There is a range of web applications that enable online file sharing. The feature can also be part of a larger product, such as within online word processing software where documents can be shared with a range of users to enable collaboration.

An organisation using a file sharing application would typically transmit data to be stored on a server and accessed, over the internet, from a remote location. This could be achieved by the data controller hosting their own system or by using a service managed by a third-party cloud provider.

Use of a secure transfer protocol (eg TLS) will ensure that data is not able to be intercepted whilst in transit. However, it is important to remember that without additional encryption methods in place the data will only be encrypted whilst in transit and not encrypted on the server or client device.

If the purpose of the online service is merely to provide a storage area from where the recipient can collect the data then the data controller can encrypt the personal data prior to upload. This will ensure that no third-party (including a service provider) can gain access to the personal data. The data controller can then grant the recipient access to the encrypted package. The sender will then need to transfer the key to the recipient.

If the web application performs some processing on the personal data (eg word processing) then insisting that data remains in an encrypted form on the cloud server is a complex requirement. It either means that the service provider overlays their own encryption solution (for which they will likely hold the key) or requires a sophisticated key management system, which is not a feature found on most cloud-based file-sharing systems today.

It is more common that a web application offers the ability to ‘share a private URL’ or grant specific users access to individual files or folders. Whilst this can provide a secure and auditable means to share information, unless additional encryption methods are in place the files should not be regarded as being stored in an encrypted form. Even if data was stored encrypted a robust user authentication process, eg requiring a username and password, would still be a necessary component.

Read our further guidance on protecting personal data in online services for more information: