Public data restraint
Navigating informed consent and data governance in public service
In our recent civic glossary entry on personally identifiable information (PII), we explored how public systems rely on personal data to recognize people and make decisions about their lives. Names, dates of birth, case histories, clinical records, demographic information—these become the institutional memory of those we serve.
But defining PII is only the beginning.
The harder leadership question is this:
When should we choose not to collect certain information at all?
In public service, the instinct to gather more is understandable. More data promises more insight. More demographic detail promises better equity measurement. More background promises greater precision.
The intent is often good.
But every additional field added to a form is also a governance decision—and governance decisions echo beyond the present moment.
Information does not stay where it is collected. Once entered into systems, it moves—shaped by policies, interpretations, and time.
Not all information carries the same burden
Some categories of data are operationally necessary. Appointment dates. Program status. Service delivery records. Without these, systems cannot function.
Other categories—demographic indicators, income ranges, geographic markers—may help identify disparities and shape policy.
But some forms of information carry a different weight entirely: immigration status, mental health history, clinical records, criminal justice involvement, tribal affiliation or other protected identity categories. These are not merely descriptive. They shape safety, eligibility, legal standing, and belonging.
The more sensitive the category, the more demanding consent must be.
Consent requires more than good intent
In our recent essay on who bears the cost of AI innovation, we examined what open and informed consent truly demands. Consent is not secured simply because a form includes a disclosure statement.
For consent to be meaningful, people must understand:
what is being collected
why it is necessary
who will have access
how long it will be retained
and how it may be used, now and in the future
The future is where this becomes complicated.
If leadership cannot reasonably anticipate how information might be accessed, shared, subpoenaed, or repurposed under different leadership or policy conditions, then the consent being requested is inherently limited. You cannot fully inform someone about conditions you cannot explain.
Consent is only as strong as our ability to anticipate future conditions.
Information outlives leadership
Information persists beyond the leadership contexts in which it was collected.
The ethical burden of collecting sensitive information does not end with the current team’s intentions.
Boards change composition. Executive directors retire. Agency heads are appointed and replaced. Leadership teams change—sometimes gradually, sometimes abruptly—and with them, priorities, interpretations, and enforcement philosophies shift.
The information collected under one set of values does not disappear when those values change. Records persist. Databases remain. Policies are reinterpreted. What was gathered to advance equity in one era may be analyzed differently in another. Information shared to coordinate care may later be requested for compliance, enforcement, or investigation.
None of this requires malicious intent. It is simply how institutions function over time. Structures are durable; leadership philosophies are not.
This is why foresight matters. The ethical burden of collecting sensitive information does not end with the current team’s intentions. It extends into contexts that cannot be fully predicted—only anticipated.
The question is not only whether a piece of information serves today’s mission. It is whether its continued existence can be responsibly defended under tomorrow’s governance.
If information persists beyond our tenure, then restraint becomes a leadership responsibility, not a limitation.
The discipline of restraint
Stewardship is often discussed in terms of what we build—new programs, new platforms, new analytic tools.
But stewardship is also about what we choose not to store.
Before adding another question to an intake form, leaders might pause and ask:
Is this essential to service delivery?
Is the benefit proportional to the risk?
Could the goal be achieved with aggregated or de-identified information instead?
Are we prepared to explain and defend this collection decision under future leadership?
If the answers are uncertain, the information may be a “nice to have.” And nice to have is not always sufficient justification.
Trust is not built in a single leadership team. It accumulates—or erodes—over time.
Trust over time
Data minimization is not anti-innovation. It is pro-governance.
Public trust is shaped not only by how institutions use information today, but by whether communities believe that information will remain protected across time and transitions.
Data minimization is not anti-innovation. It is pro-governance.
Collect what you need to serve well.
Be transparent about why you need it.
Design for consent that is genuinely informed.
And exercise restraint when the long-term risks outweigh the short-term convenience.
Sometimes the most responsible act of leadership is deciding not to ask.
Illustration by Spring 2026 intern, Haimeng Ge.
