Less Is More
The Promise and Progress of Data Minimization
February 12, 2026
#PrivacyInPracticeCA
Introduction: Technology That’s Ready Today
The ability to verify “over 19” without revealing birthdates represents one of the most significant privacy advances in digital trust and identity. This capability, known as selective disclosure, transforms the fundamental equation of identity verification. Instead of sharing complete documents to prove single attributes, individuals can share only what is necessary for each transaction.
Data minimization is a foundational principle established by the FPT Joint Resolution. The commissioners explicitly called for systems where “only necessary information should be collected, used, disclosed or retained.” They noted that “the collection or use of particularly intimate, sensitive and permanent information such as biometric data should be considered only if it is demonstrated that other less intrusive means would not achieve the intended purpose.”[1]
This article examines where Canada leads in data minimization, why over-collection persists despite available technology, and how government and industry can work together to make selective disclosure the norm rather than the exception.
Why Minimization Matters: The Risk Equation
Every piece of personal information collected creates risk; this risk compounds over time and across systems. Data minimization addresses this risk at its source by preventing unnecessary data from entering organizational systems.
The mathematics of data risk is unfavourable for collectors. Each additional data element creates additional breach surface, compliance obligations, and potential for misuse. Organizations that collect data they do not strictly need accumulate risk without a corresponding benefit.
Breach Prevention Through Non-Collection
The most effective breach prevention is non-collection. Data that is never collected cannot be breached, misused, sold, or subpoenaed. This principle seems obvious, but system designers frequently overlook it.
The OPC’s 2024–2025 annual report documented that breach reports from federal institutions increased to 615 from 561 the previous year, while the number of individuals affected more than doubled, growing from 138,434 to 309,865.[2] Each of these breaches involved data that was collected and retained. Often, the data collected was not strictly necessary for the original purpose.
When organizations collect birthdates to verify age, they create a permanent record that can be breached. When they use selective disclosure to verify “over 19,” they never possess the birthdate at all. No collection means no breach risk for that data.
Limiting Function Creep
Organizations that collect data for one purpose often use it for other purposes. This “function creep” is a persistent pattern in information systems. The FPT Joint Resolution addressed this directly, stating that “personal information in an identity ecosystem should not be used for purposes other than assessing and verifying identity or other authorized purpose(s) necessary to provide the service.”[3] Customer records collected for transaction processing become marketing databases. Identity verification data collected for fraud prevention becomes input for behavioural profiling.
Data minimization constrains function creep by limiting the data available for repurposing. Organizations cannot misuse data they never collected.
Reducing Compliance Burden
Privacy regulations impose obligations on data collectors: notice requirements, access rights, retention limits, and security requirements. The more data an organization collects, the larger its compliance burden. Globally, a 2024 IBM report found that the average cost of a data breach for a business reached approximately $4.88 million USD.[4] Minimization reduces this burden while improving privacy protection.
Technical Solutions: Where Canada Leads
Canada has genuine technical achievements in data minimization that demonstrate selective disclosure works at scale.
BC Wallet: Selective Disclosure in Production
British Columbia’s digital credential system exemplifies selective disclosure. Users approve every use and can share individual attributes rather than entire credentials. BC’s documentation states that it is “possible to prove things about yourself without providing the information itself”. For example, “you could prove you’re over 19 without providing your actual date of birth.”[5]
The technical implementation uses cryptographic techniques that allow verification without disclosure. A verifier can confirm that a credential holder is over 19 without learning their birthdate, name, or any other attribute. The mathematical proofs underlying this capability are well-established; what BC has demonstrated is that they work in real-world deployment.
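The following is an added illustration of the selective-disclosure idea discussed above (the “over 19” check in the introduction and this section). It is not BC Wallet’s code and does not reproduce BC’s actual cryptography; it is a minimal salted-hash construction in the spirit of formats such as SD-JWT and ISO mDL age_over_NN flags, where the issuer pre-computes an “over 19” claim that can be disclosed on its own. Assumptions: the claim names, the digest layout, and an HMAC under a key shared by issuer and verifier as a stand-in for the issuer’s digital signature.

```python
"""Salted-hash selective disclosure: prove "over 19" without revealing the birthdate.

Added illustration, not BC Wallet or Alberta Wallet code. Each claim is committed as
SHA-256(salt || [name, value]); the issuer signs only the list of digests. The holder
later reveals the (salt, name, value) triple for the claims it chooses, and the
verifier recomputes each digest and checks it against the signed list.

A random per-claim salt is essential: without it, a verifier could brute-force a
low-entropy claim such as a birthdate from its digest alone, defeating the point.
The issuer signature is stood in for by HMAC-SHA256 under a key that, in this toy,
both issuer and verifier hold (assumption: a real deployment uses an asymmetric
signature and the issuer's public key).
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

ISSUER_KEY = b"constructed-issuer-key-not-for-real-use"  # constructed, toy only


def _digest(salt: bytes, name: str, value) -> str:
    """Commitment to one claim; JSON encoding makes name/value unambiguous."""
    payload = salt + json.dumps([name, value], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def _sign(digests: list) -> str:
    """Stand-in for the issuer signature over the sorted digest list."""
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()


@dataclass
class Credential:
    digests: list      # sorted claim digests: this is all the issuer signs
    signature: str     # MAC over the digest list
    disclosures: dict  # name -> (salt, value); kept only in the holder's wallet


def issue(claims: dict) -> Credential:
    """Issuer: commit to every claim with a fresh salt and sign the digest list."""
    disclosures = {name: (secrets.token_bytes(16), value) for name, value in claims.items()}
    digests = sorted(_digest(salt, n, v) for n, (salt, v) in disclosures.items())
    return Credential(digests, _sign(digests), disclosures)


def present(cred: Credential, reveal: list) -> dict:
    """Holder: hand over the signed digest list plus openings for chosen claims only."""
    return {
        "digests": cred.digests,
        "signature": cred.signature,
        "disclosed": [(cred.disclosures[n][0].hex(), n, cred.disclosures[n][1]) for n in reveal],
    }


def verify(presentation: dict) -> tuple:
    """Verifier: returns (ok, claims); claims contains only what the holder revealed."""
    if not hmac.compare_digest(_sign(presentation["digests"]), presentation["signature"]):
        return False, {}
    signed = set(presentation["digests"])
    claims = {}
    for salt_hex, name, value in presentation["disclosed"]:
        # A tampered value or salt produces a digest the issuer never signed.
        if _digest(bytes.fromhex(salt_hex), name, value) not in signed:
            return False, {}
        claims[name] = value
    return True, claims


def age_gate(presentation: dict) -> bool:
    """The relying party's whole decision: issuer-vouched 'over 19', nothing else."""
    ok, claims = verify(presentation)
    return ok and claims.get("age_over_19") is True


if __name__ == "__main__":
    # Constructed sample credential; the issuer derives age_over_19 at issuance time.
    cred = issue({"name": "A. Example", "birthdate": "1999-04-01", "age_over_19": True})
    p = present(cred, ["age_over_19"])
    print(age_gate(p), verify(p)[1])  # True {'age_over_19': True}
```

The verifier in `age_gate` learns exactly one bit and never receives the birthdate or name, so there is nothing for it to retain or breach. Replacing the shared-key HMAC with the issuer’s asymmetric signature, and binding the presentation to the holder’s device key, are the two steps that separate this sketch from a deployable wallet credential.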
Alberta Wallet: User Control and Strong Encryption
Alberta’s implementation emphasizes user control and consent-based sharing. The Alberta Wallet is secured with advanced encryption and built to comply with the Freedom of Information and Protection of Privacy Act, the Health Information Act, and Pan-Canadian and international data security standards. Users decide “when, how and with whom to share” their digital documents, and the wallet does not collect location information or track user activity.[6]
Alberta’s approach demonstrates that privacy-protective design can coexist with strong security. As the wallet adds additional credential types beyond the current Mobile Health Card, opportunities for more granular selective disclosure will continue to expand. Security and privacy reinforce each other in well-designed systems.
Private Sector Innovation
Private-sector organizations have made substantial investments in data-minimization technology. Identity verification providers have developed solutions that support attribute verification without requiring full document retention. Financial institutions have implemented KYC processes that verify required attributes while minimizing data collection.
These investments reflect both privacy values and business pragmatism. Organizations that minimize data collection reduce their breach risk, compliance burden, and storage costs. Privacy-protective design often proves more efficient than data-maximizing approaches.
Technology companies have developed on-device processing capabilities that keep sensitive data local. Biometric matching that occurs entirely on a user’s device never exposes biometric templates to the service provider. The OPC’s August 2025 guidance on processing biometrics reinforces the importance of such approaches, urging organizations to assess carefully whether biometric collection is necessary and proportionate.[7]
Emerging Technologies: Zero-Knowledge Proofs
Zero-knowledge proofs take selective disclosure further. Where selective disclosure reveals the chosen attribute values themselves, these cryptographic techniques allow statements about data to be proven without revealing the underlying data at all, not even to the verifier.
The EU Digital Identity Wallet project is actively exploring zero-knowledge approaches. The European Commission’s Architecture and Reference Framework includes a dedicated discussion topic on integrating zero-knowledge proof schemes, noting that they enable privacy-preserving selective disclosure for both remote and proximity verification flows.[8] The European Data Protection Supervisor’s December 2025 TechDispatch on Digital Identity Wallets noted that, while the Commission has not yet adopted zero-knowledge proofs as the standard approach due to current limitations in mobile device suitability and technical maturity, it is actively monitoring developments in research and industry for possible future integration.[9]
Canada and the EU are deepening collaboration on digital credentials. In December 2025, Canada and the European Union announced expanded cooperation on artificial intelligence and digital credentials through the first meeting of the Canada-EU Digital Partnership Council.[10] Canadian researchers and companies are contributing to this technical frontier, and DIACC monitors these developments to incorporate emerging capabilities into the Pan-Canadian Trust Framework as they mature.
Why Over-Collection Persists: Understanding the Barriers
Despite available technology, over-collection remains common. Understanding why helps identify solutions.
Legacy Systems and Technical Debt
Many organizations designed identity verification systems before the selective disclosure technology matured. When organizations designed these legacy systems, capturing complete documents was the only option available.
Replacing legacy systems is expensive and disruptive. Organizations face difficult decisions about when to invest in modernization versus continuing with existing approaches. Privacy improvements compete with other priorities for limited technology budgets.
This challenge affects both government and industry. Public sector systems often have longer replacement cycles and more complex procurement requirements. Private sector systems face pressure to deploy rapidly, which can deprioritize privacy features.
Regulatory Uncertainty
Some organizations over-collect as a precaution, uncertain about what regulators will require. Financial institutions subject to KYC requirements may collect more than strictly necessary, concerned that selective disclosure might not satisfy examination expectations.
This uncertainty reflects a gap in regulatory guidance. When regulators clarify that selective disclosure satisfies compliance requirements, organizations can confidently minimize collection. Until then, risk-averse organizations may over-collect as a hedge.
Integration Complexity
Even organizations committed to minimization face ecosystem challenges. If a verifier implements selective disclosure but the credentials they accept do not support it, minimization is impossible. If a credential supports selective disclosure but verifiers do not request it, the capability goes unused.
Ecosystem-wide adoption requires coordination across credential issuers, wallet providers, and verifiers. This coordination takes time and sustained effort from multiple stakeholders.
Organizational Inertia
Organizations develop habits around data collection. Processes that have collected complete documents for years continue doing so unless deliberately changed. Staff may not know that alternatives exist. Business processes assume complete data availability and may require redesign to work with minimized datasets.
Changing organizational practices requires training, process redesign, and often technology updates. These changes are achievable but require deliberate effort and leadership commitment. Organizations that have successfully implemented minimization report that the initial investment pays off through reduced storage costs, simplified compliance, and improved customer trust.
Change management is as important as technology in achieving data minimization. Leaders must communicate why minimization matters, provide resources for implementation, and hold teams accountable for results.
The AI Dimension: Challenge and Opportunity
Artificial intelligence creates both new challenges and new opportunities for data minimization.
The Training Data Challenge
The OPC’s 2024–2025 survey of Canadians found that 88% are at least somewhat concerned about their personal information being used to train AI systems, with 42% being extremely concerned.[11] This concern is well-founded. AI systems trained on personal data can reproduce that data in unexpected ways. Research presented at the first Conference on Language Modelling found that more than 70% of queries to an AI chatbot contained personally identifiable information.[12] Minimizing the amount of training data reduces this risk.
Organizations developing AI for identity verification face difficult decisions about training data. More data typically improves model performance, which can conflict with minimization principles. Responsible organizations are developing approaches that achieve acceptable performance with minimized training sets.
Privacy-Preserving AI Techniques
AI also enables new privacy-preserving approaches. Federated learning trains models across distributed datasets without centralizing personal information.[13] Synthetic data generation creates training sets that preserve statistical properties without containing real personal information. On-device AI processing keeps sensitive data local while enabling sophisticated analysis.
Canadian identity verification providers are at the forefront of these techniques. The combination of AI capability and privacy protection creates a competitive advantage in markets increasingly concerned about data practices.
DIACC’s Commitment: Standards That Require Minimization
DIACC’s Pan-Canadian Trust Framework incorporates data minimization as a core principle. As DIACC has stated, “Data minimization must be the standard,” requiring that organizations share only the information necessary to verify a user’s identity and the data needed to fulfill the transaction at hand.[14]
The technology exists and works. BC and Alberta implementations prove it at scale. Private sector providers have developed production solutions. What remains is organizational change – including updating processes, training staff, and prioritizing privacy in system design.
DIACC commits to several specific actions:
We will continue to provide guidance and shared resources for organizations implementing minimization.
We will advocate for regulatory clarity to confirm that selective disclosure satisfies compliance requirements, reducing the uncertainty that drives over-collection. The FPT Joint Resolution supports this direction, calling for systems that apply “the principle of minimizing personal information…at all stages of the digital identity process.”[15]
We will document and share successful implementations, helping organizations learn from peers who have successfully implemented minimization.
The Vision: Minimization as Default
The goal is a digital trust and identity ecosystem where data minimization is the default, where systems are designed to collect only what is necessary, and over-collection requires justification.
This vision is achievable. The technology exists. Leading implementations demonstrate feasibility. What remains is broader adoption and sustained commitment.
Achieving this vision requires collaboration across sectors. Governments must modernize legacy systems and provide regulatory clarity. Industry must prioritize privacy in system design and implementation. Standards bodies must incorporate minimization requirements. Civil society must continue advocating for minimization principles.
DIACC is committed to this collaborative effort. Data minimization serves everyone’s interests by protecting individuals, reducing organizational risk, and building the trust necessary for digital trust and identity to succeed.
Next Week
Article 4, “No Tracking: Building Trust Through Architecture,” examines why BC and Alberta’s wallet architectures make government tracking technically impossible.
Footnotes:
[5] Government of British Columbia, “BC Wallet.” See “More control over personal information” section.
[6] Government of Alberta, “Alberta Wallet Fact Sheet,” August 29, 2025. See also Government of Alberta, “Alberta Wallet.”
[7] Office of the Privacy Commissioner of Canada, “Guidance for processing biometrics,” August 11, 2025.
[8] European Commission, EU Digital Identity Wallet Architecture and Reference Framework, “Topic G – Zero Knowledge Proof.” See also European Commission, “Security and Privacy” page for the EU Digital Identity Wallet.
[12] Mireshghallah, N., Antoniak, M., More, Y., Choi, Y., & Farnadi, G. (2024). “Trust No Bot: Discovering Personal Disclosures in Human-LLM Conversations in the Wild.” Proceedings of the First Conference on Language Modeling. DOI: 10.48550/arXiv.2407.11438. Cited in OPC Annual Report to Parliament 2024–2025.
[13] Kairouz, P. et al., “Advances and Open Problems in Federated Learning,” Foundations and Trends in Machine Learning, Vol. 14, Nos. 1–2, 2021. See also ACM Queue, “Federated Learning and Privacy.”
[14] Digital ID & Authentication Council of Canada (DIACC), “Canada’s Community of Digital Identity Leaders Grows to Over 100 Members,” May 2021. See also DIACC, “Trust Framework.”
[15] Federal, Provincial and Territorial Privacy Commissioners and Ombuds with Responsibility for Privacy, “Ensuring the Right to Privacy and Transparency in the Digital Identity Ecosystem in Canada,” Joint Resolution on Digital Identity, September 20–21, 2022, St. John’s, Newfoundland and Labrador.
The Privacy Scorecard
A practical tool for measuring digital identity services against the FPT privacy principles. Assess your organization’s implementation across architecture, policy, user experience, and ecosystem coverage. It is not a compliance checklist or legal advice. Use it to spark conversation, explore unfamiliar concepts, and identify areas worth digging into further.