Data minimization 101
Data minimization is collecting and keeping the information you need and nothing more. It’s a core part of data privacy. Think of it this way: data privacy is the goal of protecting a person's information. Data minimization is a crucial way you achieve that goal.
Ask before collecting data:
- Do I really need this information to fulfill my goal?
- Will I actually use it to deliver a service or meet a legal requirement?
- If the answer is no, don’t collect or store this data.
Why data minimization and data privacy matter
People expect the government to use their data carefully and only for a good reason. Data minimization helps make that happen.
Building public trust
State departments serve the public. People should be able to trust us with some of their most personal information. It can include their address, income, health history, or immigration status. This information helps us deliver important programs like:
- Food and housing assistance
- Unemployment benefits
- Medical care and insurance
Protecting that information shows we respect their privacy and take our responsibility seriously. When people feel safe sharing their information, they’re more likely to apply for services, continue in government programs, and answer questions honestly.
But if we lose that trust, people may hesitate to get the help they need. This can lead to lower use of public programs or fewer responses to surveys. Strong privacy practices help us earn and keep that trust every day.
Reducing risk
Protecting personal data also helps prevent problems. If personal information is shared by mistake or stolen in a data breach, it can lead to:
- Identity theft
- Financial or other harm to individuals
- Loss of public confidence
- Costly legal penalties or investigations
It’s safer and cheaper to get it right the first time than to fix it later.
Following laws and regulations
Data privacy is the law. In California, we have strong privacy policies governing state departments:
- The Statewide Information Management Manual (SIMM) requires departments to tell you when they collect your information. It sets privacy policies and impact assessments for IT systems.
- The California Information Practices Act (IPA) covers more extensive rights. It tells departments how to collect and share data. It also tells departments to only keep the data they need to get the job done.
State departments must follow these laws. That means being careful about what information we collect, how we store it, and who we share it with. This helps us keep the public’s trust, protects us from legal trouble, and makes sure we do our job the right way.
When you follow these policies and regulations, you apply 2 key concepts of data privacy.
| Purpose limitation | Minimum necessary use and disclosure |
|---|---|
| Data collected is only used for the reason you collected it. It is not used for other purposes without proper justification or consent. | Only access or share the amount of data that’s needed to do the job. |
| Example: Someone gives their address to get mailed benefits. You can’t use their address to send program outreach materials without asking first. | Example: A financial aid worker needs to check someone’s eligibility for student grants. You don’t need to look at someone’s full medical history. |
The concepts reinforce each other. You can't follow the minimum necessary standard without first defining your purpose.
The IPA is the legal foundation for these principles. The SIMM gives the administrative and technical standards to put them into practice. Together they limit what data we collect (minimum necessary) and why we use it (purpose limitation). They make sure we protect and responsibly manage data from the start.

