Ghana - Data Protection Overview

December 2023

1. Governing Texts

Ghana is a Republic and sovereign country. It is a member of the African Union and the Commonwealth Countries. It is also a member of the Economic Community of West African States. It is a signatory to the African Continental Free Trade Agreement ('AfCFTA') and hosts the Secretariat of the AfCFTA.

There are 16 Regions in Ghana, and the capital is Accra. Ghana has a policy that promotes the use of Information Communications Technology. The Ghana Information Communication Technology for Accelerated Development Policy ('the Ghana ICT4AD Policy'), launched in 2003, is shortly to be replaced by the Ghana Digital Economy Policy ('the Digital Economy Policy'), which is expected to be launched soon. The Digital Economy Policy centers digitalization for transformational impact across all three technology ecosystems. The three technology ecosystems comprise the Government ecosystem, the private sector ecosystem, and the citizens, residents, and global community ecosystem. It anchors on the strengthening and development of each of the five pillars within each of the three ecosystems:

  • universal access and connectivity;
  • digital skills and research;
  • digital Government;
  • digital entrepreneurship; and
  • data and emerging technologies.

Within the context of each of these five pillars, issues relating to data subjects, which are regulated by the Data Protection Act, 2012 ('the Data Protection Act'), would arise for data controllers.

Ghana recognizes that as part of the inherent nature of technology, issues relating to data subject rights, data controller responsibility, and regulatory oversight and efficiency require a legal framework that ensures that data subject privacy rights are not violated in the pursuit and implementation of technology by data controllers.

Upon the launch of the Digital Economy Policy, its new and deepened initiatives would review existing legal gaps and would lead to the passage of relevant and appropriate legal frameworks.

1.1. Key acts, regulations, directives, bills

The 1992 Constitution of the Republic of Ghana ('the Constitution') is the supreme law of Ghana and it is the instrument from which every piece of legislation derives its validity in Ghana. The primary legislation that protects data privacy is the Data Protection Act. The purpose of the Data Protection Act is to establish a Data Protection Commission ('DPC'), to protect individuals' privacy and personal data by regulating the processing of personal information, to outline the process to obtain, hold, use, or disclose personal information, to define the rights of data subjects, to prohibit certain processing conduct, to regulate third country processing of data relating to data subjects covered by the Data Protection Act and the processing in Ghana of third country data subjects' data, and to provide for related matters.

The Data Protection Act provides key definitions for different areas of individual data privacy. One of the key areas under the Data Protection Act relates to assessable processing. Under the Data Protection Act, the Ministry of Communications and Digitalisation ('the Minister of Communication') is given power by an executive instrument to specify actions that constitute assessable processing if the Minister of Communication considers the assessable processing likely to:

  • cause substantial damage or substantial distress to a data subject; or
  • otherwise significantly prejudice the privacy rights of a data subject.

Another key feature of the Data Protection Act is the creation of a register of data controllers known as the Data Protection Register ('the Register'). The DPC is required to keep and maintain the Register. Data controllers are required to register with the DPC under Section 27 of the Data Protection Act. The DPC is required to consider whether the processing referred to in each application is assessable, or if the assessable processing complies with the provisions of the Data Protection Act.

A further key feature of the Data Protection Act is that it applies to State and public authorities and bodies. This ensures that the State and public authorities and bodies comply with the binding privacy provisions of the Constitution, subject to the exception stated in the Constitution. In order to substantiate this key feature, the Data Protection Act provides that every Government department be treated as a data controller. It also makes it mandatory for each Government department to designate an officer to act as a data supervisor.

The Data Protection Act provides for the use of subsidiary legislation to further deepen the effective application of the principles and objects of the Data Protection Act.

The Data Protection Act outlines what constitutes lawful processing, exempt processing, the scope and duties of data controllers, data processors, the DPC, and data subjects. It balances the need to ensure privacy rights with the rights of the State to remain inviolable, maintain law and order, function effectively, and protect its citizens effectively.

Currently, the DPC is taking steps to have the relevant legislative instruments drafted and passed and it is expected that by the end of 2024, such subsidiary legislation would be in place. The subsidiary legislation is expected to address aspects of new and emerging technology as they relate to data subject matters under the Data Protection Act.

The Cybersecurity Act No. 1038 of 2020 ('the Cybersecurity Act') regulates cybersecurity activities in Ghana. It promotes the development of cybersecurity and related matters. The Cybersecurity Act has implications for data controllers insofar as cybersecurity-related matters require regulatory compliance. Currently, the Cyber Security Authority ('CSA'), established under the Act, is in the process of developing the subsidiary legislation provided for under Section 96 of the Cybersecurity Act, which provides as follows:

The CSA may, by legislative instrument, make regulations to provide for:

  • the forms for applications;
  • authorizations and licenses;
  • the use of equipment to intercept or disable a digital technology service or product by authorized persons to execute an interception warrant;
  • accreditation of cybersecurity professionals and practitioners;
  • the operationalization of a platform for cross-sector engagement on matters of cybersecurity for the effective coordination and cooperation between key public institutions and the private sector;
  • the promotion and development of cybersecurity to ensure a secure and resilient digital ecosystem;
  • certification of cybersecurity products and technology solutions;
  • implementation of an early warning system;
  • receipt of complaints by the National Computer Emergency Response Team from sectoral computer emergency response teams, citizens, and other similar international bodies;
  • the modalities for:
    • the preservation of data; and
    • the retention of data;
  • dispute resolution;
  • amendment of the administrative penalties specified in the Second Schedule of the Cybersecurity Act; and
  • any other matters necessary for the effective implementation of the Cybersecurity Act.

Data controllers would be required, to the extent that their activities relate to matters under the Cybersecurity Act, to ensure compliance with both the Cybersecurity Act and the subsidiary legislation passed pursuant to the Cybersecurity Act. Given the advanced stage of this effort, it would be appropriate to expect that the subsidiary legislation would be passed and become effective in 2024.

The Cybersecurity Act defines 'critical information infrastructure' to mean a computer or computer system designated under Section 35(1) of the Cybersecurity Act:

 The Minister may, on the advice of the CSA, designate a computer system or computer network as a critical information infrastructure if the Minister considers that the computer system or computer network is essential for:

  • national security, or
  • the economic and social well-being of citizens.

Data controllers whose computers, computer systems, or computer networks constitute part of the critical information infrastructure would also be regulated under the Cybersecurity Act. Section 35(1)(b) of the Cybersecurity Act includes data subjects under the Data Protection Act. It is important to appreciate that the inter-regulatory legal framework would ensure that there is certainty and simplicity in the activities and designs of computers and computer networks.

Data controllers need to appreciate that the DPC is a regulator of data controller activities as they relate to data subjects. Digital security-related designs are part of the measures which data controllers are required to put in place in order to prevent data breaches. It is important to appreciate that the design a data controller puts in place to prevent and protect against data subject breaches goes beyond the regulatory powers of the DPC.

The regulatory powers under the Cybersecurity Act cover such additional and specialized security regimes which have to be adhered to by data controllers under the Cybersecurity Act. Section 35 of the Cybersecurity Act is a full ecosystem compliance regulatory approach and is not limited to data subjects under the Data Protection Act. Any computers, computer systems, or computer networks that form part of the critical information infrastructure that is essential for national security or the economic and social well-being of citizens are under the regulatory scope of the Cybersecurity Act. Processing that is exempt under the Data Protection Act must still comply with the Cybersecurity Act and its subsidiary legislation.

The Digital Economy Policy, in line with the convergent nature of technology, recognizes that multiple regulatory compliance would be required in order to fulfil its goals. The Digital Economy Policy recognizes that this must be done in a manner that does not disrupt innovation, private sector growth, participation in the gains of the global digital economy, and the benefits gained from the transformational impact of digitalization.

