Align policy with values of transparency and assuming positive intent

Devin Sylva requested to merge align_policy_with_values into master

Because of how broadly this line is written, this applies to nearly everybody in the company. Almost everyone has access to information which can be considered "highly sensitive", so this policy can only be applied selectively.

candidates for employment will not occupy a position in which they may be privy to confidential, highly sensitive information that the significant other or relative should not have access to

If the policy is to not allow significant others anywhere in the company, it should be written that way.

The departments where this is being applied across the board are:

  • People Ops
  • Recruiting

It could easily be, and may already be, applied to:

  • Production Engineering
  • Database Engineering
  • IT Operations
  • Security
  • Finance
  • Any management role
  • Probably others...

By applying the policy to all People Ops and Recruiting roles, rather than on a case-by-case basis with specific requirements and reasoning, we are sending some very incongruent messages.

  1. There is information that the company keeps about each of us which we should not know.
  2. It assumes that we all want to know damaging information about our co-workers.
  3. It implies that we are hiring people into jobs which require confidentiality, and we do not trust those people with confidential information.
  4. It also implies that we do not trust the people in those roles not to share confidential information with their partners and family. Yet we are ok with them doing that as long as those family members do not also work at GitLab (and have not signed an NDA).
  5. There is an expectation that people will abuse their family relationships to gain access to information that they shouldn't have. However, they will not abuse their relationships with close friends and colleagues. We should not accept referrals at all for any roles which have this concern.
  6. Recruiting folks regularly access confidential information about people long after they are hired.

In a company which aspires to be transparent and to assume good intent, it makes no sense to have a sweeping policy like this, especially without a legal or compliance requirement attached to it.

If specific roles have a specific requirement that a person be single, or that their partner not work in the company, those roles should be listed out along with the justification for why this is required.

Similarly, if there is specific information which is too sensitive, it should be identified. Passwords are sensitive information and everybody has them.

It appears that this language was added here: !14037 (merged). There was probably a specific concern that it was trying to address. That concern should be addressed directly, rather than via vague language which encourages departments to each have their own unwritten policies.

We cannot have unwritten policies and transparency at the same time.
