The minimality requirement
The requirement of minimality is one of the conditions for processing personal information in the Protection of Personal Information Act (POPIA). The POPIA provides that personal information can only be processed ”if, given the purpose for which it is processed, it is adequate, relevant and not excessive”. This is referred to as the minimality requirement or data minimisation.
The equivalent article of the GDPR provides that “personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).”
The minimality requirement shouldn’t be confused with minimalism. It’s not about clearing clutter, and it won’t help you live a life that sparks joy.
So what does minimality mean then?
Minimality means that you should only collect and keep information that you need – nothing more. Your first step would be to establish what your purpose is with the personal information. This you can determine by unpacking and clearly stating why you have to process the personal information in the first place.
Now that you’ve got a grip on your purpose, you must decide how much personal information will be adequate, relevant, and not excessive in fulfilling your purpose. You may need to consider this for every individual or group of individuals whose information you are processing.
The personal information you work with must not be excessive but it must still be satisfactory or acceptable in quality or quantity and it must always be closely connected or appropriate to your purpose. The ‘bigger is always better’ and ‘let’s get that information just in case’ approach won’t fly. Or, in the (slightly altered) words of Marie Kondo; cherish the information you really need and let go of the rest with gratitude.
Could data minimisation become a trend?
Maybe. Much like with minimalism, some people have caught on to the benefits of data minimisation. Some have even suggested that computer science curriculums should focus on data minimisation. But privacy naturally conflicts with capability when it comes to data analytics, and fans of big data won’t easily ‘let go with gratitude’.
Here are some benefits of data minimisation:
• it reduces storing and analytic costs;
• it reduces the consequences of a data breach (or ransomware attack);
• it reduces the chances of unethical surveillance and profiling;
• it delivers happier customers who work with shorter forms;
• it increases your chances of being POPIA (and GDPR) compliant; and
• it reduces your chances of getting into trouble with the Regulator.
The Berlin Commissioner for Data Protection recently imposed a EUR14.5 million fine on Deutsche Wohnen SE (a real estate company) for not complying with the data minimisation requirements of the GDPR. Quite a hefty fine for having information ‘just in case’!
When it comes to personal information ‘less is more’, and having accurate, appropriate information is much more valuable than having ALL the information.