The National Information Technology Agency ('the NITA') was established under the National Information Technology Agency Act No. 771 of 2008 ('the IT Agency Act'). Section 3 of the IT Agency Act provides, among other things, that:

For the purpose of achieving its object, the NITA shall:

  • perform the functions of the certifying Agency established under the Electronic Transactions Act No 772 of 2008 ('Electronic Transactions Act');
  • implement and monitor the national information communications technology policy;
  • implement and enforce the provisions of the IT Agency Act, the Electronic Transactions Act, and regulations made thereunder;
  • ensure the systematic implementation of national information communications technology policy; and
  • issue and publish on its website and in the Official Gazette the necessary guidelines and standards.

The Digital Economy Policy which is expected to be launched shortly and the different aspects of the inter-regulatory and the inter-institutional cooperation under Section 3(1)(b) and (o) of the Digital Economy Policy are matters for which the NITA is given the statutory responsibility of monitoring and implementing.

Section 28 of the IT Agency Act, relating to the scope of legislative instruments, provides, among other things, that:

The Minister may, on the advice of the Board by legislative instrument make Regulations to:

  • prescribe fees chargeable;
  • provide procedures for the systematic implementation of a national information communications technology policy;
  • provide for the issue of guidelines and standards to ensure the quality of service standards; and
  • provide for any matter necessary for the effective implementation of the provisions of the IT Agency Act.

Issues relating to the inter-regulatory and inter-institution cooperation legal framework are governed by Section 28(e) and (g) of the IT Agency Act.

The NITA is at an advanced stage in the preparation of the legislative instrument under Section 28 of the IT Agency Act, an aspect of which would be applicable to data controllers. It is important to note that data controller activities cut across many areas of business activities including regulated, unregulated, partially regulated, and different combinations. Data controllers must, as part of the approach to ensure compliance, identify the various regulatory scope within which their core business operates and ensure compliance therewith.

Additionally, data controllers should ensure that their activities comply with the Data Protection Act and the Cybersecurity Act at all times. The various regulators outside the Data Protection Act and the Cybersecurity Act, as part of their regulatory activities, are to ensure that entities under their respective regulations comply with the regulatory oversight of the Data Protection Act and the Cybersecurity Act. Similarly, the Data Protection Act and Cybersecurity Act must ensure that data controllers under the regulatory oversight of business operations of different regulatory bodies are registered accordingly. This creates the combined regulatory synergies needed for private sector data controllers' regulatory clarity and sector growth.

Currently, there are additional steps being taken which are expected to fully crystallize in 2024, relating to a legal framework for data center and cloud storage. It should be noted that in the context of both data center and cloud storage ecosystems, the activities of data controllers under the Data Protection Act, the Cybersecurity Act, and the IT Agency Act would similarly arise.

The legal framework that is relevant to the Digital Economy Policy goal attainment, digitalization, and transformational impact is expected to be passed in 2024. It is important for data controllers to monitor the development of the introduction of the relevant legislation in 2024 to ensure compliance.

1.2. Guidelines

It is important to note that the Data Protection Act is the primary legislation, and its contents are binding and enforceable. The legal status of the Data Protection Act is above that of a policy document as it is a law. In areas where legislation is not the most effective tool, the Data Protection Act gives room for policy to be created to fill in that gap or where such policies are needed pending the inclusion of such policy in future legislation.

As a result of the status of the Data Protection Act, matters which under a policy might have been dealt with by implementing guidelines are instead dealt with under the Data Protection Act by giving the Minister of Communication power to make directives, prescriptions, legislative instruments, executive instruments, and designated codes of practice for, among other things, strengthening compliance with and improving the effectiveness of the Data Protection Act, and the attainment of its objectives. The Minister of Communication may also give directives to the Board of the DPC on matters of policy.

1.3. Case law

The nature of the Data Protection Act is to provide data subjects with the ability to enforce their rights against data controllers in a cheap and effective manner. The DPC is given the function to implement and monitor compliance with the provisions of the Data Protection Act and to investigate any complaint under it and determine it in a manner the DPC considers fair.

This means that resorting to case law as the index for determining how robustly data controllers are held accountable would not give the complete picture. Once the DPC is fully effective and data subjects obtain redress through the DPC, case law as the vehicle for monitoring the effectiveness of the Data Protection Act would not be the best approach. The focus therefore ought to be on monitoring the levels of complaints made to the DPC, the rate of determination of complaints, the notices and sanctions handed out, the appeals made against the decisions and findings of the DPC, and the fate of such appeals.

In respect of enforcement notices, the Data Protection Act provides that:

'An enforcement notice shall contain a statement of the data protection principle which the DPC is satisfied has been contravened and the reasons for that conclusion. Subject to this Section, an enforcement notice shall not require any of the provisions of the notice to be complied with before the end of the period within which an appeal may be brought against the notice and, if the appeal is brought, the notice may not be complied with pending the determination or withdrawal of the appeal.'

Another area where case law may supplement the work of the DPC would be under Section 48(2) of the Data Protection Act. This provides that:

Where the DPC refuses an application for registration as a data controller, the DPC shall inform the applicant in writing within 14 days:

  • a refusal of an application for registration is not a bar to reapplication;
  • the applicant may apply for judicial review to the High Court against the refusal; and
  • of its decision and the reasons for the refusal.

Another area under the Data Protection Act where case law may supplement the work of the DPC is found in Section 60 of the Data Protection Act relating to exemptions and the issue of a certificate issued by the Minister. It provides as follows:

A person who is directly affected by the issue of a certificate under this section may apply for judicial review at the High Court.

2. Scope of Application

2.1. Personal scope

The object of the DPC is to 'protect the privacy of the individual and personal data by regulating the processing of personal information, and provide the process to obtain, hold, use, or disclose personal information.'

The Data Protection Act also specifies the rights of law enforcement agencies responsible for the prevention, detection, investigation, prosecution, or punishment of offenses in processing personal data. Provision is made for the law enforcement agencies responsible for:

  • the enforcement of laws that impose a pecuniary penalty;
  • the protection of national security in processing personal data; or
  • concerning revenue collection, preparation, or conduct of proceedings before a court or tribunal that have been commenced or are reasonably contemplated.

2.2. Territorial scope

The Data Protection Act applies to a data controller in respect of data where:

  • the data controller is established in this country and the data is processed in this country;
  • the data controller is not established in this country but uses equipment or a data processor carrying on business in this country to process the data; or
  • processing is in respect of information that originates partly or wholly from this country.

The effect of this approach is to ensure, among other things, that there is a certainty at all times as to who the data controllers are in respect of any form of data subject processing. It also ensures that where business process outsourcing ('BPO') operations are conducted wholly by a data processor in Ghana, the authorizing data controller is identifiable at all times. It also ensures that in situations of the fluidity of data processing activities, which have the potential for multiple jurisdictional compliance claims, there is clarity of applicable jurisdictional regimes.

The law of nations does not have an extraterritorial effect. This essentially means that no country can compel any other country to apply its laws by the simpliciter passage of its laws. The scope of a country's laws, however, may impact residents and non-residents in different jurisdictions depending on the scope and the contents of such laws. Data protection laws are one area where the impact is on residents and data controllers both within and outside a country's territory. This is not a breach of the sovereignty of other nations; it is a recognition that sovereignty has an impact within and beyond traditional borders in the area of technology. This is very prevalent in matters relating to data subject information processing. Data protection laws and directives seek to ensure that data subjects are not rendered helpless at the hands of data controllers. The data subject's primary right of privacy forms part of the focus of such data protection laws.

The Data Protection Act recognizes this principle by making it mandatory for any person processing the data of individuals in third countries to ensure that processing is done in a manner consistent with such third-country processing laws. This is critical for the promotion and growth of the BPO sector. Similarly, it ensures that where there is a BPO outflow to third countries, such third-country data controllers are required to comply with the provisions of the Data Protection Act in relation to data subjects under the Data Protection Act. These are areas where further and specialized subsidiary legislation would provide the operational legal framework for deepening and operationalizing the Data Protection Act further.

