In privacy-by-design, what principle focuses on restricting access to the minimum necessary to perform duties?

The main concept is the principle of least privilege: only give individuals the minimum access they need to perform their duties. In privacy-by-design, this approach reduces data exposure by ensuring people can view or handle only what their role requires, using controls like role-based access and need-to-know access. This best matches the idea of restricting access to the minimum necessary to perform job duties and minimizing data exposure, which keeps sensitive information safer and limits the potential for misuse or accidental disclosure. Giving everyone full access would defeat privacy-by-design and increase risk, while limiting the rule to administrators or saying it’s not applicable misses the universal need to protect data across all roles.