Data Minimisation – Why less is best!

by Johanna King, Head of Data Protection & Freedom of Information Office. 

The laws on data protection are changing and from May 25 2018, the UK, along with the rest of the European Economic Area, will be implementing the General Data Protection Regulation (GDPR). The GDPR will be the biggest change in data protection law for 20 years and will mean a transformation to how the University manages personal data.

One of the Principles of the GDPR is the concept of data minimisation which means ensuring that all personal data is limited to what is adequate, relevant and necessary to the purpose or requirement for processing. So how can personal data be minimised? The easiest way is to ask yourself a series of questions:

  • The first and most obvious is, do I actually need to collect and process personal data at all?
  • Can my task or purpose be served by using data that does not allow an individual to be identified/identifiable? If the answer is yes, the GDPR and its obligations simply do not apply and the risk of personal data breaches and falling foul of the GDPR is removed.
  • If personal data are/have been required, does this data still need to be retained? Has it served its purpose, is it a duplicate copy or is it being kept “just in case”? Have you inherited filing cabinets of unknown records that you have never looked at (or have lost the key to!) or have you been given ownership of unidentified data on a communal shared drive when colleagues have left the University? If the data is not used and you cannot justify the retention, then securely and confidentially destroy it.
  • Do you have an approved records retention schedule? If so, use it and delete and destroy records accordingly.

The GDPR will bring a whole host of additional responsibilities and obligations on the University, extra rights for us all as data subjects as well as new and potentially debilitating financial penalties up to a maximum of 20,000,000 Euros for the University. With such significant financial and reputational stakes, it is imperative that we have appropriate protections and processes in place when dealing with personal data.

Further advice and guidance on other aspects of data protection and the University’s approach to managing this major step change will appear in the new year, as part of a University-wide programme in Colleges and Services covering all personal data, regardless of format or location. However, in the meantime, have a think about the personal data you hold and manage and if it is no longer required then delete, destroy and minimise. In the new world of the GDPR and processing personal data, less really is best!

For further information on data protection, data minimisation, personal data breaches or records and information management please see www.gla.ac.uk/dpfoioffice/


First published: 12 December 2017