In the areas of data centers and cloud storage, the legal framework that would spell out the complementary roles of the CSA, the NITA, the DPC, and other regulators relative to their primary legislation, through various subsidiary and additional legislation, is expected to bring legal clarity for ease of business planning and understanding of the compliance regime. The ongoing inter-regulatory approach of stakeholder workshops on this provides the needed assurance that the transition and legal framework clarity would not be disruptive to data controller business operations and would provide the needed legal framework certainty.

It is important that the data policy of data center hosting businesses provides clarity on the nature of their activities, for ease of ascertaining where they function as data controllers and where they function purely as hosting platforms that do not engage in any form of data controller activity. Where data centers engage in data controller activities, it is expected that clarity would be given as to the countries of data subject processing, to enable ease of ascertaining whether or not such data center activities fall under the Data Protection Act.

Similarly, the data policy of data center hosting businesses must provide clarity on the nature of their activities, for ease of ascertaining where any of their functions, whether as data controllers or not, cover hosting platforms that constitute a designated computer system or computer network fitting the definition of critical information infrastructure, that is, a computer system or computer network that is essential for national security or the economic and social well-being of citizens.

Where any of the data centers fall within such scope, they would have to ensure full compliance with the Cybersecurity Act.

It is important that the data policy of data center hosting businesses provides clarity on the nature of their activities, for ease of ascertaining where any of their functions, whether as data controllers or not, cover hosting platforms under the IT Agency Act. Section 3 of the IT Agency Act states that in such cases, compliance with the IT Agency Act would be required relating to:

  • the monitoring and implementation of the national information communication technology policy issues;
  • the IT Agency Act; and
  • the issues under the Electronic Transactions Act.

2.3. Material scope

Processing of personal data under Section 18 of the Data Protection Act must be done in a manner that ensures that the personal data is processed:

  • without infringing the privacy rights of the data subject;
  • in a lawful manner; and
  • in a reasonable manner.

Special categories for which data processing is prohibited except within the limited scope prescribed are found in Section 37 of the Data Protection Act. They include data which relates to:

  • a child who is under parental control in accordance with the law; or
  • the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life, or criminal behavior of an individual.

The areas for limited scope are prescribed in situations where:

  • processing is necessary; or
  • the data subject consents to the processing.

The processing of special personal data is necessary where it is for the exercise or performance of a right or an obligation conferred or imposed by law on an employer. The processing of special personal data must be presumed to be necessary where it is required:

  • for the purpose of or in connection with a legal proceeding;
  • to obtain legal advice;
  • for the establishment, exercise, or defense of legal rights;
  • in the course of the administration of justice; or
  • for medical purposes and the processing is:
    • undertaken by a health professional; and
    • pursuant to a duty of confidentiality between patient and health professional.

Purely transitory data, i.e., data that is transiting through networks and routing through telecommunication networks and infrastructure and not the subject matter of any intervention or activity of data controllers and data processors, is not covered under the Data Protection Act. It must be noted that transitory data, to the extent that it moves through a network, would form part of the security measures for which data controllers under the Data Protection Act would be required to take responsibility. Transitory data is treated as data which, subject to the qualification provided under the Constitution, ought to be given privacy protected status under the Constitution.

Interception of such transitory data would be the subject matter of a different legal regime in situations where such data is related to national security or the prevention of crime. Monitoring by law enforcement agents under a different legal regime would apply where the exemptions provided under the Data Protection Act do not apply.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main regulator under the Data Protection Act is the DPC, which has a statutorily prescribed board composition as outlined in Section 4 of the Data Protection Act.

It is important to note that the Data Protection Act does not oust the relevance and compliance requirement under the Cybersecurity Act, Electronic Transactions Act, and the IT Agency Act. It is important to note that the data controller activities relate to the business objects of the incorporated entity or business operations.

Data controllers must aim to comply with the full ecosystem, in addition to compliance under the Data Protection Act, where their respective nature of business covers areas of regulation, self-regulation, and best international practice. Digitalization and the growing scope for the application of artificial intelligence ('AI') have transformed data controller activities and business models, which now cut across multiple regulated and unregulated areas. Data Protection Act compliance ought to be seen as the first step of multiple regulatory compliance. It is the first step of acknowledgment, given that data controller activities are so well known and defined that no data controller can genuinely dispute knowledge of what constitutes data controller activities. The next step is to identify the different regulatory authorities whose requirements the business operations would attract.

3.2. Main powers, duties and responsibilities

The objectives of the DPC are as follows (Section 2 of the Data Protection Act):

  • protect the privacy of the individual and personal data by regulating the processing of personal information; and
  • provide the process to obtain, hold, use, or disclose personal information.

The DPC is required to implement and monitor compliance with the Data Protection Act, make the administrative arrangements it considers appropriate for the discharge of its duties, investigate any complaint under the Data Protection Act and determine it in the manner the DPC considers fair, and to keep and maintain the Register.

4. Key Definitions

Data controller: A person who either alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed (Article 96 of the Data Protection Act).

Data processor: The Data Protection Act defines a data processor in relation to personal data to mean 'any person other than an employee of the data controller who processes the data on behalf of the data controller' (Article 96 of the Data Protection Act). From the meaning of data processor under the Data Protection Act, a clear distinction is made between an employee of the data controller whose activities constitute the activities of the data controller and that of a data processor. In addition, the definition of the data processor subordinates the data processor to the data controller in the hierarchy of command in matters relating to personal data processing.

Personal data: Personal data is defined under the Data Protection Act to mean data about an individual who can be identified from the data or other information in the possession of or likely to come into the possession of the controller.

Sensitive data: Sensitive data is defined as information that relates to (Article 37 of the Data Protection Act):

  • personal data relating to children;
  • the race, color, or ethnic or tribal origin of the data subject;
  • the political opinion of the data subject;
  • the religious beliefs or other beliefs of a similar nature, of the data subject;
  • the physical, medical, mental health, or mental condition, or DNA of the data subject;
  • the sexual orientation of the data subject;
  • the commission or alleged commission of an offense by the individual; and
  • proceedings for an offense committed or alleged to have been committed by the individual, the disposal of such proceedings, or the sentence of any court in the proceedings.

Health data: The Data Protection Act does not provide a definition for 'health data', however, it defines 'medical purposes' to include the purposes of preventive medicine, medical diagnosis, medical research, provision of care and treatment, and the management of healthcare services by a medical or dental practitioner or a legally recognized traditional healer (Article 96 of the Data Protection Act).

Biometric data: Under the Interpretation Act, 2009, Act 792, technical words are to be interpreted using the technical definition accorded to them. This approach means that the definition of biometric data in different legislation in Ghana would be the defining scope of this technical word. Where biometrics is used in any legislation that is to be construed by an international industry term of art, then the meaning of such term of art would be given the same meaning for purposes of biometric data of a data subject under the Data Protection Act.

Pseudonymization: Under the Data Protection Act, personal data which is processed only for research purposes is exempt from its provisions if:

  • the data is processed in compliance with the relevant conditions; and
  • the results of the research or resulting statistics are not made available in a form that identifies the data subject or any of them.

The technical process of pseudonymization where it achieves compliance with the provisions of the Data Protection Act therefore would be permissible as consistent with research purposes.

5. Legal Bases

5.1. Consent

The Data Protection Act requires that a person must not process personal data without the prior consent of the data subject unless the purpose for which the personal data is processed is (Section 20(2) of the Data Protection Act):

  • necessary for the purpose of a contract to which the data subject is a party;
  • authorized or required by law;
  • to protect the legitimate interest of the data subject;
  • necessary for the proper performance of a statutory duty; or
  • necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.

