In other words, the publication of the final rankings is not mandatory. Therefore, the hospital did not comply with the minimization principle towards the personal data to be processed and, in fact, lacked an appropriate legal basis to present the individual classification of each hospital worker to other employees.  

The Garante also highlighted that the hospital had not adopted sufficient technical and organizational measures to ensure that its portal implemented data protection by design and by default. The hospital should have presented the information in such a way that each employee could only access their own personal data, meaning their individual results.  
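The design the Garante describes, as an added example that is not the hospital's system or code from the article: the 'before' handler returns the whole ranking to any authenticated employee, the 'after' handler returns only the requester's own record, the non-personal classification criteria and their position, and a separate HR-only function is the sole path to the full list, gated on a role and a recorded purpose. All identifiers, names and scores are constructed sample data, and the roles parameter stands in for what a real application would read from the authenticated session.

```python
"""Data protection by design and by default for an evaluation portal.

Added illustration; not the hospital's system nor code from the article.
`ranking_view_before` reproduces the design the Garante objected to (every
employee sees everyone's results); `ranking_view_after` scopes the response to
the requester's own record, and `full_ranking_for_hr` is the only path to the
whole list, gated on an HR role and a recorded purpose. All identifiers, names
and scores are constructed sample data.
"""
from typing import Dict, FrozenSet, List

# Constructed results: employee id -> evaluation outcome.
RESULTS: Dict[str, Dict] = {
    "e100": {"name": "A. Rossi", "score": 87, "promoted": True},
    "e101": {"name": "B. Bianchi", "score": 74, "promoted": False},
    "e102": {"name": "C. Verdi", "score": 91, "promoted": True},
}

# Non-personal information that can be shown to everyone.
CRITERIA = "Weighted average of annual objectives (70%) and competencies (30%)."

# Audit trail of privileged reads of the full list.
AUDIT_LOG: List[Dict] = []


def _ordered_ids() -> List[str]:
    """Employee ids from highest to lowest score."""
    return sorted(RESULTS, key=lambda eid: -RESULTS[eid]["score"])


def ranking_view_before(requester_id: str) -> List[Dict]:
    """Before: any authenticated employee receives every colleague's result."""
    if requester_id not in RESULTS:
        raise PermissionError("not an authenticated employee")
    return [dict(RESULTS[eid]) for eid in _ordered_ids()]


def ranking_view_after(requester_id: str) -> Dict:
    """After: default deny; the employee receives only their own record, the
    criteria and their position, so no other person's data leaves the server."""
    own = RESULTS.get(requester_id)
    if own is None:
        raise PermissionError("not an authenticated employee")
    ordered = _ordered_ids()
    return {
        "criteria": CRITERIA,
        "result": dict(own),
        "position": ordered.index(requester_id) + 1,
        "of": len(ordered),
    }


def full_ranking_for_hr(requester_id: str, roles: FrozenSet[str], purpose: str) -> List[Dict]:
    """The full list is available only to HR, for a stated purpose that is
    logged, so that every privileged read can later be accounted for.
    `roles` stands in for the roles a real application takes from the session."""
    if "hr" not in roles:
        raise PermissionError("HR role required")
    if not purpose.strip():
        raise ValueError("a purpose must be recorded")
    AUDIT_LOG.append({"who": requester_id, "purpose": purpose})
    return [dict(RESULTS[eid]) for eid in _ordered_ids()]


if __name__ == "__main__":
    print("before:", ranking_view_before("e101"))
    print("after: ", ranking_view_after("e101"))
    print("hr:    ", full_ranking_for_hr("e100", frozenset({"hr"}), "appeal handling"))
```

The point of the 'after' handler is that the filtering happens on the server, keyed on the authenticated identity, so there is no client-side view that merely hides colleagues' rows; the position alone tells the employee where they rank without disclosing anyone else's name or score.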

In conclusion, given that the intranet generally processes a great amount of HR-related data, it must be subject to strict access controls and up-to-date authentication methods. Individuals should have access to personal data only when it serves a purpose, as identified in the privacy policy, and falls under an appropriate legal basis. Also, employees' personal data is to be retained for a limited period of time and many European countries have specific retention schedules. They apply in an intranet environment as well.  

Finally, staff training and awareness are key. The intranet itself may be a good way to promote security training or to foster awareness about potential threats, e.g., via regular updates and relevant guidelines. 

Conclusion 

Intranets are a great tool for connecting colleagues across different departments or even locations and time zones. They help employees find information and facilitate organizational clarity. They can also facilitate onboarding and promote recognition and reward.  

There is personal data involved, including sensitive data but, with adequate compliance programs in place, an entity can benefit from advantages without jeopardizing its employees' privacy. Reviewing your intranet's policies and procedures to reinforce data protection could be a nice 2024 goal. Think about it. 

Sofia Calado Lead Privacy Counsel 
[email protected] 
Cloudflare, Lisbon 


[1] Please refer to the definitions of 'electronic communications network' and 'electronic communications service' pursuant to the European Electronic Communications Code (EECC).
