Today, many organizations believe that the more data you have the more valuable it is. However, the over collection of personal information can dramatically increase the potential harm to individuals in case of a data breach. In addition, collecting unnecessary or indirect information that is loosely tied to a purpose is increasingly viewed as exceeding the scope of consent.
Data Minimization is a key privacy principle to respecting individual privacy and reducing risks associated with a data breach. Under this principle, only personal information that is directly relevant and necessary to a specified purpose is collected and kept for only as long as needed for that purpose.
Collection limitation: What information do I need?
- Identify what type of personal information is required for a given process (e.g. birthdate as a mandatory field). Evaluate if this information should be mandatory, voluntary, or not collected at all (reducing risk). Consider whether the requested personal information is necessary to complete the transaction or purpose of the collection. Tip: Ask for personal information when needed, even if it creates a separate round of data collection. Oftentimes it can seem easier to collect more information upfront in case it is needed later. This is a common trap that leads to unnecessary and risky data collection.
- If personal information is used as a unique identifier (such as a social security number), consider whether it is possible to use or create an alternate ID. Ensure that individuals are aware of the types of information being collected and understand why that information is being collected. Tip: For information whose purpose is not obvious, an individual should be aware why the information is being collected and how information will be used. For good privacy practice, do not simply list the types of data being collected in terms of service agreements or other fine print. Rather, describe the purpose at the point of collection.
- Consider legal risk requirements for the collection and retention of personal information. Tip: Certain types of personal information may trigger various legal obligations (such as health information) or unintended legal risks. For example, the collection of a birthdate could expose a website operator to the Federal Trade Commission's Children's Online Privacy Protection Act (COPPA). Although a site may not be targeted at children, if a user indicates they are under 13 years old, COPPA obligations may still apply to the information collected.
Data inventory: What types of information do I have and where are they found?
Identify which departments have data within the organization, who is responsible for the data, and what types of data the organization has that may contain personal information. For example:
- Financial data.
- Health information.
- System/device information.
- Emails, documents, photos, videos.
- Databases.
Document where the information is stored. For example:
- On-premise servers.
- Cloud servers.
- Backup storage drives.
- Desktops.
- Laptops.
- Remote offices.
- Employee-owned devices.
- Paper files.
Map where data is shared internally and to third-party organizations. Consider how data can be recovered from the various storage locations and whether necessary data could be restored.
Data retention: What is the lifespan of my data?
After identifying what types of information the organization stores, consider any legal retention requirements for particular types of data. For example, data related to:
- Employment.
- Medical / health services.
- Taxes.
- Trade.
Document retention policies for the various data types. For example, "retain email data daily for 90 days", or "retain employment data every year-end for 5 years."
For personal information that does not have a retention requirement, identify when and how that information is being deleted/purged. (Tip: Personal data should only be retained as long as needed for a specific purpose.) Investigate solutions for deleting personal information upon an individual's request. Establish periodic reviews of retained data.
Accountability
Identify individuals or roles who are responsible for data collection and maintenance and train them on data minimization practices.
Identify what tools are used for privacy assessments, data mapping and data retention. For example:
- Informally via emails or in-person communication
- Spreadsheets
- Internally developed system
- Compliance software
- External audits or consultants
List challenges to data minimization implementation. For example:
- Lack of resources to complete data inventory
- Low priority for the organization
- Inability to maintain period reviews
Discuss challenges to improve privacy practices with the organization's leadership or privacy officer.