Step 9. Collect Only What You Need.
The collection limitation principle is one of the Fair Information Practice Principles (FIPPs), which are widely regarded as the North Star of data protection practice. Businesses are encouraged to limit the collection of personally identifiable information (PII) to what they need for a defined and justified purpose; there should be no intentional or accidental collection of PII without a clear purpose. Businesses are custodians of the PII they collect, and the less data they collect, the less effort and fewer resources they need to protect it.
Step 10. Dispose of Unnecessary PII.
Once a business has used information for its intended purpose, it should have protocols in place to securely dispose of that information without delay. Storing sensitive data for no valid purpose exposes a business to unnecessary risk. In the event of a data breach, holding less PII means the business spends fewer resources complying with data breach notification requirements. Several U.S. states have statutes that impose minimum information disposal requirements. Disposing of sensitive PII in a way that lets a third party later recover it, and potentially use it for an unauthorized purpose, would not be considered reasonable. If a third-party vendor is used to dispose of PII, that vendor should contractually commit to complying with the minimum state requirements for PII disposal.
To read more, see the Intro to 12 Steps blog post.
"Steps 11 & 12" coming soon...