This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.
Forgive me, but to fully appreciate the impact of state data privacy laws on managing records retention and disposing of unnecessary data, a bit of history is needed (if you’re allergic to history, skip this post). Our focus is through the narrow lens of two key elements of data privacy regimes: data minimization (only collecting the minimum of personal data needed for the collection purposes) and storage limitation (only keeping personal data for as long as needed for these purposes).
United States data privacy law is a global outlier. That’s ironic, given that the building blocks of modern data privacy law, the Fair Information Privacy Practices (FIPPs), were first expressed in a 1973 report by the U.S. Department of Health, Education, and Welfare, “Records, Computers, and the Rights of Citizens.” As originally framed, the FIPPs (Transparency, Access, Choice, Correction, and Quality/Protection) did not speak directly to data minimization or storage limitation. At least at the outset, the FIPPs did not expressly call for minimizing collection of personal data or deleting personal data once its collection purpose was satisfied.
If data privacy were a religion, and the FIPPs its original Word, what came next was inevitable – inspiration spread globally and resulted in various denominations, each restating and taking the core beliefs in different directions, as influenced by cultural factors and, with data privacy law, governing philosophies: