One of my very first interactions with my new co-workers at ClearStar was to explain the term “collection limitation”. It is such an important concept in any industry that processes personally identifiable information (PII). I’ve had dreams of coming into the office wearing a sash that says “Collection Limitation”. (Should it be purple? I love purple.)
Collection limitation is exactly what it says. It is limiting the amount of PII collected. Information should only be collected if it is needed and when it is needed. It should be retained only as long as necessary.
This explanation should sound familiar. Most, if not all, privacy regulations have a collection limitation requirement.
The EU Privacy Directive 95/46/EC Article 6(1)[1] indicates:
(c) personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
Canada’s PIPEDA Fair Information Principles[2] include:
Principle 4 – Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Principle 5 – Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
(For a fascinating look into the potential ramifications of over-collection, take some time to review a ruling by the British Columbia Privacy Office, February 2010.[3] It reads like a story (a guy goes into a bar…), but it had some serious ramifications for the organization involved. This Order is a great tool for any privacy training to help staff understand what may or may not be considered reasonable with respect to data collection.)
Pull up any privacy regulation and you will find similar language.
Not only does practicing collection limitation help an organization to meet privacy regulations – it is also good risk management practice. Retaining any type of personally identifiable information is an obligation that creates risk for the organization. There is the risk of loss, such as through a breach or accidental disclosure, and there is the risk of misuse.
But what does collection limitation mean for our day-to-day practices in global screening?
First, take a look at the PII your company is requesting. Do you really need the information you require all of the time? For example, are you asking for date of birth all of the time? Do you really need a date of birth to process a reference check? Are you asking for a country ID number or copy of ID for every search? Have you asked your data provider if that information is needed for every search? Yes, it is far more work to match ordering requirements to true need, but in the end, it is the right thing to do.
Next, establish a process where someone with an understanding of data privacy and/or security is involved in new data collection requests. I once had an office in Asia contact me to request permission to collect a copy of the subject’s ID for every search requested. Their research indicated that 30% of the time an ID is required for a search. The ID copy was rarely provided by their client, causing a lot of trouble for all parties involved to obtain the ID after the search had begun. Asking for the ID upfront, they reasoned, would help reduce turnaround time and the effort involved in a missing information process. You can imagine my response. I started by thanking them for asking me. We had obviously created a culture where our offices are cognizant of data protection and treat it as a first resort. Then, I asked them to confirm my understanding that in 70% of the searches, they wished to collect a copy of an ID, a document containing a lot of PII, even when they did not need that document. When put in this light, the office decided it was over-collecting and that they did not need the ID for every search after all.
Start working with clients to get them used to the potential of a missing information process. Explain that in order to meet global privacy regulations and data security best practices, you will be asking for PII when needed, which may be after a search is started.
Challenge your data providers when they ask for PII for every search. When required information seems odd for the search, ask why. I’ve often challenged my provider network, and in many cases, they have good reasons for requiring the data or asking for it optionally. These discussions are very insightful and will help you learn more about individual global searches.
Keep in mind that these practices do not only pertain to data that is from outside of the U.S. – they apply just as well to U.S. data.
Finally, if you are in need of a hug, go tell the person in your company that is responsible for information protection that you are embarking on a collection limitation exercise. You’ll get a hug.
[3] Order P10-01, Host International of Canada Ltd, February 10, 2010, https://www.oipc.bc.ca/orders/1418
Kerstin Bagus – Director, Global Initiatives
Kerstin Bagus supports ClearStar’s Global Screening Program as its Director of Global Initiatives. She has more than 30 years of background screening industry experience, working for a variety of firms, large and small. Kerstin is one of the few individuals in the industry who is privacy-certified through the International Association of Privacy Professionals (IAPP) for Canada, the EU, and the U.S.
Kerstin is a passionate participant in the Professional Background Screening Association (PBSA, formerly NAPBS) and is a current member of the Board, in addition to participating on several committees. She also participates on IFDAT’s Legal Committee, with a primary focus on global data privacy.