Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect PII, have the function move the objects into the shared Cloud Storage bucket:
Configure a Pub/Sub topic to publish notifications when new files are uploaded to the administrator's bucket.
Create a Cloud Function that is triggered by the Pub/Sub topic. This function uses the Cloud Data Loss Prevention (DLP) API to scan the uploaded files for PII.
If the scan does not detect PII, the function moves the file to the shared Cloud Storage bucket. This ensures that only non-sensitive data is accessible to analysts, while PII remains secure in the administrator's bucket.
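The three steps above as a Cloud Function in Python, added here as an illustration and not taken from the original page. The bucket name, project ID, info-type list and function names are assumptions; it handles small UTF-8 text objects only and leaves anything it cannot scan in the administrator's bucket.

```python
# Added example: Pub/Sub-triggered Cloud Function that gates on a DLP scan.
SHARED_BUCKET = "shared-analyst-bucket"   # hypothetical bucket name
PROJECT_ID = "example-project"            # hypothetical project ID
INFO_TYPES = ["EMAIL_ADDRESS", "PHONE_NUMBER", "CREDIT_CARD_NUMBER"]  # assumed PII set


def contains_pii(dlp, text):
    """Return True if Cloud DLP reports at least one finding in text."""
    response = dlp.inspect_content(request={
        "parent": f"projects/{PROJECT_ID}/locations/global",
        "inspect_config": {"info_types": [{"name": n} for n in INFO_TYPES]},
        "item": {"value": text},
    })
    return len(response.result.findings) > 0


def process_upload(attrs, storage_client, dlp):
    """Handle one Cloud Storage notification; return the action taken."""
    if attrs.get("eventType") != "OBJECT_FINALIZE":
        return "ignored"                  # deletes, metadata updates, etc.
    src_bucket = storage_client.bucket(attrs["bucketId"])
    # Pin the generation so the bytes scanned are the bytes copied.
    gen = int(attrs["objectGeneration"])
    blob = src_bucket.blob(attrs["objectId"], generation=gen)
    try:
        text = blob.download_as_bytes().decode("utf-8")
        if contains_pii(dlp, text):
            return "kept"                 # PII stays in the administrator's bucket
    except Exception:
        return "kept"                     # fail closed: unscannable means not shared
    dest = storage_client.bucket(SHARED_BUCKET)
    src_bucket.copy_blob(blob, dest, attrs["objectId"], source_generation=gen)
    blob.delete()                         # a cross-bucket move is copy, then delete
    return "moved"


def scan_on_upload(event, context):
    """Cloud Functions entry point for the Pub/Sub trigger."""
    # Imported here so the logic above can be exercised offline with fakes.
    from google.cloud import dlp_v2, storage
    return process_upload(event.get("attributes") or {},
                          storage.Client(), dlp_v2.DlpServiceClient())
```

Analysts should be granted access to the shared bucket only; the function's service account is the one identity that needs to read the administrator's bucket and write to the shared one.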