Data minimisation is where a business only collects and retains the personal information reasonably necessary to achieve specific business purposes. It is an easy and essential tactic for Australian businesses to adopt to manage risks associated with cyberattacks.

Legal obligations to minimise data

The Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) promote data minimisation. The Office of the Australian Information Commissioner (OAIC) has provided helpful guidance on these APPs:

  1. APP 3: Limited Collection

APP 3 only permits an organisation to solicit and collect personal information which is reasonably necessary for one or more of the organisation’s functions or activities. This is an objective test looking at why the information is collected, how it will be used and whether the relevant business activity could proceed without the information.

Commonwealth government agencies must comply with a higher threshold and may only solicit and collect personal information “directly related to” one or more of the agency’s functions or activities.

The OAIC has noted that collecting personal information on the basis that it may become relevant later is generally not reasonable grounds for collecting the information.

  2. APP 11: Limited Retention

APP 11 requires organisations to take active measures to ensure personal information is held securely, and to actively consider whether they are permitted to retain that personal information.

Organisations must take reasonable steps to protect information from misuse, interference and loss, and unauthorised access, modification or disclosure. They must take reasonable steps to destroy or de-identify personal information no longer needed for the purposes for which that information was initially collected.

Benefits of data minimisation

  1. Reduced cybersecurity risks

The more data you hold, the more susceptible you are if your organisation suffers a cyberattack. Minimising the amount of personal information your organisation holds will mitigate the impact of any cyberattack on your business, employees and customers, as fewer individuals will be affected by any data breach, or the impact on them will be less.

  2. Building trust with consumers

Consumers appreciate choosing why and how their personal information is collected and used. The OAIC’s 2023 Australian Community Attitudes to Privacy Survey reported that 62% of Australians consider the protection of their personal data to be one of the major concerns in their life. In addition, 92% of Australian respondents would like businesses to do more to protect their personal information, with 84% indicating that they would like more control over their information and how it is used.

This highlights the importance of implementing data minimisation practices across your organisation and how they can build trust with stakeholders, showing that you respect their values and privacy.

  3. More accurate data

Businesses should get in the habit of erasing data that has already served the purpose for which it was initially collected. Apart from reducing the impact of a data breach, this allows businesses to retrieve stored information more efficiently and ensures that the information held is accurate, relevant and legal.

  4. Improved compliance with legal obligations

Implementing data minimisation practices assists compliance with privacy laws. We anticipate reform to these laws in coming years which will continue to prioritise the safety of individuals.

How to effectively implement data minimisation practices

  1. Collect only essential data

Personal information should only be collected for purposes that relate to the functions and activities of your organisation. If no use is directly attached to the data, you should not collect the data.

An easy way for businesses to adopt data minimisation practices is to consider:

  1. What data is being collected?
  2. What is it being collected for?
  3. Does the data subject know it is being collected, and for what purpose?
  4. Where is it being stored?
  5. How long is it being stored?

  2. Internal training and policies

Implement employee training on data minimisation practices to ensure your organisation understands whether to collect or retain personal information, and how it should be managed. Maintain a transparent and accessible privacy policy that outlines the purpose of collecting and disclosing personal information to ensure clarity for customers and employees.

  3. Delete data following use

After collected data has served its purpose, or no longer serves the purpose for which it was collected, you should securely erase or de-identify that data.

Maintaining a data retention and destruction policy helps to manage information held by an organisation and assists employees to decide whether or when information and data should be retained or destroyed. This helps to safeguard data, reduce the risk of unauthorised access or data breaches, ensure compliance with regulations, and facilitate informed decision making.

  4. Conduct regular data audits

Regular data audits allow organisations to assess what data they have on file, how it is being stored, and whether it remains necessary. This assists with deciding whether data should be deleted or de-identified.

Key takeaways

Data minimisation is a fundamental cybersecurity measure that all Australian businesses should adopt, especially in today’s data-driven world. Your business should only collect and retain information necessary to provide your goods and services and to run your business. Through minimising data collection and the associated good data governance practices, organisations can enhance their cybersecurity, earn customer loyalty and trust, and encourage data accuracy and privacy compliance.

Contact Sainty Law if you require assistance implementing an effective data minimisation framework for your business, or for advice on complying with your data minimisation and other data governance legal obligations.