Data minimisation and doing business
TODAY information is being collected, stored, and transferred at an increasing rate. In some cases that data is among a business’ most-valued and treasured assets.
However, the explosion in the use of technology to expand one’s online presence opens the door to new issues and challenges for businesses in the area of data privacy and data protection.
Data Minimisation in Principle
Data minimisation is the practice of minimising the overall amount of personal data collected. It requires a data controller to limit the collection of personal data to what is relevant and necessary for the purpose it is being processed and retained for only as long as is necessary to achieve that purpose.
Data minimisation is also a data protection standard and is included in the Data Protection Act of Jamaica. Section 26 of the Data Protection Act requires that personal data shall be adequate, relevant and limited to what is necessary for the purposes for which they are processed. As a result, data controllers in Jamaica have a duty, pursuant to the Data Protection Act, to comply with this principle.
But how exactly does one practice data minimisation?
Data Minimisation
It may be a challenge for businesses to integrate data minimisation into practice where their business is data analytics or where it relies heavily on the information produced by data analytics, such as market trends and consumer preferences. The benefit of the information to be gained from data is undeniable; however, if the data are not processed in accordance with relevant data protection legislation, they have the potential to pose challenges for data controllers.
Adequate, Relevant, Limited
The three key elements of data minimisation are ensuring the personal data is adequate, relevant and limited to what is necessary for the purposes for which they are processed.
Adequate, relevant and limited are not defined by the Data Protection Act of Jamaica or other similarly drafted data protection legislation. Notwithstanding, the UK data commissioner indicates that:
1) adequate means sufficient to properly fulfill your stated purposes;
2) relevant means has a rational link to that purpose; and
3) limited to what is necessary means you do not hold more than what you need for that purpose.
Data controllers should assess the purpose for processing and determine what data are necessary for that specific purpose. In practice, a helpful tool to achieve this is to conduct periodic evaluations of the data, the purpose for processing and relevant policies and systems implemented. This will assist data controllers in ensuring the data are adequate, relevant and limited and highlight appropriate retention periods. Taking the ‘save everything’ approach is not best practice.
An interesting area in which the relevance of data comes into play is the employee-employer relationship. When a business is collecting data on current or potential employees, it is important that the data collected are necessary and relevant for the position. For example, for the employer to adhere to their statutory responsibilities they require data to carry out the payment of income tax, PAYE, National Insurance Scheme and National Housing Trust obligations. In this area, periodic evaluations of the data should be done at hiring, promotion, demotion and even firing to aid in the determination of any adjustment, deletion or anonymisation of the data being processed.
The time for which data are retained is not only an element of data minimisation, but is a separate principle in itself. Record keeping is an important part of every business and the appropriate retention time will vary across businesses and industries. For instance, financial institutions and designated non-financial institutions are required by statute to retain records for seven years for anti-money laundering and counter-terrorism purposes. As a result, to hold customers’ records for a period beyond seven years, unless instructed otherwise by the relevant regulator or some other compelling business reason or court order, may not be considered compliant with data minimisation.
In 2018, the Danish Data Protection Authority fined Taxa 4×35, a taxi company, approximately US$180,000.00 for retaining personal data of passengers from approximately nine million taxi rides beyond the statutorily required two-year period. While Taxa erased the name and address of each customer within the prescribed retention period, the phone numbers were retained and used as account numbers. Taxa itself admitted that the retention of the phone numbers was not necessary, as an anonymised number could have been used.
Benefits of Data Minimisation
In approaching the concept of data minimisation, data controllers should keep in mind the benefits which include:
1) reduction in cost on data retention and storage;
2) reduction in the likelihood of a breach;
3) reduction in the number of records that may be affected in the event of a breach;
4) compliance with relevant data protection legislation resulting in efficiency, improved customer experience, improved risk management and reduced likelihood of breaches resulting in fines;
5) improved data management;
6) faster responses to data requests; and
7) improved customer trust.
When assessing the need for data minimisation, businesses should also consider the reputational risks of data breaches and potential loss of consumer confidence. A study done in 2020 by Braze, a US customer engagement platform, indicates that 84 per cent of customers decided against engaging with a company that requested ‘too much information’.
All in all, in the realm of data minimisation, less can certainly be more. Data controllers can gain more in compliance, cost-saving, reputation and trust by ensuring the data being processed are adequate, relevant and limited. Data controllers should keep in mind that while data are easy to collect, there are responsibilities that come with their collection: to ensure compliance with the laws and to have controls in place to ensure the proper use of that data. This is especially relevant now, with specific provisions of the Data Protection Act having come into force on December 1, 2021, as the two-year transitional period afforded by the Act has begun to run, making principles like data minimisation more important than ever. Preparing your business for compliance with the Data Protection Act is a new area, but with proper advice and awareness you will be able to prepare to meet the challenge. If you are unsure, you should seek the advice of a competent attorney.
Joanna Marzouca is an associate in Myers, Fletcher & Gordon’s Commercial Department. She may be contacted via joanna.marzouca@mfg.com.jm or www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.