A data subject may object to the processing of personal data unless otherwise provided by law (Section 20(2) of the Data Protection Act). Where the data subject has objected to the processing of personal data, the person processing the personal data will stop the processing (Section 20(3) of the Data Protection Act).

Section 21(1) of the Data Protection Act states that personal data should be collected directly from the data subject. However, data may be collected indirectly where (Section 21(2) of the Data Protection Act):

  • the data is contained in a public record;
  • the data subject has deliberately made the data public; or
  • the data subject has consented to the collection of the information from another source.

The Data Protection Act notes that a data controller who records personal data must not retain the personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed, unless one of the statutory exceptions applies, including that the data subject has consented to the retention of the record; the limit also does not apply where the personal data has been retained for historical, statistical, or research purposes (Section 24 of the Data Protection Act).

In addition, where a data controller holds personal data collected in connection with a specific purpose, further processing of the personal data must be for that specific purpose.

The further processing of data is considered to be compatible with the purpose of collection where, among other things, the data subject consents to the further processing of the information (Section 25 of the Data Protection Act).

The Minister may, in consultation with the DPC, make supplementary regulations to specify further conditions for consent to be given (Section 94 of the Data Protection Act).

5.2. Contract with the data subject

Please see the section on consent above.

In addition, the Data Protection Act establishes that where a data controller holds personal data collected in connection with a specific purpose, further processing of the personal data shall be for that specific purpose. A person who processes data shall take into account, among other things, the contractual rights and obligations between the data subject and the person who processes the data (Section 25 of the Data Protection Act).

Moreover, a data controller who records personal data must not retain the personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed, except under certain exceptions, including where retention of the record is required by virtue of a contract between the parties to the contract (Section 24 of the Data Protection Act).

5.3. Legal obligations

Please see the section on consent above.

In addition, the Data Protection Act establishes that a data controller who records personal data must not retain the personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed, except under certain exceptions including that the retention of the record is required or authorized by law or that the retention of the record is reasonably necessary for a lawful purpose related to a function or activity (Section 24 of the Data Protection Act).

5.4. Interests of the data subject

The Data Protection Act notes that unless otherwise provided for by the Act, a person must not process personal data that relates to (Section 37(1) of the Data Protection Act):

  • a child who is under parental control in accordance with the law; or
  • the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life, or criminal behavior of an individual.

A data controller may process special personal data in accordance with the Data Protection Act where (Section 37(2) of the Data Protection Act):

  • processing is necessary; or
  • the data subject consents to the processing.

5.5. Public interest

The Data Protection Act sets out that processing of personal data is exempt from the provisions of the Act for the purposes of (Section 60(1) of the Data Protection Act):

  • public order,
  • public safety,
  • public morality,
  • national security, or
  • public interest.

It is important to note that the provisions of the Cybersecurity Act remain applicable to data controllers where matters covered by exempt processing relate to computer systems or computer networks that fit the definition of a critical information infrastructure, that is, a computer system or computer network that is essential for national security or the economic and social well-being of citizens.

The Data Protection Act further requires that a person must not process personal data unless (Section 64 of the Data Protection Act):

  • the processing is undertaken by a person for the publication of a literary or artistic material;
  • the data controller reasonably believes that the publication would be in the public interest; and
  • the data controller reasonably believes that, in all the circumstances, compliance with the provision is incompatible with the special purposes.

Processing and the public good

The processing of personal data for the protection of members of the public in statutorily prescribed circumstances is permitted under the Data Protection Act, for example, against loss or malpractice in the provision of banking, insurance, investment, other financial services, or management of a body corporate.

Similarly, the processing is lawful where it aims to protect the public against dishonesty or malpractice in the provision of professional services or against the misconduct or mismanagement in the administration of a non-profit-making entity amongst other situations. The Data Protection Act addresses in detail the processing of personal data for research purposes and issues relating to retention periods of such data.

5.6. Legitimate interests of the data controller

Please see the section on consent above.

5.7. Legal bases in other instances

Indirect collection of personal data

To ensure that the data subject has some control over how their data are accessed in cases where there is no direct consent on their part, Section 21 of the Data Protection Act prescribes that personal data may be collected other than directly from the data subject in the following circumstances:

  • the data is contained in a public record;
  • the data subject has deliberately made the data public;
  • the data subject has consented to the collection of the information from another source;
  • the collection of the data from another source is not likely to prejudice a legitimate interest of the data subject;
  • the collection of the data from another source is necessary:
    • for the prevention, detection, investigation, prosecution, or punishment of an offense or breach of the law;
    • for the enforcement of a law which imposes a pecuniary penalty;
    • for the enforcement of a law which concerns revenue collection;
    • for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated;
    • for the protection of national security; or
    • for the protection of the interests of a responsible or third party to whom the information is supplied; or
  • compliance would prejudice a lawful purpose for the collection; or
  • compliance is not reasonably practicable.

Processing of data for historical, statistical, and research purposes

The circumstances under which the processing of personal data can be carried out for historical, statistical, or research purposes are set out under the Data Protection Act.

The further processing of data used for historical, statistical, or research purposes and the preconditions that must be put in place for such processing are provided under the Data Protection Act.

Processing in relation to religious or philosophical beliefs

Exceptions relating to the processing of personal data which relates to the religious or philosophical beliefs of a data subject are provided for under the Data Protection Act. The exception applies to processing by a spiritual or religious organization or a branch of the organization, and the processing must be in respect of persons who are members of the organization.

For institutions founded on religious or philosophical principles, processing must be carried out with respect to the members, employees, or other persons belonging to the institution, consistent with the objects of the institution, and necessary to achieve the aims and principles of the institution.

Direct marketing

The use of data for direct marketing is regulated by the Data Protection Act, which provides that a data controller must not use, obtain, procure, or provide information related to a data subject for the purposes of direct marketing without the prior written consent of the data subject. Furthermore, a data subject is entitled at any time, by notice in writing to a data controller, to require the data controller not to process personal data of that data subject for the purposes of direct marketing.

In this regard, 'direct marketing' includes the communication by whatever means of any advertising or marketing material that is directed to particular individuals.

Employee data

With respect to the employer/employee relationship, the processing of employee personal data is regulated by the Data Protection Act. In all matters relating to such processing, the employer is required to take into account the privacy of the employee as a data subject by applying the principles of the Data Protection Act as listed above.

Where the processing involves special personal data, it can only be carried out where such processing is necessary. The objective standard that an employer must satisfy is the ability to demonstrate that such processing is necessary for the exercise or performance of a right or an obligation conferred or imposed by law on an employer.

Automatic processing in the employment context

Under the law, where a decision that significantly affects an individual is based solely on automated processing, the data controller must, as soon as reasonably practicable, notify the individual that the decision was taken on that basis. The individual is then entitled, by notice in writing within 21 days after receipt of the notification from the data controller, to require the data controller to reconsider the decision. The data controller must, within 21 days after receipt of the notice, inform the individual in writing of the steps that the data controller intends to take to comply with the notice.

The areas of exemption for automated processing, which the employer has to demonstrate when challenged by the data subject or the DPC in relation to an investigation based on a complaint, include where the decision is made:

  • in the course of considering whether to enter into a contract with the data subject;
  • with a view to entering into the contract;
  • in the course of the performance of the contract;
  • for a purpose authorized or required by or under an enactment; or
  • in other circumstances prescribed by the Minister of Communication.

It is important to note that the use and application of AI raise issues that include, but go beyond, data subject processing under the Data Protection Act. Issues of automated processing and decision-making fall outside the Data Protection Act's scope where they relate to matters other than data subject processing and decisions about data subjects. This means that whilst the Data Protection Act may provide guidelines for automated decision processing as it relates to data subjects, those guidelines should not be extended to areas beyond the regulatory mandate of the Data Protection Act. Work on a legal framework for AI is ongoing and is at different stages of development.

