Implement and Maintain Data Minimisation Practices
System owners should limit data collection and storage to what's necessary.
Plain language
System owners should only collect and keep the data they truly need. This is important because storing unnecessary information makes an organisation more vulnerable to data breaches, which can lead to financial losses and harm to reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cyber security roles
Section
System owners
Official control statement
System owners implement and maintain data minimisation practices for each of their systems.
Why it matters
Excessive data retention increases the risk of data breaches, leading to potential financial loss and reputational damage.
Operational notes
Regularly review what data is collected and retained, delete data no longer required, and record retention periods. Document and justify any exceptions to minimisation.
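The review described above can be scripted against a data inventory. The following is an added example, not code from the ISM or from Control Stack; the inventory fields (`data_type`, `justification`, `retention_days`, `exception_reason`, `oldest_record`, `last_reviewed`), the sample entries and the 180-day review cadence are all constructed assumptions. It flags data past its recorded retention period, data types with no recorded justification, exceptions to minimisation that lack a documented reason, and data types whose review is overdue.

```python
"""Retention review over a data inventory.

Added example for a data minimisation review; not part of the ISM or
Control Stack. All field names and sample values are constructed.
"""
from datetime import date, timedelta

# Assumed review cadence and the date the review is run (constructed).
REVIEW_INTERVAL_DAYS = 180
REVIEW_DATE = date(2026, 3, 19)

# Constructed sample inventory: one entry per data type a system holds.
# retention_days=None marks an exception to minimisation; it is only
# acceptable when an exception_reason is recorded alongside it.
SAMPLE_INVENTORY = [
    {"data_type": "customer_email", "justification": "account recovery",
     "retention_days": 365, "oldest_record": date(2025, 1, 10),
     "last_reviewed": date(2026, 1, 5)},
    {"data_type": "raw_access_logs", "justification": "incident investigation",
     "retention_days": 90, "oldest_record": date(2025, 9, 1),
     "last_reviewed": date(2025, 6, 1)},
    {"data_type": "date_of_birth", "justification": "",
     "retention_days": 730, "oldest_record": date(2025, 3, 3),
     "last_reviewed": date(2026, 2, 1)},
    {"data_type": "signed_contracts", "justification": "legal hold",
     "retention_days": None, "exception_reason": "statutory 7-year retention",
     "oldest_record": date(2020, 5, 5), "last_reviewed": date(2026, 2, 1)},
    {"data_type": "marketing_survey", "justification": "campaign analytics",
     "retention_days": None, "oldest_record": date(2024, 5, 5),
     "last_reviewed": date(2026, 2, 1)},
]


def review_inventory(inventory, today, review_interval_days=REVIEW_INTERVAL_DAYS):
    """Return findings keyed by category; each value lists data_type names.

    delete_or_anonymise   - oldest record is older than the retention period
    missing_justification - no recorded reason for collecting the data
    undocumented_exception- no retention period and no documented exception
    review_overdue        - last review is older than the review cadence
    """
    findings = {"delete_or_anonymise": [], "missing_justification": [],
                "undocumented_exception": [], "review_overdue": []}
    for item in inventory:
        name = item["data_type"]
        if not item.get("justification"):
            findings["missing_justification"].append(name)
        retention = item.get("retention_days")
        if retention is None:
            if not item.get("exception_reason"):
                findings["undocumented_exception"].append(name)
        elif today - item["oldest_record"] > timedelta(days=retention):
            findings["delete_or_anonymise"].append(name)
        if today - item["last_reviewed"] > timedelta(days=review_interval_days):
            findings["review_overdue"].append(name)
    return findings


def format_report(findings):
    """Render findings as plain text suitable for a review record."""
    lines = []
    for category, names in findings.items():
        lines.append(f"{category}: {', '.join(names) if names else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)))
```

The output of `format_report` is the kind of artefact the audit tips below ask for: it records the review date, what was found, and which exceptions were justified, so the next review can show what changed.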
Implementation tips
- System owners should make a list of all the data they collect: Identify what information is needed for their operations. They could consult with team members who use the data to ensure they aren't collecting more than necessary.
- Managers should train staff on data minimisation: Organise training sessions where employees learn why and how to collect only essential data. Use simple examples to show how unnecessary data can expose the organisation to risk.
- The IT team should set up a regular data review: Schedule periodic checks to see what data is being stored and used. Delete or anonymise any information that isn’t necessary for business operations.
- Procurement officers should evaluate data needs when acquiring new systems: Before purchasing software or services, ensure they align with the principle of data minimisation. Check with the vendor to ensure their systems don’t require excessive data inputs.
- HR should update data handling policies: Work with legal advisors to ensure data collection practices comply with privacy laws. Provide clear guidelines and distribute them to all staff to reinforce a culture of data minimisation.
Audit / evidence tips
- Ask for the data inventory list: Request documentation of all types of data the organisation collects. Good: a current, detailed data inventory with justifications for each data type.
- Ask to see data review schedules: Obtain the timetable for regular data assessments. Good: the schedule includes completed review dates and future review plans.
- Ask for staff training records: Check documentation of training sessions focused on data minimisation. Good: the record includes participant names, dates, and summarised training materials.
- Ask for procurement evaluations: Review the documentation from recent purchases regarding data needs. Good: the documentation shows how data minimisation was considered in procurement decisions.
- Ask for updated data handling policies: Request the latest version of data management policies. Good: the policy clearly outlines data collection limits and guidelines for staff.
Cross-framework mappings
How ISM-2021 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001

| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.34 | Partially overlaps | ISM-2021 requires system owners to limit data collection and storage to what is necessary, reducing exposure from excessive retained info... |
| Annex A 7.14 | Partially overlaps | ISM-2021 requires system owners to minimise data held in their systems by limiting what is collected and retained |
| Annex A 8.33 | Partially overlaps | ISM-2021 requires system owners to implement data minimisation so only necessary data is collected and stored in each system |
| Annex A 8.10 | Related | ISM-2021 requires system owners to implement and maintain data minimisation practices for each system, limiting collection and storage to... |

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.