What should information collection be based on according to regulations?

Information collection should be based on the principles of need and relevance because this approach ensures that the data gathered is directly related to specific business objectives or compliance needs. By focusing on what is necessary and relevant, organizations can prevent the collection of extraneous or sensitive information that may not serve a legitimate purpose. This method aligns with best practices for data management and protection, reducing the risk of oversharing or mishandling sensitive information, thereby enhancing overall data security and privacy.

Legal requirements, company policies, or personal discretion may play a role in guiding the processes of information collection, but solely relying on these aspects can lead to gaps in accountability and increase vulnerability to insider threats. Collecting information based on a rational assessment of needs and relevance ensures that all gathering efforts are purposeful, aligned with organizational goals, and compliant with applicable laws and regulations.