Data Protection & Freedom of Information Office

Data minimisation

Principle (c) of the GDPR states that personal data shall be "adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed". This principle is sometimes referred to as the "data minimisation" principle.  

In practice, data minimisation means that you should hold only the minimal amount of information required for your activities. It requires you to thoughtfully consider your reasons for processing personal data and your intentions towards that data. If it turns out that you have collected more personal data than is strictly necessary for your tasks, it is advisable to destroy or otherwise get rid of it. The practice of data minimisation also encourages you to regularly review your processing activities as you may find that your personal data needs have changed over time and where you once held data for a specific purpose, that purpose no longer applies. 

If you can reasonably claim that the personal data you are holding or using is adequate, relevant and strictly limited to your purposes, than you are more likely to remain in compliance with data protection legislation and avoid accidental loss or mishandling of that data.  

More information on Principle (c) is available on the ICO website.