6. Principles

The principles of data subject privacy which every data controller is obligated to take into account in processing data are:

  • accountability;
  • the lawfulness of processing;
  • specification of purpose;
  • compatibility of further processing with the purpose of collection;
  • quality of information;
  • openness;
  • data security safeguards; and
  • data subject participation.

It is important to note that the Data Protection Act does not displace the compliance requirements relating to security matters under the Cybersecurity Act, the Electronic Transactions Act, and the IT Agency Act. Data controllers must aim at full ecosystem compliance, in addition to compliance under the Data Protection Act, where the nature of their business covers areas of regulation, self-regulation, and best international practice.

7. Controller and Processor Obligations

Responsibilities

Section 17 of the Data Protection Act provides for the principles, as listed above, that every data controller and data processor is required to take into account.

Every person who processes personal data is required to ensure that such processing is done without infringing the privacy rights of the data subject, in a lawful and reasonable manner.

The Data Protection Act provides the data subject with a legislative standard by which the data controller's activities, which become the subject matter of dispute, may, among other things, be measured.

The Data Protection Act requires that personal data may only be processed if the purpose for which it is to be processed is necessary, relevant, and not excessive. These yardsticks must be used in measuring all claims by the data controller in determining the soliciting and processing of data subjects' information.

The requirement to obtain the data subject's consent to the processing of personal data is a condition that must be fulfilled by the data controller unless the data controller can demonstrate that such processing is (Section 20 of the Data Protection Act):

  • necessary for the purpose of a contract to which the data subject is a party;
  • authorized or required by law;
  • to protect the legitimate interest of the data subject;
  • necessary for the proper performance of a statutory duty; or
  • necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.

Matters to be used in the determination of the actions of a data controller are set out under the Data Protection Act. Data controllers are, therefore, given clear indications and pointers to actions that would be inconsistent with the Data Protection Act, leave their conduct open to challenge, and attract potentially applicable sanctions.

The Data Protection Act provides details of matters to be considered by data controllers in further processing of data. The Data Protection Act requires that the data subject must consent to the further processing of the information, or that the data should be publicly available or have been made public by the person concerned or that further processing is necessary:

  • for the prevention, detection, investigation, prosecution, or punishment of an offense or breach of law;
  • for the enforcement of a law which imposes a pecuniary penalty;
  • for the enforcement of legislation that concerns the protection of revenue collection;
  • for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated; or
  • for the protection of national security.

The Data Protection Act provides for further processing of data which is necessary to prevent or mitigate a serious and imminent threat to public health or safety, or the life or health of the data subject or another individual.

7.1. Data processing notification

Registration by data controllers is a requirement under Section 27 of the Data Protection Act and concerns a registration, rather than a notification, process. It provides that a data controller who intends to process personal data must register with the DPC. An application for registration as a data controller must be made in writing and must contain (Section 47(1) of the Data Protection Act):

  • the business name and address of the applicant;
  • the name and address of the company's representative where the company is an external company;
  • a description of the personal data to be processed and the category of persons whose personal data are to be collected;
  • an indication as to whether the applicant holds or is likely to hold special personal data;
  • a description of the purpose for which the personal data is being or is to be processed;
  • a description of a recipient to whom the applicant intends to disclose the personal data;
  • the name or description of the country to which the applicant may transfer the data;
  • the class of persons or where practicable the names of persons whose personal data is held by the applicant;
  • a general description of measures to be taken to secure the data; and
  • any other information that the DPC may require.

If the data controller intends to keep personal data for two or more purposes, it has to make separate applications for each purpose. The data controller must notify the DPC of changes in the registered particulars within 14 days (Article 55 of the Data Protection Act).

A certificate of registration is issued which is valid for two years, and which must be renewed whilst any person or entity's activities remain that of a data controller under the Data Protection Act.

An application for registration may be submitted on the DPC's Registration Portal.

In accordance with Article 49 of the Data Protection Act, large data controllers and data processors will have to pay a registration fee of GHS 1,500 (approx. $125), medium controllers and processors GHS 750 (approx. $62.3), and small controllers and processors GHS 100 (approx. $16.54) (Page 13 of the Guidelines).

Data processors

The Guidelines state, 'Though not mandatory, data processors are also encouraged to register with the DPC to instill confidence when processing personal data on behalf of their customers (data controllers) who are mandated by law to register with DPC' (the Guidelines, page 3).

Assessable processing

Certain types of processing may constitute assessable processing (Article 57(1) of the Data Protection Act). The DPC must assess if the processing is likely to cause substantial damage or substantial distress to a data subject, or otherwise significantly prejudice the privacy rights of a data subject (Article 57(2) of the Data Protection Act).

The DPC must respond to the data controller within 28 days of receiving the registration application (Article 57(3) of the Data Protection Act). The DPC may extend this initial period by a period that does not exceed 14 days or another period that the DPC may specify (Article 57(4) of the Data Protection Act). The assessable processing cannot be carried out unless the data controller receives a notice from the DPC, or the period of 28 days from the day the DPC received the application for assessment has elapsed, during which the DPC is obliged to inform the data controller whether the processing is likely to comply with the provisions of the Act (Article 57(5) of the Data Protection Act).

Exemptions

With regard to exemptions, the processing of personal data is exempt from the provisions of the Data Protection Act (including the registration requirement) for the purposes of (Articles 60 to 74 of the Data Protection Act):

  • national security;
  • crime and taxation;
  • health, education, social work;
  • regulatory activity;
  • journalism, literature, art;
  • research, history, statistics;
  • disclosure required by law or made in connection with a legal proceeding;
  • domestic purposes;
  • confidential references given by the data controller;
  • armed forces;
  • judicial appointments and honors;
  • public service or ministerial appointment;
  • examination marks;
  • examination scripts; or
  • professional privilege.

7.2. Data transfers

The principles relating to data processing listed above are also applicable to data transfers.

Data transfers can arise on two different fronts. Where a BPO business from a third country has its processing done in Ghana, the data controller is obliged to comply with the data protection laws of that third country in respect of the third-country data subjects whose data the BPO business processes in Ghana. This means that the Data Protection Act cannot be relied on by a BPO business to transfer data into Ghana for processing where doing so would violate the data subjects' third-country data protection laws.

The other front is where personal data protected by the Data Protection Act is outsourced to a third-country BPO operation for processing. The Data Protection Act requires the third-country BPO business to strictly comply with its provisions. This means the BPO business can be held responsible and accountable to the DPC for any infractions relating to data subjects in Ghana to whom the Data Protection Act provides protection.

Issues relating to the legal framework for data centers and cloud storage would be affected by the inter-regulatory and inter-institutional legal framework document, which would deepen understanding and provide additional clarity in light of emerging trends in technology and the national interests on which all countries base their respective technology legislation.

7.3. Data processing records

The principles relating to data retention also carry with them the obligation to maintain data processing records and ensure that data is not kept beyond the retention period.

7.4. Data protection impact assessment

A Data Protection Impact Assessment ('DPIA') is a practice that every data controller should commit to. This is because the Data Protection Act places the DPC in a regulatory position vis-à-vis all data controllers, meaning that data controllers ought to ensure that compliance monitoring is carried out at all times so that there are no breaches of the Data Protection Act. Where there are security breaches, the disclosure regime required under the Data Protection Act means that DPIAs are a core practice that every data controller ought to engage in. Security breaches and violations trigger a DPIA at all times.

The Data Protection Act requires that a data controller must take the necessary steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate, reasonable, technical, and organizational measures to prevent:

  • loss of, damage to, or unauthorized destruction; and
  • unlawful access to or unauthorized processing of personal data.

The Data Protection Act requires that to give effect to this, the data controller must take reasonable measures to:

  • identify reasonably foreseeable internal and external risks to personal data under that person's possession or control;
  • establish and maintain appropriate safeguards against the identified risks;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies.

