If you have ever wondered whether there is any limit to the fundamental human rights which have been sacredly bestowed on you by the Constitution, then the answer is yes. The question remains as to the extent of the limit on persons’ right to protection of privacy as enshrined by the Supreme law of the State. It is true that one of the main tenets of the Rule of Law is to ensure that the fundamental human rights of individuals are upheld.
Article 18(2) of the Constitution provides as follows:
“No person shall be subjected to interference with the privacy of his home, property, correspondence or communication except in accordance with law and as may be necessary in a free and democratic society for public safety or the economic well-being of the country, for the protection of health or morals, for the prevention of disorder or crime or for the protection of the rights or freedoms of others.”
In Ghana, a lot of effort has been made, and indeed still being made to ensure that as much as practicable the fundamental human rights of people are being revered. One area that has garnered a lot of attention in the area of the protection of the privacy of citizens is the issue of data protection.
Data protection is regulated by a number of laws, with the primary legislation being the Data Protection Act, 2012, Act 843. Though a discussion for another day, some other enactments are very important and may be applicable in certain situations. These include the Electronic Communications Act, 2008 (Act 775), the Electronic Communications Regulations, 2011 (LI 1991), the Credit Reporting Act, 2007 (Act 726), the Public Health Act, 2012 (Act 851), the Children’s Act, 1998 (Act 560).
What is data?
Section 96 of Act 843 defines data as information which is processed by means of equipment operating automatically in response to instructions given for that purpose, is recorded with the intention that it should be processed by means of such equipment, is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or does not fall within paragraph (a), (b) or (c) but forms part of an accessible record.
Data processing and use
In processing data, the person in charge shall take into account the privacy of the individual by applying the principles of accountability, lawfulness of processing, specification of purpose, compatibility of further processing with purpose of collection, quality of information, openness, data security safeguards, and data subject participation.
While adhering to the above, it is imperative also for the person processing personal data to ensure that he does so lawfully, reasonably and without any infringements on the privacy rights of the owner of the data, who may be referred to as the data subject. Indeed, there would be no need to process personal data unless the purpose for which it is to be processed, is essential, pertinent and not excessive.
Any person, whether natural or legal who deals with the processing of personal data is required to do so only with the prior consent of the data subject, unless the purpose for which the personal data is processed is necessary for the purpose of a contract to which the data subject is a party, or the processing is authorized or required by law, or the processing of the personal data is done to protect a legitimate interest of the data subject, is necessary for the performance of a statutory duty, is to pursue the legitimate interest of the data controller or a third party to whom the data is supplied. Related to the fact that prior consent is required is the fact that the law empowers the data subject to object to the processing of his or her personal data and where such an objection is exercised, the person who processes the data shall stop the processing with immediate effect.
Registration of entities or persons who intend to use data
In order to ensure that the people or entity making use of the data do so within the ambits of the law, the law has put in place the Data Protection Commission which is responsible for regulating data protection in Ghana.
Hence, any entity which requires the use of data of any data subject must prior to making use of such data register with the Data Protection Commission as a Data Controller.
Before collecting personal data of any data subject, the data controller must ensure that the data subject is aware of the nature of the data being collected, the name and address of the person responsible for the collection, the purpose for which the data is required for collection, whether or not the supply of the data by the data subject is discretionary or mandatory, the consequences of failure to provide the data, the authorised requirement for the collection of the information or the requirement by law for its collection, the recipients of the data, the nature or category of the data and the existence of the right of access to and the right to request rectification of the data collected before the collection.
The data controller may dispense with the need for awareness by the data subject of the collection of personal data in certain situations where necessary. For instance, in order to avoid the compromise of the law enforcement power of a public body responsible for the prevention, detection, investigation, prosecution or punishment of an offence, there may be no need to inform the data subject whose personal data is being collected.
Another instance where the need to inform a person whose personal data is being collected for a purpose may be dispensed with, is where the data collected would be used for the enforcement of law which concerns revenue collection or imposes a pecuniary penalty.
Where data would be used for historical, statistical, research, protection of national security and to avoid prejudice of a lawful purpose, the data controller may dispense with the need to give information about the data collection to the data subject.
Data Controller’s Responsibility to ensure security of data collected and the steps to be taken in the event of breach of security of data collected
A data controller is enjoined by law to take all the necessary steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate, reasonable, technical and organizational measures so as to prevent the loss of, damage to, or unauthorized destruction, as well as unlawful access to or unauthorized processing of personal data.
In order to ensure the security referred to supra, there is the need for the data controller to take reasonable measures to identify foreseeable internal and external risks to personal data under that person’s possession or control while establishing and maintaining appropriate safeguards against the identified risks.
The data controller, in addition to the above would have to regularly verify that the safeguards are effectively implemented and continually updated in response to new risks or deficiencies.
