Notes and Applied Theory Small Data Ethics

By Laini Byfield

GDPR data minimisation

A practical standard for small data: do not collect, retain, or expose more than is necessary for the purpose.

AdequateRelevantLimited
What minimisation means in small data

Three operational implications

Fields

Resist “just in case” columns. Every extra field increases identifiability and misuse potential. If you cannot name the decision it serves, remove it.

Retention

Keep data only as long as needed for payouts, audits, and appeals — then reduce or delete. Retention without a documented reason is exposure without a purpose.

Access

Small data requires tighter role-based access. Fewer people should see raw records. The person who runs the load should not be the same person who approves exceptions.

Reference: UK ICO guidance on data minimisation (UK GDPR).

How it fits Small Data Ethics

Minimisation is necessary but not sufficient

Small Data Ethics adds what minimisation cannot provide on its own:

  • Contestability: a path to challenge decisions made on the data
  • Traceability: what file, load date, and rule created the outcome
  • Repair: correction and reprocessing when errors occur

Read: Small Data Ethics is not Small Data Privacy →

“Nice to have” becomes risk in small systems. Every field you collect is a field that can be wrong, exposed, or used against the person it describes.