They should follow the principle of least privilege. Why not use differential privacy?