Less is More – Data Minimization and Cyber Risk Management

Data minimization is a fundamental principle of Canadian personal information protection laws, and can be an effective way to manage cyber risks.

Data minimization refers to the practice of limiting the collection and retention of information to that which is directly relevant and necessary for a specified purpose. Data minimization is reflected in the Fair Information Principles, which are the foundation of Canadian personal information protection laws.

Data minimization does not necessarily require the deletion of personal information when it is no longer necessary for the purpose for which it was collected. Instead, the data can be modified (e.g. aggregated or otherwise anonymized) so that it no longer constitutes personal information.

Data minimization can be an effective cyber risk management practice, because the less personal information an organization collects and retains, the less personal information will be vulnerable to data security incidents and the less effort (and cost) will be required to safeguard the personal information or respond to data security incidents.

The Privacy Commissioners of Canada and Alberta in their 2007 joint findings regarding the Winners and HomeSense data breach stated:

TJX/WMI’s experience illustrates how maintaining custody of large amounts of sensitive information can be a liability, particularly if the information does not meet any legitimate purpose or if the retention period is longer than necessary. … Collecting and retaining excessive personal information creates an unnecessary security burden. Thus, organizations should collect only the minimum amount of information necessary for the stated purposes and retain it only for as long as necessary, while keeping it secure.

… One of the best safeguards a company can have is not to collect and retain unnecessary personal information. This case serves as a reminder to all organizations operating in Canada to carefully consider their purposes for collecting and retaining personal information and to safeguard accordingly.

For legal compliance and cyber risk management purposes, Canadian organizations should establish and implement written policies and procedures that comply with data minimization requirements. In particular, organizations should collect personal information only when necessary for legitimate business purposes, and should securely dispose of, or effectively de-identify, collected personal information when it is no longer required for the relevant purposes.
