The organization must maintain a clear and documented procedure for cases where personal data is processed for a purpose other than the one for which it was originally collected. This procedure should ensure that any additional processing remains lawful, necessary, and transparent.

To ensure compliance, the procedure must:

• Clearly define, justify, and document new processing purposes.
• Use tools such as data mapping or necessity assessments to identify which data elements are needed and how they will be securely processed and safeguarded.
• Limit processing to the minimal amount of personal data required to achieve the new purpose.
• Apply appropriate organizational and technical measures to protect the data throughout processing.
• Record all updates or changes in the organization’s processing activity records.
• Inform affected individuals of the new purpose and provide all required details before beginning additional processing.

The organization must maintain a structured procedure for responding to data disclosure requests from public authorities. The process should ensure that:

• Each request is verified to be lawful, necessary, and properly authorized
• All details of the request and the organization’s response are clearly documented
• Only the specific types of personal data relevant to the request are accurately identified and disclosed
• Disclosures made for reasons such as public security, legal compliance, or the protection of health and safety follow the same verification and accountability standards

When processing personal data to achieve a public interest purpose different from its original collection purpose, the organization must ensure that such processing is necessary, clearly defined, and within its legal mandate. Only the minimum personal data required should be collected and processed, with appropriate administrative and technical controls implemented to prevent harm and ensure staff compliance. All related processing and disclosure activities must be documented and recorded in the organization’s data processing records.