Data Minimisation in Practice: A Strategic Imperative in Today’s Digital Landscape

The age-old idiom “less is more” is gaining traction in the privacy sphere. Data minimisation is quickly rising to the top of many privacy ‘must-do’ lists, and because it brings significant business benefits, such as risk mitigation, better customer relations and lower compliance costs, we aren’t surprised to see increasing interest. Yet many businesses aren’t realising these benefits: they collect more data than ever and rely on ever more complex privacy policies and disclosures instead of making a genuine attempt to minimise data collection.

This article outlines what data minimisation looks like in practice, why it’s a good idea, and some tips on how your business can achieve it.

Data Minimisation Meaning: What is the principle of data minimisation?  

Data minimisation is the practice of limiting the collection, processing and storage of information, and personal information in particular, to what is adequate, relevant and necessary to accomplish a specified purpose.

This means you should understand what you want to do with the data you are collecting and then collect only the data that you need to achieve that purpose – no more, no less.  And you shouldn’t keep it once that purpose has been achieved. 

Data Minimisation and The Law

Data minimisation became part of data protection law when it was included in Article 5(1)(c) of Europe’s General Data Protection Regulation (GDPR). This Article requires that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. The principle is the same under the UK GDPR.

Although the idea has traditionally been woven through privacy principles, the GDPR gave it its own place as a stand-alone principle, in recognition of the importance of the concept.

For example, in Australia, APP 3 (which still uses the more traditional privacy principles) refers to limited collection and requires covered entities to collect personal information only when it is “reasonably necessary” for the entity’s functions or activities.

The OAIC provides the following examples of where the collection of personal information was not reasonably necessary:  

  • A job applicant being asked to disclose whether they had suffered a work-related injury or illness, when this information was not relevant for the position advertised.  
  • A person applying to open a bank account being asked about their marital status. 
  • A medical practitioner photographing a patient for their records, when this was not necessary to provide the health service.  

Changes coming to data retention laws in Australia 

The Australian Privacy Act Review proposed a number of changes relating to data retention, including:  

  • More detailed guidance on what are ‘reasonable steps’ to destroy or de-identify personal information;
  • A requirement for organisations to identify the maximum and minimum retention periods for the personal information they hold, and to review those periods periodically;
  • Retention periods to be included in every organisation’s Privacy Policy;
  • A review of all legal retention requirements across Commonwealth and State entities.

(De-identification and the treatment of de-identified data will be covered in a separate post.)

On the topic of data minimisation more broadly, the Privacy Act Review report highlighted the importance of data minimisation but did not go as far as introducing a specific data minimisation principle.  

You can read more about this in our detailed blog post about the Privacy Act Review and retention periods. 

Why is data minimisation important?

The more information you hold about a person, the more identifiable they are, and the greater the harm to the individual in the event of a data breach. By minimising the amount of personal information your business holds, you also minimise the reputational and legal risk a data breach poses to the business.

Some other compelling reasons for adopting a more minimalistic approach to data collection:  

  • Easier to maintain: Other privacy obligations include taking reasonable steps to ensure the accuracy and completeness of the data you hold. This is difficult if you’re retaining data that is old and which may relate to people who haven’t been customers for many years. Remember how surprised people were to learn they were still in the Optus database?
  • Reduced Attack Surface. Cyber criminals often target data troves, especially with sensitive personal information. By reducing the amount of data that you collect and store, you also make your organisation less attractive a target to cyber criminals.  
  • Streamlined Data Landscapes. With fewer data points to manage, your security team can better focus their resources.  
  • Cost Optimisation. Data storage, retention, governance, and protection comes with significant costs. Minimising the amount of data you collect also minimises the costs associated with managing the data.  
  • Increased Trust and Brand Loyalty. Customers are becoming more privacy-alert and in some cases will prefer brands that adopt data minimisation.  
  • Future-Proof Privacy Practices. Regulators, too, are becoming more alert to the impact of data over-collection. Adopting data minimisation now may help to future-proof your privacy practices.

How to implement data minimisation in your business 

Start with a culture of decreased collection

Your company should make business decisions with data minimisation in mind. In practice, this requires you to ask a series of questions before you start to collect personal information:  

  • Why does the business need this data? Answering this question is imperative to collecting and storing data with purpose.    
  • How will this data be used?  
  • Can I achieve this same purpose without collecting the data?  
  • If I can’t, how long does the data need to be stored to achieve the specified purpose?  

The earlier in the product development or project cycle these questions are asked, the better.  

Bear in mind that data minimisation comes with significant business benefits. Collecting and storing data without purpose produces an oversupply of data that buries the valuable insights. By collecting only the data you need and will use, you can focus on the data points that will move the needle for your business.

Re-Think Your Collection of Low Value-High Risk Data

We regularly see examples of companies collecting low-value, high-risk data. This category includes any personal or sensitive information that offers very little advantage to the business but carries a high risk for the customer. For example:

  • Dates of birth. The month or year alone will suffice in almost every instance. We regularly see organisations asking for dates of birth for customer loyalty programs for example, with the business purpose for the collection being the execution of the loyalty program. However, there are very simple mechanisms you could introduce to avoid this collection. For instance, the customer could provide just the month of their birth in lieu of the exact date, and the loyalty reward could be collected at any point during this month.  
  • Religious affiliations, political views, and sexual preferences are all regarded as ‘sensitive’ data and strict controls apply to the collection and use of this sort of data.  
  • Precise financial details beyond what’s required for payment processing. It’s generally advisable to avoid collecting personal financial information such as income levels (estimated or actual), bank account details and spending habits beyond purchase data. This information presents a high risk of identity theft and financial fraud while offering minimal business benefit. This is true even for rental businesses and financial providers: where an indication of income is genuinely needed, these companies can ask for an income ‘range’ rather than an exact figure.
  • Gender. Knowing a customer’s gender often has very little bearing on their purchases, so it’s largely irrelevant but significantly risky. You can focus on individual preferences and interests instead. It’s likely that this will lead to more relevant business insights too.  

In every case, it’s helpful to ask “is there a way I can achieve the same end without collecting personal information?”. If the answer is yes, opt not to collect it.

Signal App – An Example of Data Minimisation Executed Well 

Signal is a free, privacy-focused messaging and video chat app. Instead of collecting data or pushing ads, it relies on donations from users to fund the app.  

The app only requires individuals to provide their phone number to sign up. Users can voluntarily add their name and photograph if they wish.  

Contrast this with the Meta-owned WhatsApp messaging service, which requires users to share information with the other Meta companies. The categories of data WhatsApp shares with Meta include (but aren’t limited to) your phone number, transaction data, information about how you interact with businesses, and your IP address.

De-identify the data you hold  

If you can achieve what you need to achieve with de-identified data, you should implement processes to do so at the earliest possible stage.   

You might consider some of the following de-identification techniques: anonymisation, pseudonymisation, generalisation, or differential privacy. Note that pseudonymised data is still personal data for as long as the means to re-identify it (a lookup table or a hashing key) exist somewhere in your organisation; only genuine anonymisation takes the data outside the privacy regime.

An Example of Poor Data Management 

A taxi company in Denmark was fined under the GDPR because it retained customer phone numbers for longer than the specified period. The company had deleted other personal information but retained the phone numbers because it used them as an account identifier. The fine was levied (partially) on the basis that the phone number could easily be substituted with another account number and achieve the same purpose.  

If you’ve adopted lazy data management because de-identifying the data you hold is difficult, consider updating your processes.   
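The two techniques that fit the taxi example above, pseudonymising the phone number into a surrogate account identifier and generalising a date of birth to a birth month, look like this in code. This is an added illustration, not code from the article or from Privacy108; the record layout, field names, sample values and the separately stored key are all constructed assumptions.

```python
"""De-identification helpers: pseudonymisation and generalisation.

Added example, not code from the article or from Privacy108. The record
layout, field names, sample values and key handling are constructed
assumptions for illustration only.
"""
import hashlib
import hmac

# Constructed sample records: the raw customer data a ride-booking or
# loyalty system might hold. Rows 1 and 3 belong to the same person.
SAMPLE_RECORDS = [
    {"phone": "+61400000001", "dob": "1987-04-23", "trips": 12},
    {"phone": "+61400000002", "dob": "1990-11-02", "trips": 3},
    {"phone": "+61400000001", "dob": "1987-04-23", "trips": 1},
]

# Hypothetical secret held by the privacy/security team, stored apart from
# the de-identified data set. While it exists the tokens are re-identifiable
# (so still personal data); destroying it turns them into anonymous tokens.
PSEUDONYM_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def generalise_dob(dob: str) -> str:
    """Generalisation: reduce a full date of birth ('YYYY-MM-DD') to the
    birth month ('MM'), which is all a birthday reward needs."""
    _year, month, _day = dob.split("-")
    return month


def pseudonymise(value: str, key: bytes) -> str:
    """Pseudonymisation with a keyed hash (HMAC-SHA256).

    Deterministic, so rows for the same phone number still join on the
    token. A plain SHA-256 of a phone number would be trivially reversible
    by brute force over the ~1e10 possible numbers; the secret key prevents
    that. 96 bits of output is ample to avoid accidental collisions.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return digest[:12].hex()


def deidentify_record(record: dict, key: bytes) -> dict:
    """Replace the phone number with a surrogate account identifier and the
    date of birth with the birth month; every other field is copied through."""
    out = {k: v for k, v in record.items() if k not in ("phone", "dob")}
    out["account_id"] = pseudonymise(record["phone"], key)
    out["birth_month"] = generalise_dob(record["dob"])
    return out


def deidentify_all(records, key: bytes) -> list:
    """De-identify a whole data set."""
    return [deidentify_record(r, key) for r in records]


if __name__ == "__main__":
    for row in deidentify_all(SAMPLE_RECORDS, PSEUDONYM_KEY):
        print(row)
```

The design choice worth noting is the keyed hash: it keeps the account identifier stable (the taxi company’s stated reason for hanging on to phone numbers) without the data set containing a phone number at all. If you never need to re-identify, replace the HMAC with a random surrogate and discard the mapping table.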

Manage the data you hold 

The longer you store data, the less likely it is to be accurate, and the more likely it is that your customers will be upset if that data is breached. You may also be in breach of your Privacy Act obligation to take reasonable steps to ensure the personal information you hold is accurate and up to date.

Some Examples of Data Retention Gone Wrong 

  • The mammoth Latitude Financial breach in 2023, which involved more than 14 million records, remains one of Australia’s largest data breaches to date. However, the staggering volume of data the company had retained emerged as one of the most worrying takeaways from the breach. The New Zealand Privacy Commissioner noted “[s]ome of the 14 million New Zealand and Australia records taken are up to 18 years old, which isn’t okay”. 
  • In 2016, a misconfigured backup of the Red Cross Blood Service’s DonateBlood website left the personal details of 550,000 prospective donors, who had booked an appointment to donate blood via the website between 2010 and 2016, publicly accessible. Not only were these details unlikely to still be accurate, there was no reason for them to be stored on the website for as long as they were. Applying data minimisation principles would have significantly reduced the risk of harm from the disclosure.
  • Data minimisation was also one of the key issues for the Joint Australian and Canadian Privacy Commissioner investigation into the Ashley Madison breach, which exposed the details of over 36 million users of the site in 2015.   Of particular interest to the regulators was Ashley Madison’s retention and use of personal information even after profiles had been deactivated or deleted, as well as its failure to confirm the accuracy of data held before collecting or using it.  


Your company should implement policies and processes to ensure that data is stored only while it is needed and either deleted, reduced, or updated at regular intervals.   
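A retention policy only helps if something actually enforces it. The following added example (not code from the article or from Privacy108) shows a sweep that classifies each record as keep, delete, de-identify or review against a per-purpose retention schedule. The schedule, purposes, record layout and dates are constructed assumptions; real periods come from your own legal retention analysis. The "review" outcome for records with no recognised purpose is deliberate: a record you cannot tie to a purpose is exactly the kind that sat in the Latitude and Red Cross data sets for years.

```python
"""Retention sweep: decide, per record, whether it is kept, de-identified,
deleted, or flagged for review.

Added example, not code from the article or from Privacy108. The retention
schedule, purposes, record layout and dates are constructed assumptions.
"""
from datetime import date

# Constructed retention schedule: the maximum number of days a record may
# be held for a given purpose, and what happens when that period expires.
RETENTION_SCHEDULE = {
    "active_account": {"max_days": 365, "on_expiry": "delete"},
    "donation_appointment": {"max_days": 90, "on_expiry": "delete"},
    "tax_record": {"max_days": 7 * 365, "on_expiry": "delete"},
    "usage_analytics": {"max_days": 180, "on_expiry": "deidentify"},
}

# Constructed records. `last_activity` is the date the purpose was last
# served (last trip, appointment date, transaction date, ...).
SAMPLE_RECORDS = [
    {"id": 1, "purpose": "active_account", "last_activity": "2023-12-20"},
    {"id": 2, "purpose": "active_account", "last_activity": "2005-06-01"},
    {"id": 3, "purpose": "donation_appointment", "last_activity": "2022-11-15"},
    {"id": 4, "purpose": "tax_record", "last_activity": "2019-03-31"},
    {"id": 5, "purpose": "usage_analytics", "last_activity": "2022-01-01"},
    {"id": 6, "purpose": "legacy_import", "last_activity": "2010-01-01"},
]


def retention_action(record: dict, today: str, schedule: dict) -> str:
    """Return 'keep', 'delete', 'deidentify' or 'review' for one record.

    `today` is an ISO date string. A record whose purpose is not in the
    schedule cannot justify its own retention, so it is flagged for review
    rather than silently kept.
    """
    rule = schedule.get(record["purpose"])
    if rule is None:
        return "review"
    age_days = (date.fromisoformat(today)
                - date.fromisoformat(record["last_activity"])).days
    if age_days <= rule["max_days"]:
        return "keep"
    return rule["on_expiry"]


def sweep(records, today: str, schedule: dict) -> dict:
    """Group record ids by the action the schedule requires."""
    plan = {"keep": [], "delete": [], "deidentify": [], "review": []}
    for record in records:
        plan[retention_action(record, today, schedule)].append(record["id"])
    return plan


def oldest_age_years(records, today: str) -> float:
    """Age of the stalest record in years; a useful figure to report to
    the board alongside the total number of records held."""
    today_d = date.fromisoformat(today)
    ages = [(today_d - date.fromisoformat(r["last_activity"])).days
            for r in records]
    return round(max(ages) / 365.25, 1)


if __name__ == "__main__":
    run_date = "2024-01-01"
    print(sweep(SAMPLE_RECORDS, run_date, RETENTION_SCHEDULE))
    print("oldest record (years):", oldest_age_years(SAMPLE_RECORDS, run_date))
```

Run this on a schedule (nightly is typical), log what it did, and route the "review" bucket to whoever owns the data inventory rather than leaving those records in place by default.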

Privacy108 Can Help Your Business Implement Data Minimisation Practices 

Your business can benefit from reducing the amount of data you hold and creating a culture of data minimisation. Privacy108 will work with you to design and implement programs to uplift your privacy maturity including governance, policies, training and privacy assessments. 

We use Privacy by Design Principles when developing your business privacy program:

Table outlining Privacy by Design principles

Contact us to discover how this can benefit your business.


Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.