A data controller is required to observe:

  • generally accepted information security practices and procedures; and
  • specific industry or professional rules and regulations.

These all form the basis of DPIA as a continuous culture and not as a knee-jerk response. Data security is treated as an imposed obligation to monitor and take all reasonable steps to prevent and to notify the data subject of any breaches and compromises to their data.

7.5. Data protection officer appointment

The Data Protection Act refers to data protection officers as data protection supervisors ('DPS'). It is not compulsory for data controllers to engage the services of a DPS. Under the Data Protection Act, a DPS is responsible for monitoring the data controller's compliance with the provisions of the Data Protection Act.

DPS requirements and responsibilities

The DPS is responsible for the monitoring of the data controller's compliance with the provisions of the Data Protection Act. The DPS would also be required to comply with any authorization that imposes a duty on a DPS in relation to the DPC and confers a function on the DPC in relation to a DPS.

The DPS is not required to be a third-party institution. Such a supervisor may be an employee of the data controller. The DPC is given the power to provide qualifying criteria for appointment as a data protection supervisor. In such situations, any person who does not meet such qualifying criteria cannot be appointed as a DPS.

Section 58 of the Data Protection Act makes clear that the appointment of a DPS is not legally mandated. Given the scope of the Data Protection Act and the definition of 'data controllers', it ought to be noted that a mandatory DPS appointment could only be introduced by an amendment to primary legislation. Any encouragement to appoint a DPS must be based on an analysis of the nature and extent of data processing and its implications for data subjects' risk, violations, and the sharing of data between company groupings, affiliates, and direct marketing. It would be useful if the DPC were to provide indicative advisory guidelines over time for applicants to consider in deciding whether to engage a DPS.

A DPS must be certified and qualified (Section 58(1) of the Data Protection Act). The DPC will provide the criteria for qualification and, unless the person satisfies these criteria, they cannot be appointed as a DPS (Section 58(6) and (7) of the Data Protection Act). The DPC has not yet issued such criteria.

7.6. Data breach notification

A data controller is required to observe generally accepted information security practices and procedures and specific industry or professional rules and regulations.

Each of these principles necessarily requires that any security breach is made known in a timely manner to the data subject, the data controller takes steps to prevent further breaches, and the data controller remains accountable to the data subject and provides information necessary to enable the data subject to take such remedial measures as to further protect their privacy rights. The principle that the data subject has a right as part of their privacy rights to participate in matters that relate to their data being processed also imposes a disclosure obligation on the data controller.

The notice regimes under the Data Protection Act provide an additional timetable for compliance and investigation where complaints are also made by the data subjects and where the filing of returns at renewals requires the data controller to make disclosures, some of which relate to security standards and breaches.

The Data Protection Act provides for the mandatory data subject and DPC notification in prescribed circumstances (Section 31 of the Data Protection Act). These include instances where there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by an unauthorized person. The notification is required to provide sufficient information to allow the data subject to take protective measures against the consequences of unauthorized access or acquisition of the data.

The notification must be made as soon as reasonably practicable after the discovery of the unauthorized access or acquisition of the data. The data controller is under a statutory obligation to take steps to ensure the restoration of the integrity of the information system. The notification to a data subject must be communicated by:

  • registered mail to the last known residential or postal address of the data subject;
  • email to the last known email address of the data subject;
  • placement in a prominent position on the website of the responsible party;
  • publication in the media; or
  • any other manner that the DPC may direct.

Sectoral obligations

The Data Protection Act permits other supplemental sector-specific legislation to add to the data subject's rights but not to detract from the Data Protection Act. The Credit Reporting Act, 2007 ('CRA') is one such piece of legislation. The Cybersecurity Act, the Electronic Transactions Act, and the IT Agency Act, together with their subsidiary legislation, would constitute such supplemental sector-specific legislation with which data controllers would have to comply.

7.7. Data retention

The Data Protection Act recognizes that there is no one-size-fits-all approach to retention periods. There is also recognition that the period for which data subject records may be held is capable of being benchmarked against specific issues. One statutory prescribed retention principle is that a data controller must not retain the personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed unless:

  • the retention of the record is required or authorized by law;
  • the retention of the record is reasonably necessary for a lawful purpose related to a function or activity;
  • retention of the record is required by virtue of a contract between the parties to the contract; or
  • the data subject consents to the retention of the record.

The retention period for which personal data may be held may be the subject matter of specialized legislation relating to different aspects of activities. The actions of the data controller may trigger a data subject to submit a request for information, and in such circumstances, the data controller would be required to provide the requested information in line with the provisions of the Data Protection Act.

The data retention regime for personal data retained for historical, statistical, or research purposes provides for different treatments under the Data Protection Act. The data controller is required to ensure that records that contain personal data are adequately protected against access or use for unauthorized purposes.

The Data Protection Act treats retention periods as matters to be determined from multiple perspectives. A retention period may arise by virtue of a specific period being prescribed by law or under a contract, or from the requirement that records be kept so that they remain available for the resolution of potential disputes between the parties. Under the Data Protection Act, where a person uses a record of the personal data of a data subject to make a decision about the data subject, that person is required to:

  • retain the record for a period required or prescribed by law or a code of conduct; or
  • where there is no law or code of conduct that provides for the retention period, retain the record for a period that will afford the data subject an opportunity to request access to the record.

The Data Protection Act imposes an obligation on the data controller to destroy or delete a record of personal data, or to de-identify the record, at the expiry of the retention period.

The Data Protection Act provides for the standard to be complied with by data controllers in the destruction or deletion of a record of personal data, which aims to ensure that intelligible reconstruction is prevented.

The Data Protection Act also recognizes the retention obligations imposed on credit bureaus under the CRA. It provides that an individual must not request information that is held beyond the retention period specified in Section 30 of the CRA, unless the credit bureau has provided that information to third parties beyond the retention period.

When deciding on a retention period, data controllers should appreciate that different areas of operation and different regulators may prescribe retention periods that constitute best practice and protect data subject records within their areas of regulation. Data controllers are advised to conduct a legal due diligence inquiry covering the different areas of data collection and use within their entities, the regulatory regimes with which their business operations must comply, the areas of law under which records would be treated as relevant evidence under the Evidence Act, and the limitation periods provided under the Limitation Act, 1972, N.R.C.D. 54.

7.8. Children's data

Under the provisions of the Children's Act, 1998, a child is a person who is below the age of 18 years. Under the Data Protection Act, the processing of data relating to a child who is under parental control in accordance with the law is prohibited unless otherwise provided by the Data Protection Act.

The Data Protection Act provides exemptions for processing that relates to medical purposes and for processing that is necessary. The latter would include the right of schools to process such data to verify age for the admission of babies, infants, and pupils to educational institutions and related matters. The principles relating to data processing must be upheld at all times.

7.9. Special categories of personal data

The circumstances under which special personal data can be processed are set out under the Data Protection Act and include where processing is necessary, or where the data subject consents to such processing.

Unless otherwise provided by the Data Protection Act, a person must not process personal data which relates to:

  • a child who is under parental control in accordance with the law; or
  • the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life, or criminal behavior of an individual.

Furthermore, a data controller may process special personal data in accordance with the Data Protection Act where:

  • processing is necessary; or
  • the data subject consents to the processing.

Special personal data may also be processed where the processing is carried out in the course of the legitimate activities of a body or association which:

  • is established for non-profit purposes;
  • exists for political, philosophical, religious, or trade union purposes;
  • relates to individuals who are members of the body or association or have regular contact with the body or association in connection with its purposes; and
  • does not involve disclosure of the personal data to a third party without the consent of the data subject.

