What is processing which is ‘incompatible with original purpose’ mean? The data controller must ensure that if data is then used for other processes different from the initial reason for collection, that additional use must be compatible with the original collection process. The data subject must ensure that they are not accepting additional uses without reading terms and conditions of services for instance when opening accounts, you might be asked if you accept promotional materials to be sent to your address or credit facilities asking if they can share your details with other loan providers. POINTS TO REMEMBER While the law prohibits further processing, remember that: • if the new purpose is compatible with the original purpose, then it’s acceptable • if the data subject agrees or gives specific consent to further processing though incompatible with original collection then it becomes lawful • if there are legal grounds allowing for further processing in the public interest then such is lawful Specific, explicit and legitimate processing enables transparency, and accountability and data subject control of personal information ILLUSTRATION OF ORIGINAL USE AND COMPATIBLE USE processing30. The data controller must specify the Data Collected Original Use Compatible Use data before commencing processing. Nasal fluids COVID-19 testing Genome sequencing to trace virus This must be clear. It must not be uncertain or for illegal or unlawful Cell number Voter registration Notifying of your polling station purposes. Further data processing must Educational qualifications Accreditation Register of Qualified professionals be compatible with original purposes unless if public interest purposes Nasal fluids COVID-19 testing Trading with medical insurance firms. exceptions apply, or the data subject has consented31. It is also possible Cell phone number Voter registration Unsolicited messages by political that data might have multiple parties. purpose when collected. Then the Educational qualifications Accreditation Selling of third-party training data controller must for each programmes. purpose be specific, meaning compliance with all data processing requirements for each purpose32. However, there other legitimate purposes, which do not need to satisfy the compatibility test. These are usually public interest purposes not the original purpose but will be deemed acceptable if they satisfy conditions issued by the Authority. These conditions include further processing for historical, statistical, or scientific research or archiving purposes. That said, the Authority must include in its conditions for further processing that the information must not be identifiable to a data subject. 30 31 32 Article 29 Data Protection Working Party Opinion 03/2013 on purpose limitation 13. GDPR art 6(4); GDPR Art 14 (1) (a)-(f); POPIA s12(2)(a) -(f); see Article 29 Data Protection Working Party (203) 24-27. Article 29 Data Protection Working Party ‘Opinion 03/2013 on Purpose Limitation 12; 16. ORIGINAL USE LEGITIMATE USE Nasal fluids Scientific medical research of viruses (medical) Cell phone Measurement of cell phone coverage (statistical) Educational qualifications Audit of professional skills movement (historical) M I S A Z I M B A B W E • G U I D E T O T H E Z I M B A B W E A N C Y B E R A N D D A T A P R O T E C T I O N A C T - 2 0 2 2 17