In our previous blog post on Data Minimization, we discussed what the key concepts are, why data minimization is so important to information governance, and how data minimization is a “must have” to properly comply with global privacy laws. To help demonstrate good (and bad) practices regarding data minimization, we’ve gathered up a few real-world examples for you to consider.
What are good examples of Data Minimization?
- Notifying visitors that the purpose of collecting their biometric data as part of a fingerprint check at the entrance of a building is to prevent unauthorized persons from entering the premises.
- Allowing website visitors to opt in to future mailings and information (as opposed to opting out).
- Asking for emergency contact information in situations where there is potential for physical harm or other medical concerns.
- Properly deleting data per the organization’s stated retention policies, once it reaches the end of its useful life. Note this example applies to data in general, not just formal records.
What are examples of Data Minimization mistakes?
- An organization is looking to identify a Mr. John Q. Public about something (he is a creditor, he is a witness, he is a beneficiary, etc.). As it is a common name, the organization collects personal data on numerous potential JQPs until they home in on the proper one. Instead of deleting all the information from the “wrong” JQPs, they keep it without realizing that they are over-retaining PII from people who are not directly relevant to the goal or intent.
- An online food delivery app collects your cell phone number in order to “aid in the delivery of your food, in the event there is a problem, or we need to contact you.” However, at the end of your transaction (once the food is delivered and paid for), they maintain your cell number “for marketing purposes,” a new and unrelated use that was not disclosed at the point of acquisition, nor strictly required to deliver the service you requested.
- Using a generic form to ask all job applicants for personal data, such as health conditions, that are only applicable to certain manual or hazardous jobs, and not all roles.