
What does control A.1.4.2 require?

The organisation shall limit the collection of PII to the minimum that is relevant, proportional and necessary for the identified purposes.

This control sits within the PII minimization objective (A.1.4), which ensures that organisations collect and process only the personal data they genuinely need. A.1.4.2 specifically addresses the point of collection, requiring organisations to critically assess every data field they gather against the purposes they have documented under A.1.2.2.

What does the implementation guidance say?

Annex B (section B.1.4.2) provides the following guidance:

  • Define and document data needs — For each processing purpose, the organisation should clearly define and document exactly what PII is needed, creating a direct link between purpose and data fields
  • Review collection practices periodically — Collection practices should not remain static; they should be reviewed at regular intervals to ensure they still reflect actual processing needs
  • Do not collect “just in case” — The organisation should not collect PII speculatively on the basis that it might be useful in the future
  • Consider alternatives — Before collecting PII, consider whether the purpose can be achieved with less PII or with anonymised data instead
  • See also A.1.4.4: Accuracy and Quality for related requirements
  • See also A.1.4.7: Temporary Files for related requirements

The practical effect is that every form field, every data capture point and every intake process should be justified against a documented purpose. If a field cannot be tied to a specific, documented purpose, it should not be collected.

How does this map to GDPR?

Control A.1.4.2 maps to two key GDPR articles:

  • Article 5(1)(b) — Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes
  • Article 5(1)(c) — Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Together, these GDPR principles require that collection is both purpose-bound and minimised, which is exactly what A.1.4.2 operationalises within the ISO 27701 framework.

How does this relate to ISO 29100 privacy principles?

This control directly supports the ISO 29100 principle of Collection limitation, which states that the collection of PII should be limited to that which is within the bounds of applicable law and strictly necessary for the specified purpose. The principle emphasises that organisations should evaluate whether the collection of PII is truly necessary before implementing it.


What evidence do auditors expect?

When assessing compliance with A.1.4.2, auditors will typically look for:

  • Data collection justification records — Documentation showing that each PII field collected has been mapped to a specific processing purpose
  • Form and intake reviews — Evidence of periodic reviews of data collection forms, web forms and intake processes to remove unnecessary fields
  • Data minimisation assessments — Records of assessments considering whether anonymised or pseudonymised data could serve the purpose instead
  • Change control — Evidence that new data collection fields require approval and justification before being added
  • Training records — Evidence that staff involved in designing data collection processes understand minimisation requirements

What are the related controls?

Control | Relationship
A.1.2.2 Identify and document purpose | Collection limits derive from documented purposes
A.1.4.3 Limit processing | Processing limits complement collection limits throughout the data lifecycle
A.1.4.5 PII minimization objectives | Defines the overarching minimisation mechanisms that support collection limitation
A.1.4.6 De-identification and deletion | Where collected PII is no longer needed, it must be de-identified or deleted
A.1.2.4 Determine consent | Consent should only cover PII that is genuinely needed

What changed from ISO 27701:2019?

For a step-by-step approach, see the Transition from 2019 to 2025.

In the 2019 edition, collection limitation was addressed under Clause 7.4.1 (limit collection). The 2025 control is substantively the same in its requirements, but the restructured Annex A and Annex B format provides a clearer separation between the normative control statement and its implementation guidance. The language around proportionality has been slightly strengthened. See the Annex F correspondence table for the full mapping.


ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

Why choose ISMS.online for managing PII collection limits?

ISMS.online gives you the structure to enforce and demonstrate collection limitation across your organisation:

  • Data inventory mapping — Map every PII field to its documented purpose, making it immediately clear which fields are justified and which are candidates for removal
  • Collection review workflows — Schedule periodic reviews of data collection practices with automated reminders and approval workflows
  • Change request tracking — Require justification and approval before new PII fields are added to any collection process
  • Purpose linkage — Automatically cross-reference collection points with your processing purpose register to identify gaps or over-collection
  • Audit trail — Maintain a complete history of collection decisions, reviews and changes for auditor evidence

FAQs

How do you decide what PII is “necessary” for a purpose?

Ask whether the processing purpose can be fulfilled without each data field. If removing a field would not prevent you from achieving the stated purpose, it is likely unnecessary. Consider whether the purpose could be achieved with less granular data (e.g. age range instead of date of birth) or with anonymised data. Document the rationale for each field you retain.
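The following is an added illustration, not code from the page or from ISMS.online, of how the two points above (every field cites a documented purpose before it can be collected; coarsen a field where a less granular value serves the purpose) can be enforced at the collection boundary rather than left to a policy document. The purpose register, the purpose identifiers P-01/P-02/P-99, the field names and the review date are all constructed for the example.

```python
"""Purpose-bound intake schema with a change-control check and coarsening at collection."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional

# Constructed purpose register; in practice this is the purpose documentation kept under A.1.2.2.
PURPOSE_REGISTER: Dict[str, str] = {
    "P-01": "Deliver purchased goods to the customer",
    "P-02": "Confirm the customer is over 18 before selling age-restricted goods",
}

# Fixed "today" so the worked example is reproducible (constructed).
REVIEW_DATE = date(2025, 1, 1)


@dataclass(frozen=True)
class FieldSpec:
    name: str                      # name of the field on the form
    purpose_id: str                # purpose this field is justified against
    required: bool = True
    coarsen: Optional[Callable[[str, Optional[date]], str]] = None  # reduces granularity before storage
    store_as: Optional[str] = None  # key used at rest, if different from the form field name


def age_band(dob_iso: str, today: Optional[date] = None) -> str:
    """Coarsen a date of birth (YYYY-MM-DD) to an age band; only the band is retained."""
    today = today or date.today()
    y, m, d = (int(part) for part in dob_iso.split("-"))
    age = today.year - y - ((today.month, today.day) < (m, d))
    if age < 18:
        return "under-18"
    if age < 65:
        return "18-64"
    return "65+"


# A proposed form as it might arrive for change-control review. The last field cites a
# purpose that is not in the register: a "just in case" field that must not be collected.
PROPOSED_SCHEMA: List[FieldSpec] = [
    FieldSpec("email", "P-01"),
    FieldSpec("postal_address", "P-01"),
    FieldSpec("date_of_birth", "P-02", coarsen=age_band, store_as="age_band"),
    FieldSpec("gender", "P-99", required=False),
]


def unjustified_fields(schema: List[FieldSpec], register: Dict[str, str] = PURPOSE_REGISTER) -> List[str]:
    """Change-control check: names of fields whose cited purpose is not documented."""
    return [f.name for f in schema if f.purpose_id not in register]


def approve_schema(schema: List[FieldSpec], register: Dict[str, str] = PURPOSE_REGISTER) -> List[FieldSpec]:
    """Refuse to approve a form that carries any field without a documented purpose."""
    bad = unjustified_fields(schema, register)
    if bad:
        raise ValueError(f"fields without a documented purpose: {bad}")
    return schema


def minimise(submission: Dict[str, str], schema: List[FieldSpec], today: Optional[date] = None) -> Dict[str, str]:
    """Apply the approved schema at the point of collection.

    Anything the client sends that is not in the schema is discarded, not persisted;
    fields with a coarsening function are stored only in their coarsened form;
    mandatory fields must be present.
    """
    allowed = {f.name: f for f in schema}
    stored: Dict[str, str] = {}
    for name, value in submission.items():
        spec = allowed.get(name)
        if spec is None or value in (None, ""):
            continue
        stored[spec.store_as or name] = spec.coarsen(value, today) if spec.coarsen else value
    missing = [f.name for f in schema if f.required and (f.store_as or f.name) not in stored]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    return stored


# The schema a reviewer would actually approve: the unjustified field has been dropped.
APPROVED_SCHEMA: List[FieldSpec] = approve_schema(
    [f for f in PROPOSED_SCHEMA if f.purpose_id in PURPOSE_REGISTER]
)

if __name__ == "__main__":
    print("rejected at review:", unjustified_fields(PROPOSED_SCHEMA))
    # Constructed submission, including a field the form never asked for ("phone").
    sample = {"email": "a@example.com", "postal_address": "1 High St",
              "date_of_birth": "1990-06-15", "gender": "F", "phone": "0123"}
    print("stored:", minimise(sample, APPROVED_SCHEMA, today=REVIEW_DATE))
```

Running `unjustified_fields` against every form definition in CI turns the "change control" evidence auditors ask for into a repeatable check, and storing `age_band` instead of `date_of_birth` is the worked instance of "less granular data" from the answer above.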


Can optional fields on forms still comply with this control?

Optional fields are not automatically non-compliant, but they do require scrutiny. Each optional field should still be tied to a documented purpose, and the organisation should be able to explain why the field exists even though submitting it is not mandatory. Any field that serves no documented purpose should be removed, whether it is mandatory or optional.


How often should collection practices be reviewed?

The standard does not prescribe a specific review frequency. However, best practice is to review collection practices at least annually as part of your PIMS management review, and additionally whenever a new processing purpose is introduced, an existing purpose changes or a data protection impact assessment is conducted.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
