Do you collect, process, or store demographic information?
Explanation
Demographic data handling is the subject, namely whether you collect, process, or store demographic information about individuals. Demographic information includes characteristics that describe a population, such as age, gender, ethnicity, education level, religion, geographic location, or occupation.
Why this is asked in a security assessment:
- Regulatory compliance: Many privacy regulations (like GDPR, CCPA, HIPAA) have specific requirements for handling demographic data, especially when it can be used to identify individuals.
- Risk assessment: Demographic data can be sensitive and may require additional protection measures.
- Data minimization: Organizations should only collect data they need for legitimate purposes.
- Privacy impact: Collection of demographic data raises privacy concerns that need to be addressed through proper controls.
How to best answer:
- Be truthful about whether you collect any demographic information.
- If you do collect such data, be prepared to explain:
* What specific demographic data you collect
* Why you collect it (business purpose)
* How you protect it
* How long you retain it
* Whether it's anonymized or pseudonymized
- If you don't collect demographic data, simply state that clearly.
- Consider whether your definition of demographic data aligns with relevant regulations that apply to your organization.
Guidance
Demographic information is generally defined as the statistical characteristics of a population used to study and understand certain aspects of that population. It can include characteristics such as age, gender, ethnicity, education, religion, geolocation, and occupation. If the information being collected, processed, or stored falls under a particular regulation (or law), check that regulation for a specific definition of demographic information.
Example Responses
Example Response 1
Yes, our organization collects and processes demographic information as part of our HR system and customer analytics platform For employees, we collect age, gender, ethnicity, education level, and location for compliance with employment laws and diversity reporting For customers, we collect age ranges, general location (city/state), and occupation to improve our product offerings and marketing strategies All demographic data is stored with encryption at rest, access is limited to authorized personnel only, and we have implemented data retention policies that align with applicable regulations We anonymize customer demographic data for analytical purposes whenever possible.
Example Response 2
No, our organization does not collect, process, or store demographic information Our service is designed to be used without requiring personal demographic details from users Our account creation process only requires a username, password, and email address We intentionally avoid collecting demographic data to minimize privacy risks and regulatory compliance requirements Our business model and service functionality do not depend on demographic analysis.
Example Response 3
Yes, we collect limited demographic information, but we do not meet all security requirements for this data We collect age ranges and zip codes from our users to provide localized content, but we currently store this information in our main database without additional encryption or special access controls We recognize this as a gap in our security posture and are in the process of implementing enhanced controls including data encryption, access restrictions, and formal retention policies Until these controls are fully implemented, we acknowledge that our handling of demographic information does not meet best practices for data protection.
Context
- Tab
- Privacy
- Category
- Privacy of Sensitive Data
Related questions
- Do you capture or create genetic, biometric, or behaviometric information (e.g., facial recognition or fingerprints)?
- Do you combine institutional data (including "de-identified," "anonymized," or otherwise masked data) with personal data from any other sources?
- Is institutional data coming into or going out of the United States at any point during collection, processing, storage, or archiving?
- Do you capture device information (e.g., IP address, MAC address)?
- Does any part of this service/project involve a web/app tracking component (e.g., use of web-tracking pixels, cookies)?
- Does your staff (or a third party) have access to institutional data (e.g., financial, PHI, or other sensitive information) through any means?

