Which control requires ensuring that the collection of PII is for purposes authorized by law or regulation?

Multiple Choice

Which control requires ensuring that the collection of PII is for purposes authorized by law or regulation?

Explanation:
Minimizing PII collection means only gathering the data elements that are necessary to accomplish a defined purpose and doing so within the bounds of law or regulation. This control, Minimization of PII, enforces that the organization’s data collection is purpose-limited and justified, reducing the chance of over-collection and unnecessary exposure of individuals’ information. For example, when registering a user for an online service, collecting just what’s needed to create an account (such as a username and email) and not extra personal details unless they’re truly required supports this principle and aligns with legal authorities that govern what can be collected.

Other options address different privacy program aspects. Privacy reporting focuses on documenting and communicating privacy activities, not on limiting what data is collected. Inventory of PII centers on cataloging what data the organization already holds, rather than restricting new data collection. The general TR Privacy Control covers other privacy protections but does not specifically mandate limiting collection to legally authorized purposes.

