Organisations that handle personal data are expected to do so responsibly. Under Lesotho’s Data Protection Act, 2011, entities may only collect personal information if it is necessary, appropriate to the context, and directly related to a clearly defined and lawful objective. But what happens once that data is collected? Can it then be used for other purposes?
The answer is no, unless very specific conditions are met. The law expressly prohibits repurposing personal information in a way that contradicts the initial reason for which it was obtained. This means that data controllers are not permitted to re-use or process information for unrelated objectives unless certain criteria are fulfilled.
The legislation outlines several scenarios in which further use of the information would not be regarded as a breach. These include situations where the individual has provided informed consent, where the data is publicly accessible, or where the continued use is required for reasons such as maintaining public order, conducting legal proceedings, protecting national security, or preventing serious threats to health, safety, or life.
Additionally, personal data may be used for research or statistical analysis, provided that appropriate safeguards are implemented to ensure the data is not exploited for other ends.
Importantly, the law places the onus on the data controller to demonstrate that any further processing is consistent with the original lawful purpose. While the Act provides a list of acceptable justifications, it does not exclude other instances, so long as the core principle of purpose compatibility is satisfied.
Navigating the complexities of data protection compliance can be challenging. For guidance on how your organisation can align with the legal requirements under the Data Protection Act, contact Mayet & Associates Attorneys for tailored legal support.