The Data Protection Act defines 'necessary' to cover situations where the processing is for the exercise or performance of a right or an obligation conferred or imposed by law on an employer. Under Section 37(4) of the Data Protection Act, special personal data may also be processed without consent where it can be established that the processing is necessary for the protection of the vital interests of the data subject and:

  • it is impossible for consent to be given by or on behalf of the data subject;
  • the data controller cannot reasonably be expected to obtain the consent of the data subject; or
  • consent by or on behalf of the data subject has been unreasonably withheld.

The scope of activities under which special personal data may be processed which would constitute legitimate activities of a body or association and the circumstances under which the processing of special personal data is presumed necessary are set out under Section 37 of the Data Protection Act and include the following:

  • for purposes relating to legal proceedings;
  • obtaining legal advice;
  • in the exercise or defense of legal rights;
  • administration of justice; and
  • for medical purposes where this is undertaken by a health professional, and pursuant to a duty of confidentiality between patient and health professional.

Under the Data Protection Act, the Minister may in consultation with the Commission by legislative instrument prescribe further conditions which may be taken by a data controller for the maintenance of appropriate safeguards for the rights and freedoms of a data subject related to processing of special personal data.

Under the Data Protection Act the processing of personal data is exempt from the provisions of the Act for the purposes of:

  • public order;
  • public safety;
  • public morality;
  • national security; or
  • public interest.

Provisions are made in the law for challenge and for judicial review of processing which is certified as exempt processing under the Data Protection Act.

7.10. Controller and processor contracts

The Data Protection Act provides for BPO (business process outsourcing) arrangements with foreign-based data controllers and imposes obligations on data processors in Ghana in respect of such inflows. Where personal data originating from a foreign jurisdiction is sent to Ghana for processing, the data processor must ensure that the processing complies with the data protection legislation of that jurisdiction.

The Data Protection Act requires that in respect of data subjects whose rights are governed by the laws of Ghana, data controllers comply with the provisions of the Data Protection Act. A data controller must ensure that a data processor that processes personal data for the data controller establishes and complies with the security measures specified under the Data Protection Act.

This means that outsourcing of data processing is permitted but the data controllers are not relieved of their compliance obligations under the Data Protection Act. Any outsourcing of 'foreign based' data controller processing of matters subject to the Data Protection Act must ensure compliance and registration in accordance with the Data Protection Act. Where the data processor is not domiciled in Ghana, the data controller shall ensure that the data processor complies with the relevant laws of Ghana.

Furthermore, the Data Protection Act requires that the processing of personal data for a data controller by a data processor be governed by a written contract (Section 30(3) of the Data Protection Act). Such a contract must require the data processor to establish and maintain the confidentiality and security measures necessary to ensure the integrity of the personal data (Section 30(4) of the Data Protection Act).

Data controllers should appreciate that, under the Data Protection Act, every data processor activity must be authorized by the data controller, because the data controller takes full responsibility for the actions of its data processors. Data controllers must therefore ensure that their processors are made aware of, and have the skills required to keep their processing activities consistent with, the Data Protection Act.

Where the business activities of the data controller fall under multiple regulators, processing contracts should be drafted to ensure compliance with each regulator's requirements. This makes compliance monitoring across regulators more effective and helps avoid regulatory breaches, the accompanying sanctions, and the loss of user confidence that follows when compliance failures exceed what data subjects will tolerate.

8. Data Subject Rights

The data subject is guaranteed the right to privacy under the Constitution. The Data Protection Act covers this privacy right of the individual insofar as it relates to the processing of data subjects' information. An obligation is imposed on anyone who processes data subject information to ensure respect for such privacy rights.

As regulators continue to enact subsidiary legislation, data subjects will become more aware of their rights, and an increase in data breach complaints can be expected.

Additionally, data controllers should ensure that their processing activities are consistent with the requirements of any other relevant regulators. In particular, the use of AI in design, analysis, and solution provision must comply with the requirements of the specialized regulatory areas concerned.

The subsidiary legislation under the IT Agency Act, which is expected to be completed shortly, is expected to provide a legal framework for inter-regulatory cooperation that makes navigating this challenge a smoother process. This approach would create an impetus for growth in innovation across the ecosystem without compromising data subject rights.

Balancing of privacy rights

The Data Protection Act gives data subjects rights to information about, and control over, how their data is processed. The commercial interests of data controllers are also taken into account: the costs associated with providing that information to data subjects are borne by the data subjects. This ensures that the administrative cost to data controllers of responding to such requests does not disproportionately affect their operating costs or business.

The legislation requires proof of identity from requesting data subjects in order to eliminate erroneous claims that waste the data controller's time and resources. Such a request may cover whether the data controller holds personal data about the data subject, a description of the personal data held (including the identity of any third party, or category of third party, who has or has had access to the information), and the correction of data held on the data subject by the data controller. The information must be provided within a reasonable time, after payment of the prescribed fee (if any), in a reasonable manner and format, and in a form that is generally understandable.

8.1. Right to be informed

Section 23 of the Data Protection Act provides that a data controller who collects data shall take the necessary steps to ensure that the data subject is aware of the purpose for which the data is collected.

In addition, where a decision is made solely by automated processing, the data controller must notify the data subject as soon as reasonably practicable. The data subject is entitled, within 21 days after receipt of that notification, to require the data controller to reconsider the decision. The data controller then has 21 days after receipt of the data subject's notice to inform the individual in writing of the steps it intends to take to comply with the notice.

8.2. Right to access

Section 32 of the Data Protection Act provides that a data subject who provides proof of identity may request a data controller to:

  • confirm at reasonable cost to the data subject whether or not the data controller holds personal data about that data subject;
  • give a description of the personal data which is held by the party including data about the identity of a third party or a category of a third party who has or has had access to the information; and
  • correct data held on the data subject by the data controller.

Underlying the privacy rights on which the data protection principles are founded is the data subject's right of access. Each of the principles on which data subject privacy rights rest acknowledges this right of access, since it is the means by which the data subject can verify that the principles listed above are being adhered to. The right to make inquiries, to demand disclosures, to complain to the DPC about violations, and to know the content of the data held by data controllers are all features of the right of access. The Data Protection Act balances this right against the need to ensure that data controllers' businesses are not crippled by access demands, by distinguishing a reasonable request from one that amounts to business disruption.

8.3. Right to rectification

Right of correction or deletion

Under statutorily prescribed conditions, the data subject has the right to request a data controller to correct or delete personal data about the data subject, or to destroy or delete a record of such data (Section 33 of the Data Protection Act). The Data Protection Act provides a procedure to be followed where the data controller contests the request and the parties are unable to reach agreement. Where the data controller complies with the data subject's request, the Data Protection Act requires the data controller to notify all third parties to whom the incorrect information has been provided, and to notify the data subject of the action taken.

8.4. Right to erasure

Rights to require deletion, blockage, or compel processing disclosures

The data subject has rights related to the request for data rectification, blockage, erasure, and destruction with respect to statutory prescribed conditions and situations.

The Data Protection Act also prescribes circumstances in which disclosure of personal data to the data subject is restricted, and expressly sets out the exceptions. These include personal data relating to the physical or mental health or condition of individuals that is held by educational institutions in relation to pupils, and other personal data of a similar description (Section 62 of the Data Protection Act).

8.5. Right to object/opt-out

Right of objection to processing

The data subject is given the right to object to the processing of personal data. Processes and procedures are laid under the Data Protection Act to deal with such objections and in the event of disputes between the data subject and the data controller, an adjudication mechanism has been put in place to address this.

Data controllers and data processors are required to notify the data subject where there are reasonable grounds to believe that the data subject's personal data has been accessed or acquired by an unauthorized person.

Right to stop processing

A data subject who believes that prohibited processing is being carried out has the right to have it stopped. The Data Protection Act gives the data subject a statutory right to issue a notice in writing to a data controller requiring it to provide particulars of the data processed under the relevant exemption. Where the response indicates a violation of the data subject's rights, the statute provides mechanisms for redress and a sanctions regime for processing contrary to the provisions of the Data Protection Act.

