Purpose limitation is a fundamental principle in the Data Protection Act No. 18 of 2025 (DPA) that mandates that organizations collect personal data exclusively for specific, clear, and lawful purposes. Per the DPA, personal data “means any information relating to an identified or identifiable natural person, or data subject…” Personal data has emerged as one of the most valuable assets in modern businesses, hence the need to guard against its misuse. Continue reading as we elaborate on this principle.
Legal framework
In Botswana, the DPA emphasizes lawful and responsible processing of personal information. Organizations must ensure that data is collected for legitimate purposes and processed in a manner consistent with those purposes. Section 20 of the DPA states that “Personal data shall be collected for a specified, explicit and legitimate purpose, and shall not be further processed in a manner that is incompatible with the initial purpose…”
Importance
Purpose limitation is important because it protects the privacy of individuals and promotes fairness in data processing activities. It fosters accountability by requiring organizations to explicitly explain why they need personal data and how it will be used. For example, a clinic collecting patient information for medical treatment should not later use the same information for unrelated marketing campaigns unless the patients have provided separate consent. Similarly, an employer collecting employee details for payroll administration should not disclose that information to external parties without lawful justification.
Best practices implementation
Implementing purpose limitation requires organizations to establish practical procedures and controls throughout the data life cycle. It involves identifying the exact purpose for collecting personal information before any collection occurs. Organizations can communicate their purposes of collecting personal data openly through privacy notices, consent forms, and internal policies. Continuous employee training and awareness programs are critical. Staff members at all levels should understand their responsibilities regarding data protection and the importance of handling personal information ethically and lawfully. By adopting these best practices, organizations can maintain compliance and uphold the integrity of their data protection frameworks. Internal data protection audits should be conducted to ensure ongoing compliance.
Failure to comply
Failure to comply with purpose limitation requirements can result in hefty fines of up to P50 million. The Information and Data Protection Commission may impose administrative fines or issue compliance orders. Section 83 (3) states that “an administrative fine not exceeding P50 000 000, or in the case of an undertaking, not exceeding four per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher, shall apply to a contravention of — (a) the basic principles for processing, including conditions for consent, under Parts IV to VI.”
Our services
The Data Protection Act (DP Act) mandates that every organisation put strict safeguards in place regarding personal data, and in that regard we can assist with crafting Data Protection Policies in line with the said Act. Some organizations, such as schools, hospitals, regulatory bodies, etc., are required to have full-time Data Protection Officers (DPO). If you cannot afford a full-time DPO, we can act as your organization’s DPO on a contract basis. If you need training for your staff on the provisions of the Data Protection Act and other business courses such as Leadership & Supervisory Skills, Customer Care, Team Building as well as secondments of Tax, HR and DPOs, contact us at: +267 76 213 233 or +267 393 9435 or skills@aupracontax.co.bw. This article is general, and written advice or training is recommended if decisions are to be made. If you wish to join our free WhatsApp groups or to know more about our services, please send us a text/WhatsApp on the numbers above.