Google spooked employees last week when it sent a company-wide “reminder” that sharing certain kinds of data, even with colleagues within the company, can be a fireable offense.
Some employees that Business Insider spoke with saw the email as part of a push to clamp down on leaks at a time of unrest at the company. And they worried that the reminder email was actually a tightening of data-sharing rules that could chill workplace collaboration and that Google could use as a pretext to discipline certain employees.
The note caused enough internal agitation that Google took steps to calm the waters on Tuesday with a follow-up note designed to clarify the rules around sharing “need to know” information.
The update — which was formatted as a Q&A with Google’s Chief Legal Officer, Kent Walker — reiterated the reason for having controls on data access and tried putting to rest fears that collaboration across teams would be harmed.
Tuesday’s update states that Google’s internal data controls and classifications have been around since 2007, but that it has “periodically updated the policy language to make it easier to understand and apply.” Those updates include adding examples of “need-to-know” information, like project plans and customer data, but the note says there’s been no change to the “intent of the policies.”
“[The policies] contribute to a culture where people can have candid conversations, collaborate on joint projects, and share post-mortems or design docs with others as useful for their work,” Walker said in the note. “Particularly at our scale, it’s important that we have clear rules and are all on the same page.”
A tool to squash leaks about controversial projects?
Still, two current employees who spoke to Business Insider said Walker’s most recent remarks didn’t go far enough to address internal fears that Google will use its broad definitions around data sharing to retaliate against employees who raise concerns over controversial projects or participate in workplace organizing efforts, like the November Walkout to protest Google’s approach to sexual harassment complaints.
“It mostly ignores the concern about the policy possibly being used to retaliate arbitrarily,” one current employee told us.
Walker’s email last week reminded employees that improperly accessing, copying, or sharing “need-to-know” or “classified” information — whether or not it was labeled as such — could result in disciplinary action and firing. In Tuesday’s note, Walker said those disciplinary actions were “generally taken” against individuals who intentionally violated its policies, especially in a way that caused serious risk to user privacy or was harmful to co-workers.
A Google spokesperson told Business Insider that a certain level of common sense was used by the company when assessing a violation of its policies and whether or not it warranted disciplinary action.
But another current employee told Business Insider that Google’s response “actually confirms that the intent is to make it explicitly against the rules for Googlers to do research into what the company is working on with the intent of having some say in it.”
Both of the employees who spoke to Business Insider questioned the timing of these update emails — amid heightened fears of retaliation against organizers at Google — and said it is unclear how the policy will be applied.
Here’s the company-wide email sent to Googlers on Tuesday with answers from Chief Legal Officer, Kent Walker:
Subject: [Daily Insider] More on data classifications
Last week, Kent Walker sent Googlers a reminder of our data classification policies. We sat down with Kent to learn a bit more.
What’s the goal of the policies? Our security policies around data are designed to protect the various kinds of sensitive user, partner, and business information we work with. That includes things like user data, partners’ payment information, healthcare records, product plans, device specs, or financial projections, or our own internal sensitive materials. The policies have always had a few purposes. They contribute to a culture where people can have candid conversations, collaborate on joint projects, and share post-mortems or design docs with others as useful for their work. They enable us to meet our commitments to users, and confidently tell partners that Googlers are treating, accessing, and sharing their data appropriately. And there are legal consequences for Google and our employees if we don’t treat user and partner data carefully — especially as we work with partners (ranging from healthcare companies to ad agencies to OEMs) who have serious obligations and an expectation that we’ll access their information only as necessary.
How long have we had these kinds of policies? We’ve had a number of access controls for many years, and have had policies around various categories and classifications of data since 2007. So these policies are longstanding. Particularly at our scale, it’s important that we have clear rules and are all on the same page. We have periodically updated the policy language to make it easier to understand and apply. For example, we added examples of things we’ve always considered Need-to-Know data, like project plans and customer data. But there’s been no change in the intent of the policies.
What if I access Need-to-Know data even if I don’t have a business reason to do so? Even if the data isn’t clearly marked, if you think the content should be labeled Need-to-Know, please let the relevant people or the team at misdirected data know that the file may not have the right access controls. And obviously don’t share the document or its contents with others. I do want to note that we’ve generally taken disciplinary action over intentional violations of these policies, typically involving serious leaks of data, risks to user privacy or harm to co-workers, or actions that jeopardized our business operations or potentially violated our legal obligations. Fortunately, those instances have been rare.
What about documents that aren’t labeled? Good labelling and appropriate access controls reduce the chances of inadvertent access. But while labels are helpful, the nature of the data determines its classification, so if you access something that is unlabeled or you believe is mislabeled, reach out to the owner or team working on the issue. If you want to raise concerns about a project, including about content in a document, please email Security & Privacy, contact Ethics & Compliance, or raise a concern through pages [deleted]
Do I need to go back and examine all my existing data? While we don’t expect people to go back through all of their documents, please do consider any sensitive information you’ve worked on and whether relevant documents are shared only with appropriate audiences (and, ideally, labeled correctly). For existing documents, you can use the Drive Visibility tool to check and correct access settings. And make sure you and your team are following the policies moving forward.
What if I’m not sure whether my data or project is Need-to-Know or Confidential? In the first instance, it’s the responsibility of the data owner to determine whether data is Confidential or Need-to-Know, and to establish appropriate access controls. Documents incorporating data should use markings and access controls appropriate for the data. To determine whether data or a document is Need-to-Know or Confidential you can review the policy guidelines at [deleted]. If you aren’t sure how something you’re working on should be classified, check with your [deleted]
How can I learn more? Email …. if you have any questions, and stay tuned for more refresher trainings to be rolled out across the company.