What we collect is strictly what is necessary to fulfill the objectives of the program. That's the framework. We collect not one piece of information more than what is actually needed to fulfill those objectives.
Once you have collected the information, you must ensure that it is kept absolutely secure, which is the step about data protection. That would be our stance when reviewing, for example, a trusted traveller program.