DATA MINIMIZATION
THE INQUISITIVE INTERROGATOR
An important privacy principle is data minimization — to collect, use, access, or disclose the minimum necessary personal information to accomplish one’s purpose.
This principle appears in many laws. For example, the HIPAA Minimum Necessary Rule states, “A covered entity must make reasonable efforts to limit the scope of the PHI it uses, discloses or requests to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.” The European Union’s General Data Protection Rule (GDPR) states, “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”
Being careful with how much information is used, accessed and shared not only keeps an organization in compliance with various laws, it also increases efficiency and reduces risk for the organization. Storing more personally identifiable information (PII) than required leaves an organization open to unnecessary risk from data breaches. It can also be unwieldy to sift through reams of irrelevant data to find what you are looking for.
Data minimization should be a principle that is applied throughout the entire life cycle of personal information. In addition, data should not be retained when there is no longer a purpose for keeping it. In the era of big data, it is important to keep data minimization principles in mind and identify the purposes of stored personal information at regular intervals.
This training video (~4.5 minutes) demonstrates the importance of data minimization in a humorous way. The vignette shows how accessing and using more data than necessary can make people uncomfortable. This program was developed with the privacy team at Intel.
Learning Objectives
- Understand why it is important to collect, use, access, or disclose the minimum necessary personal information to accomplish one’s purpose
- Learn about the risks to an organization for collecting and storing more data than is needed
Please Contact Us to Evaluate this Program or Others
We can provide you with a login so you can evaluate the programs.
About TeachPrivacy and Our Training Philosophy
TeachPrivacy was founded by Professor Daniel J. Solove, the leading expert on privacy and data security law. He is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience.
According to Professor Solove: “Great training isn’t about slickness or tricks. It is about teaching. The goal is to make people understand, care, and remember. Great training is made with genuine passion – to make people love training, it must be made with love. Excellent substance is essential. The material must be explained clearly, understandably, and concretely. The content must be short and to the point – and it must be engaging. Slickness and gimmicks can’t compensate for lackluster substance.”
TeachPrivacy provides privacy awareness training, information security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics.
Professor Solove is a law professor at George Washington University Law School. He has taught privacy law every year since 2000, has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject. His LinkedIn blog has more than 1 million followers.