Data minimisation and doing business
Joanna Marzouca
Business
With Joanna Marzouca  
February 1, 2022

Data minimisation and doing business

Legal Notes

TODAY information is being collected, stored, and transferred at an increasing rate. In some cases that data is among a business’ most- valued and treasured assets.

However, with the explosion in the use of technology to expand one’s online presence, this opens the door for new issues and challenges for businesses in the area of data privacy and data protection.

Data Minimisation in Principle

Data minimisation is the practice of minimising the overall amount of personal data collected. It requires a data controller to limit the collection of personal data to what is relevant and necessary for the purpose it is being processed and retained for only as long as is necessary to achieve that purpose.

Data minimisation is also a data protection standard and is included in the Data Protection Act of Jamaica. Section 26 of the Data Protection Act requires that personal data shall be adequate, relevant and limited to what is necessary for the purposes for which they are processed. As a result, data controllers in Jamaica have a duty, pursuant to the Data Protection Act, to comply with this principle.

But how exactly does one practice data minimisation?

Data Minimisation

It may be a challenge for businesses to integrate data minimisation into practice where their business is data analytics or where it heavily relies on the information produced by data analytics such as market trends and consumer preferences. The benefit of the information to be gained from data is undeniable, however, if not processed in accordance with relevant data protection legislation, it has the potential to pose challenges for data controllers.

Adequate, Relevant, Limited

The three key elements of data minimisation are ensuring the personal data is adequate, relevant and limited to what is necessary for the purposes for which they are processed.

Adequate, relevant and limited are not defined by the Data Protection Act of Jamaica or other similarly drafted data protection legislation. Notwithstanding, the UK data commissioner indicates that:

1) adequate means sufficient to properly fulfill your stated purposes;

2) relevant means has a ration link to that purpose; and

3) limited to what is necessary means you do not hold more than what you need for that purpose.

Data controllers should assess the purpose for processing and determine what data are necessary for that specific purpose. In practice, a helpful tool to achieve this is to conduct periodic evaluations of the data, the purpose for processing and relevant policies and systems implemented. This will assist data controllers in ensuring the data are adequate, relevant and limited and highlight appropriate retention periods. Taking the ‘save everything’ approach is not best practice.

An interesting area that the relevance of data comes into play is the employee-employer relationship. When a business is collecting data on current or potential employees, it is important that the data collected are necessary and relevant for the position. For example, for the employer to adhere to their statutory responsibilities they require data to carry out the payment of income tax, PAYE, National Insurance Scheme and National Housing Trust obligations. In this area, periodic evaluations of the data should be done at hiring, promotion, demotion and even firing to aid in the determination of any adjustment, deletion or anonymisation of the data being processed.

The time in which data are retained is not only an element of data minimisation, but is a separate principle in itself. Record keeping is an important part of every business and the appropriate retention time will vary across businesses and industries. For instance, financial institutions and designated non-financial institutions are required by statute to retain records for seven years for anti-money laundering and counter-terrorism purposes. As a result, to hold customer’s records for a period beyond seven years, unless instructed otherwise by the relevant regulator or some other compelling business reason or court order, may not be considered compliant with data minimisation.

In 2018, the Danish Data Protection Authority fined Taxa 4×35, a taxi company for approximately US$180,000.00 for retaining personal data of passengers from approximately nine million taxi rides beyond the statutorily required two-year period. While Taxa erased the name and address of each customer within the prescribed retention period, the phone numbers were retained and used as account numbers. Taxa itself admitted that the retention of the phone numbers was not necessary as an anonymised number could have been used.

Benefits of Data Minimisation

In approaching the concept of data minimisation, data controllers should keep in mind the benefits which include:

1) reduction in cost on data retention and storage;

2) reduction in the likelihood of a breach;

3) reduction in the number of records that may be affected in the event of a breach;

4) compliance with relevant data protection legislation resulting in efficiency, improved customer experience, improved risk management and reduced likelihood of breaches resulting in fines;

5) improved data management;

6) faster responses to data requests; and

7) improved customer trust.

When assessing the need for data minimisation, businesses should also consider the reputational risks of data breaches and potential loss of consumer confidence. A study done in 2020 by Braze, a US customer engagement platform, indicates that 84 per cent of customers decided against engaging with a company who requested ‘too much information’.

All in all, in the realm of data minimisation, less can certainly be more. Data controllers can gain more in compliance, cost-saving, reputation and trust by ensuring the data being processed are adequate, relevant and limited. Data controllers should keep in mind that while data are easy to collect, there are responsibilities that come with its collection to ensure compliance with the laws and a need to have controls in place to ensure the proper use of that data. This is especially relevant now, with specific provisions of the Data Protection Act having come into force on December 1, 2021 as the two-year transitional period afforded by the Act has begun to run, making principles like data minimisation more important than ever. Preparing your business for compliance with the Data Protection Act is a new area but with proper advice and awareness you will be able to prepare to meet the challenge. If you are unsure, you should seek the advice of a competent attorney.

Joanna Marzouca is an associate in Myers, Fletcher & Gordon’s Commercial Department. She may be contacted via joanna.marzouca@mfg.com.jm or www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.

img img
0 Comments · Make a comment

ALSO ON JAMAICA OBSERVER

Vatican employees voice discontent in first poll
International News, Latest News
Vatican employees voice discontent in first poll
January 21, 2026
VATICAN CITY, Holy See (AFP) — Vatican employees have expressed dissatisfaction with their management in a first-ever poll of staff published this wee...
US Supreme Court to hear Trump bid to fire Fed governor
International News, Latest News
US Supreme Court to hear Trump bid to fire Fed governor
January 20, 2026
WASHINGTON, United States (AFP)—The US Supreme Court hears arguments on Wednesday over President Donald Trump's attempt to fire a Federal Reserve gove...
Sections of communities in Westmoreland now have light
Advertorial, Latest News
Sections of communities in Westmoreland now have light
January 20, 2026
With the energisation of power lines leading to the National Water Commission (NWC) Roaring River Pump, customers in sections of Petersfield, sections...
‘Shots started to ring out’: Politician gives chilling account of triple fatal police shooting
Latest News, News
‘Shots started to ring out’: Politician gives chilling account of triple fatal police shooting
Senior gov’t official recalls witnessing killings from window in murder trial of six cops
DANA MALCOLM, Observer Online reporter, malcolmd@jamaicaobserver.com 
January 20, 2026
A senior politician who lived close to the scene where three men were killed by police 13 years ago on Arcadia Drive in St Andrew testified Tuesday th...

HOUSE RULES

  1. We welcome reader comments on the top stories of the day. Some comments may be republished on the website or in the newspaper; email addresses will not be published.
  2. Please understand that comments are moderated and it is not always possible to publish all that have been submitted. We will, however, try to publish comments that are representative of all received.
  3. We ask that comments are civil and free of libellous or hateful material. Also please stick to the topic under discussion.
  4. Please do not write in block capitals since this makes your comment hard to read.
  5. Please don't use the comments to advertise. However, our advertising department can be more than accommodating if emailed: advertising@jamaicaobserver.com.
  6. If readers wish to report offensive comments, suggest a correction or share a story then please email: community@jamaicaobserver.com.
  7. Lastly, read our Terms and Conditions and Privacy Policy

Polls

Recent Posts

Archives

Logo Jamaica Observer
Breaking news from the premier Jamaican newspaper, the Jamaica Observer. Follow Jamaican news online for free and stay informed on what's happening in the Caribbean
Featured Tags
Categories
Ads
img
Jamaica Observer, © All Rights Reserved