Another way of ensuring the security of personal data collected and in the control or possession of a data controller is for the data controller to observe generally accepted information security practices and procedure and specific industry or professional rules and regulations.
When all necessary steps have been taken by the data controller in ensuring security of the data collected, but there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by an unauthorised person, the data controller or a third party who processes data under the authority of the data controller is required to notify the Data Protection Commission as well as the data subject of the unauthorised access or acquisition.
Every person, pursuant to the right to privacy, has the right to prevent processing of his or her personal data. Section 39 of Act 843 provides as follows:
The rights of persons whose personal data are collected and processed for certain purposes
- “An individual shall at any time by notice in writing to a data controller require the data controller to cease or not begin processing for a specified purpose or in a specified manner, personal data which causes or is likely to cause or in specified manner, personal data which causes or is likely to cause unwarranted damage or distress to the individual.
- A data controller shall within twenty-one days after receipt of a notice inform the individual in writing
- That the data controller has complied or intends to comply with the notice of the data subject, or
- Of the reasons for non-compliance.
- Where the Commission is satisfied that the complainant is justified, the Commission may order the data controller to comply
It would be realised from the provisions above that on one hand the Act affords the data subject the right to refuse the processing of his or her data. On the other hand, the same Acts places a limit on the said right. This is because the Data Protection Commission would only order the data controller to comply with a data subject’s request not to process his or her data where the commission is satisfied that the complainant, being the data subject is justified in his request.
Another right bestowed on a data subject is the right to prevent processing of personal data for direct marketing[i]. Indeed, the Act forbids any data controller from processing personal data for direct marketing without the prior written consent of the data subject. By section 40 of Act 843, the data subject is entitled at any time by notice in writing to a data controller to require the data controller not to process personal data of that data subject for the purposes of direct marketing. If the controller fails to comply, the data subject would then have the right to make a complaint to the Data Protection Commission, and upon being satisfied, may order that the data controller comply with the notice.
Furthermore, by section 41 of Act 843, an individual is entitled at any time by notice in writing to a data controller to require the data controller to ensure that any decision taken by or on behalf of the data controller which significantly affects that individual is not based solely on the processing by automatic means of personal data in respect of which that individual is the data subject.
Again, a data subject is entitled at any time by notice in writing to require a data controller to rectify, block, erase or destroy exempt manual data which is inaccurate or incomplete, or to cease to hold exempt manual data in a manner which is incompatible with the legitimate purposes pursued by the data controller. The notice by the data subject is required to indicate the reasons for the belief that the data is inaccurate or incomplete or held in a manner which is incompatible with the legitimate purpose pursued by the data controller.
If the data controller upon receipt of such notice refuses to comply with the data subject’s request, the data subject may make a complaint to the Commission which shall appropriately direct the data controller to comply with the notice if it is satisfied enough about the complaint.
In addition to all the rights of a data subject stated above, an individual who suffers damage or distress through the non-compliance of the Data Protection Law by any data controller would be entitled to some compensation from the data controller.
Limits to the right of protection of privacy of an individual; the exemption of certain data controllers from the requirement of the law.
The processing of personal data is exempt from the provisions of the Data Protection Act in some circumstances. In fact, the Data Protection Act names identifies categories which are exempt from the provisions of Act 843. These include the processing of personal data for reasons of national security, crime and taxation, health, education and social work, regulatory activities, journalism, literature and art, research, history and statistics, disclosure required or made in connection with a legal proceeding, domestic purposes as well as confidential references given by data controller. Other categories include the armed forces, judicial appointments and honours, public service or ministerial appointments, examination marks, examination scripts and professional privilege.
In respect of national security for instance, section 60 of Act 843 provides that subject to article 18(2) of the Constitution which has been cited supra, a certificate signed by the Minister is prima facie evidence of exemption from the provisions of the Act. Purposes which would qualify as that of national security would include public order, public safety, public morality, national security or public interest.
Recently, there had been a lot of concerns raised about government’s initiative to have access to personal data of citizens in ensuring rapid contract tracing of persons who may or may have come into contact with infected Covid-19 Patients. Such purpose may well fit into the exemption of processing of personal data from the provisions of the Act for the purposes of public safety.
It will be noticed that although the right of persons to the protection of their privacy is one that is enshrined in the constitution, the constitution allows for such rights to be limited for the national good. Therefore, although the law makes serious strides in ensuring the protection of individuals’ privacy rights through the protection of data, the same law allows for such rights to be stifled where the circumstances so require and it would be in the interest of the public good.
The writer is a Lawyer and be reached via email: [email protected]
[i]Section 40(4) of the Data Protection Act defines direct marketing to include the communication by whatever means of any advertising or marketing material which is directed to particular individuals.