Summary of “An Overview of Data Protection in Ghana and Its Compliance”

Background and Legal Framework

Ghana’s constitutional guarantee of privacy, in Article 18(2), laid the groundwork for contemporary comprehensive data‐protection legislation. The Data Protection Act, 2012 (Act 843), which came into force in 2012, established the Data Protection Commission (DPC) as an independent regulator responsible for implementing, monitoring compliance, enforcing the Act, investigating complaints, and maintaining the Data Protection Register.

Conceptual Framework and Importance of Data Protection

Data protection encompasses legislative, regulatory, and administrative measures to safeguard the personal information of individuals from unauthorized access, alteration, compromise, or loss. It also governs how data may be collected, and how it may be used, shared or processed. According to Paul Lambert, data protection regimes impose a twofold obligation: one which organizations must comply with when dealing with the personal data of individuals, and one providing individuals with various data protection rights.

The right to privacy is a fundamental human right guaranteed under international treaties and Ghana’s constitution. Internationally, it is guaranteed under Article 12 of the Universal Declaration of Human Rights (UDHR) and Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Domestically, it is rooted in Article 18(2) of the 1992 Constitution. Effective data management fosters trust with stakeholders and customers, prevents fraud and cybercrime, saves the time and cost associated with security incidents, and helps identify and resolve breaches quickly, while non‐compliance risks legal penalties and reputational damage.

Key Principles and Data Protection Strategies

Act 843 codifies eight principles: accountability; lawfulness of processing; specification of purpose; compatibility of further processing with purpose of collection; quality of information; openness; data security safeguards; and data‐subject participation.

To ensure robust data security, organizations should implement strong access controls so that only authorized personnel can view or modify critical information; encrypt sensitive data, transforming it into an unreadable form that is inaccessible to unauthorized users and remains secure even if intercepted; conduct frequent security audits to identify vulnerabilities and ensure compliance with data protection standards; train and educate staff on recognizing phishing attempts and on handling data responsibly; and establish well-defined incident response plans for data breach incidents.

Personal Data Protection and Obligations of the Data Controller/Processor

Personal data is defined in Act 843 to include any information which, on its own or in conjunction with other information, makes an individual identifiable, such as names, addresses, identification numbers, and biometric data. To ensure the protection of such personal data, the law stipulates that data controllers must demonstrate compliance with the data protection principles [Section 17]; that controllers/processors must register with the DPC [Section 27]; that the controller must ensure that the data subject is aware of certain details of the processing, such as the nature of the data being collected, the name and address of the collector, and the purpose for which the data is being collected, among others [Section 35]; that controllers must take security measures to maintain the integrity of personal data [Section 28]; that a processor shall only process data with the prior knowledge of the data controller [Section 29]; that processors shall ensure that the personal data of subjects is processed lawfully and without infringing their privacy [Section 20]; and that, where there has been a security compromise and the data has been breached, the controller or the processor shall notify the Commission or the data subject of the breach [Section 31].

Rights of the Data Subject

Data subjects enjoy various rights, such as: the right of access, allowing data subjects to request access to their personal data held by a data controller [Section 32]; the right to have inaccurate data corrected [Section 34]; the right to be informed about the collection and processing of their data [Section 35]; and the right to request that a data controller destroy or delete a record of their personal data [Section 33(b)]; among others.

Enforcement and Penalties

As outlined in Sections 1 to 10 of Act 843: the Data Protection Commission shall keep a register, to which controllers shall apply to be registered; where the Commission determines that a controller has contravened or is contravening the data protection principles, the Commission may serve an enforcement notice on the controller, preventing it from processing certain data; any data subject who is affected by the processing of data may request the Commission to make an assessment as to whether or not the processing is in accordance with Act 843; and where the Commissioner determines after the assessment that the data is not being processed in accordance with the Act, the Commissioner shall make a determination in writing to that effect and serve an information notice detailing the determination on the controller. Furthermore, it is an offence for a controller to fail to comply with an information notice or an enforcement notice, and on summary conviction the controller shall be liable to a fine not exceeding one hundred and fifty penalty units, or to a term of imprisonment of not more than one year, or to both the fine and the imprisonment.

Challenges to Data Protection Compliance

The key challenges and criticisms impacting the effectiveness and acceptance of Act 843 include: the possible overreach of the investigative powers of the Data Protection Authority (DPA) vis-à-vis the individual right to privacy; the low compliance rates of organizations despite the institution of the DPA; the general lack of awareness and understanding of the Data Protection Act among the public and businesses alike; insufficient funding and technical capacity hindering the authority’s ability to perform its functions effectively; and external influences compromising the impartiality of the DPA.

Recommendations

To strengthen Ghana’s data‐protection ecosystem, there must be: national awareness campaigns targeting citizens and organizations via media and workshops, to educate individuals on the value of their personal data, how it is used, and their rights to access, correct and object to its processing; increased budgetary allocations for the Data Protection Commission (DPC) and the establishment of regional DPC offices across the country; periodic review and amendment of Act 843 to incorporate clear frameworks for cross-border transfers, among other matters; and the implementation of robust data governance policies, together with regular data protection impact assessments (DPIAs) for new processing activities and internal gap analyses.

by Caroline Obeng and Prisca Bennett