Sec. 201. Minimization
/bill/119/hr/8014/ih/section-201·A research copy — for the controlling text, always check the official state or federal source. Not legal advice.
A covered entity shall have a reasonable, articulated basis for collecting, processing, maintaining, and disclosing of personal information that takes into account the reasonable business needs of the covered entity and minimum amount of personal information necessary for providing the service, balanced with the intrusion on the privacy of, potential privacy harms to, and reasonable expectations of individuals to whom the personal information relates. A covered entity may not collect more personal information than is reasonably needed to provide a product or service that an individual has requested.
A covered entity may not process personal information for a purpose other than the purpose for which such information was originally collected from the individual or in the case of a service provider, a purpose other than that which is in accordance with the directions of a covered entity. A covered entity may not maintain personal information once such information is no longer needed for the purpose for which such information was originally collected from the individual or in the case of a service provider, a purpose other than that which is in accordance with the directions of a covered entity.
A covered entity may not disclose personal information for a purpose other than the purpose for which such information was originally collected from the individual or in the case of a service provider, a purpose other than that which is in accordance with the directions of a covered entity.
Notwithstanding subsection (b), a covered entity may collect, process, disclose, or maintain personal information beyond limitations under subsection (b) only if such covered entity complies with this subsection.
A covered entity may collect, process, or maintain personal information without additional notice or consent if the purpose for such collecting, processing, or maintaining is substantially similar to the type of personal information and purpose for which such personal information was originally collected and such ancillary collecting, processing, or maintaining will not result in additional or increased privacy harms.
A covered entity shall provide notice of ancillary collecting, processing, maintaining, or disclosing of personal information in the case of one, but not more than one, of the following instances:
Such ancillary collecting, processing, maintaining, or disclosing may result in additional or increased privacy harms (but not increased significant privacy harms), and is substantially similar to the purpose for which such personal information was originally collected.
Such ancillary collecting, processing, maintaining, or disclosing is not substantially similar to the purpose for which such personal information was originally collected, but will not result in additional or increased privacy harms.
Such ancillary collecting, processing, maintaining, or disclosing may result in additional or increased privacy harms (but not increased significant privacy harms), and the purpose is not substantially similar to the purpose for which such personal information was originally collected, so long as the personal information is secured using privacy-preserving computing.
For scenarios not covered under paragraph (1) or (2), and notwithstanding sections 208(b)(2) and (3), a covered entity shall provide notice of and obtain consent for ancillary collecting, processing, maintaining, or disclosing of personal information.
In cases in which personal information can be replaced with artificial personal information, personal information that has been de-identified, or the random personal information of one or more individuals without substantially reducing the utility of the data or requiring an unreasonable amount of effort, such a replacement shall take place.