8.6. Right to data portability

It is important to note that the Data Protection Act and its principles are technology-neutral. This means that changes in technology do not necessarily require amendments to the Data Protection Act in order to require compliance.

Data portability is technology-specific: it arises from the opportunities that hardware and software offer for moving data between systems. Where such technology is applied to data subjects' personal data, the resulting questions are treated as data portability issues.

Whilst data portability is a matter addressed by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the absence of mention of data portability in Ghanaian legislation does not relieve any data controller from adherence to the principles of privacy of data subject information which ought to be complied with under all applications of existing and new technology.

Data portability acknowledges, in clear and unambiguous terms, a deeper right of data subject participation. It underlines the principle that the data controller is accountable to the data subject: where technology makes personal data capable of being transmitted with the consent of the data subject, and without prejudice to the legitimate rights of the data controller required to transmit it, this must be done. It reinforces that the privacy rights in question belong to the data subject and not to the data controller.

The data subject's right to participation is acknowledged as a statutory right, and the absence of the term 'data portability' from the Data Protection Act therefore does not prevent the data subject from asserting it. This creates a need for more proactive guidance from the DPC as technology evolves and new uses and applications for data subjects' data arise.

8.7. Right not to be subject to automated decision-making

Automated processing and decisions

Where a dispute arises between the data subject and the data controller over a decision made by automated processing, the DPC may, following an investigation of the data subject's complaint, order the data controller to comply.

8.8. Other rights

Additional rights

The right exists to have the DPC's decisions reviewed where they are inconsistent with the provision of the Data Protection Act or other relevant and applicable laws.

The Data Protection Act acknowledges that additional legislation may give the data subject rights beyond and in addition to those prescribed by the Data Protection Act. The Data Protection Act makes it clear that such legislation can only add to, but not erode, existing data subject rights under the Data Protection Act. The Right to Information Act, 2019 was enacted on March 26, 2019, and, among other things, mandates that a timely response be given to any citizen who asks for information.

The CRA is another piece of legislation that impacts data subject rights. The Data Protection Act harmonizes data controller obligations and data subject rights under the CRA. This is due to the fact that the Data Protection Act would be the law according to which a 'data controller' within the meaning of the CRA is required to register as a data controller. Such a data controller would be required to comply with the provisions of the Data Protection Act.

Protection from unwarranted damage and distress

The Data Protection Act also prohibits the processing of information that would cause unwarranted damage or distress to an individual as a privacy violation issue. The data subject has a right to request such data controller to cease or not begin processing such personal data.

Protection from direct marketing

The use of data subject information for direct marketing is prohibited under the Data Protection Act unless the prior written consent of the data subject is obtained. Even where consent has been given, the data subject has the right at any later date, by notice in writing, to require the data controller not to process the data subject's personal data for direct marketing purposes. Direct marketing is defined under the Data Protection Act to include 'the communication by whatever means of any advertising or marketing material which is directed to particular individuals' (Section 40(4) of the Data Protection Act).

Expansions of assessable processing

The Data Protection Act allows the Minister of Communication, by executive instrument, to expand the matters that may be described as assessable processing (Section 57(1) of the Data Protection Act). Such an instrument must specify the actions that constitute assessable processing, and these must be matters where the processing is likely to cause substantial damage or substantial distress to a data subject, or otherwise significantly prejudice the privacy rights of a data subject.

The Data Protection Act is also drafted so that the rights of foreign data subjects are not violated by data processors in Ghana. Where personal data originating from a foreign jurisdiction is sent to Ghana for processing, the data processor must ensure that it is processed in compliance with the data protection legislation of that jurisdiction.

Because the registration regime applies to data controllers, this design ensures that data processors cannot engage in rogue processing, and that a data processor cannot raise the defense of a legislative void in the control of its activities.

The effect of the legislation is to make it practically difficult for any data controller to feign ignorance about any activity of the data processor inconsistent with the Data Protection Act or data controller obligations.

Additional data subject rights regimes

The Data Protection Act recognizes that additional data subject rights may arise under particular technical legislation. For example, in the case of credit reporting, the CRA deals with credit bureaus and credit reporting and provides for related matters. Whilst all data controllers would require compliance with the Data Protection Act, persons and data subjects under the CRA have some unique peculiarities that add to data subject rights.

This is captured in the Data Protection Act, which provides that where the data controller is a credit bureau within the meaning of the CRA, a request for information by a data subject is subject to the requirements of Section 36 of the Data Protection Act in addition to those specified under the CRA.

As outlined in Section 36(2)(a) and (b) of the Data Protection Act, a data subject who requests information from such a data controller may limit the request to personal data relevant to the data subject's financial standing and history for the 12 months preceding the date of the request, and the request is considered to be so limited unless it shows a contrary intention.

9. Penalties

The Data Protection Act provides an uncomplicated and transparent manner to provide prima facie evidence before the court where data subject processing disputes become the subject matter of litigation. A process of judicial review is also provided under the Data Protection Act for challenges where the defense of exempt processing is claimed.

Damage, distress, and sanctions

The Data Protection Act provides for sanctions where an individual suffers damage or distress through the contravention by a data controller of the requirements of the Data Protection Act. Such an individual is entitled to compensation from the data controller for damage or distress.

Assessable processing and sanctions

A data controller who contravenes the prohibition on assessable processing under the Data Protection Act commits an offense and is liable on summary conviction to a fine of not more than 250 penalty units, a term of imprisonment of not more than two years, or both.

Notices and sanctions

The DPC has the power, in respect of a contravention of the data protection principles, to serve the data controller with an enforcement notice. This notice may require the data controller:

  • to take, or refrain from taking, the steps specified within the time stated in the notice;
  • to refrain from processing any personal data, or personal data of a description specified in the notice; or
  • to refrain from processing personal data, or personal data of a description specified in the notice, for the purposes specified or in the manner specified after the time specified.

An enforcement notice may also require the data controller to rectify, block, erase, or destroy other data held by the data controller.

Following complaints received from the data subject, the DPC has the authority to issue an information notice to the data controller specifying the contravention and to give the data controller notice to cease processing personal data.

Non-compliance with an information or enforcement notice issued by the DPC is itself sanctioned. A data controller that defaults in this way commits an offense and is liable on summary conviction to a fine of not more than 150 penalty units, a term of imprisonment of not more than one year, or both.

Trading of personal data and sanctions

The trading of personal data is prohibited under the Data Protection Act. It is an offense to engage in such activity, and the perpetrator is liable on summary conviction to a fine of not more than 250 penalty units, a term of imprisonment of not more than two years, or both.

Selling of personal data and sanctions

A person who sells or offers to sell the personal data of another person commits an offense and is liable on summary conviction to a fine of not more than 2,500 penalty units, a term of imprisonment of not more than five years, or both. An offer to sell personal data includes an advertisement indicating that personal data is or may be for sale. In this way the Data Protection Act safeguards the constitutional protection of privacy.

Offenses and sanctions under the Data Protection Act

The Data Protection Act provides for penalty provisions to be made in respect of offenses created under the Regulations.

9.1 Enforcement decisions

The website of the DPC does not yet publish details of enforcement notices issued or decisions given. Nor does it yet publish details of complaints received, or of the data controllers against whom complaints are pending, concluded, or resolved.

The DPC provided a period of amnesty as part of the process of deepening education and awareness of the Data Protection Act. This was considered necessary for stakeholder ownership and participation, and for deepening data subjects' awareness of their rights.

As subsidiary legislation under the Data Protection Act is developed, further details of the complaints process, the publication of complaints, and the publication of enforcement notices and decisions will be addressed. The existing Act provides the primary legal framework, which such subsidiary legislation would build on and improve.
