In October 2019, the Daily Graphic newspaper reported that a storekeeper was arrested in Madina Market, Accra, by the Data Protection Commission for unlawfully selling large amounts of documents that contained personal information to food sellers.
These documents contained information ranging from bank account information to salary records and telephone numbers. The Data Protection Commission indicated their preparedness to continue exercises like this. Many business owners are unaware of their responsibilities under the Data Protection Act, 2012 (Act 843) (“DPA”), but these duties carry serious consequences. This article provides an overview of the responsibilities of entities/persons that handle data (referred to in the DPA as data controllers) and rights of those that provide data to them (referred to in the DPA as data subjects).
Article 18 of the 1992 Constitution of Ghana guarantees every person’s right to privacy and freedom from interference with this right. The DPA was passed in 2012 to provide guidance on how personal information should be protected and processed. The DPA established the Data Protection Commission to implement and monitor compliance with the DPA.
What is Personal Data?
Personal data under the DPA is defined as information about an individual which can be used to identify that individual. The DPA further categorises the following as “special personal data”:
- Race or ethnic origin;
- Political viewpoints;
- Religious beliefs or other beliefs of a similar nature;
- Physical, medical, mental health or DNA information;
- Sexual orientation; and
- The commission or alleged commission of an offence or related proceedings.
Processing of special personal data is subject to strict guidelines that must be reviewed before such data is processed.
What is a Data Controller?
Where a person/entity determines the purpose and manner in which personal data is processed, the DPA terms this person/entity a data controller. Data controllers are required to register with the Data Protection Commission. Fees for registration vary according to the size and type of entity registering. Where a person or company fails to register as a data controller, they shall be liable for up to two years’ imprisonment or up to GHS3000 in fines or both.
Where an individual/entity processes data on behalf of a data controller, and is not an employee of the data controller, that person/entity is referred to as a data processor. The DPA also creates confidentiality and authorisation requirements for data processors, and requires that data controllers enter written contracts with data processors, where they engage them.
The DPA covers data processed in Ghana, whether by a data controller established in Ghana or not. Where a data controller is not established in the country, but still uses equipment or uses a data processor carrying on business in Ghana to process that data, the DPA shall apply. Processing of data that partially or wholly originates from Ghana is also covered by the DPA. A data controller not incorporated in Ghana is required to register as an external company.
Responsibilities of a Data Controller
Where a data controller collects data, it must be for a specific, explicitly defined and lawful purpose, related to the functions of this data controller, which the data subject must be made aware of. An individual/entity must collect the data directly from the data subject unless:
- The data is in public record;
- The data subject has made it public, or consented to the data being collected from a different source;
- The data collection from another source is necessary for the enforcement of certain laws, the prevention, detection, investigation or prosecution of offences or the protection of a third party; or
- Compliance would not be reasonably practicable or would prejudice a lawful collection purpose.
Data controllers must ensure they keep data secure to prevent loss, destruction or unlawful access.
The purchase or sale of data is specifically prohibited, making the data controller liable to a fine of up to GHS30,000 or a term of imprisonment of up to five years or both.
A data controller must receive prior consent from the data subject for processing unless:
- Data processing is required to carry out a contract that the data subject is party to;
- It is authorized or required by law;
- It is to protect the legitimate interest of the data subject, or to pursue the legitimate interest of the data controller or third party to whom the data is supplied; or
- It is necessary for the proper performance of a statutory duty.
Rights of a Data Subject
A data subject is an individual who is the focus of a piece of personal data. The DPA gives data subjects the right to request from data controllers a description of the data being collected on them, and to have it corrected or deleted (where the data controller no longer has the authority to hold that data). The data subject must, however, provide proof of identification and pay a fee, where the company deems it necessary for some of these requests. A data subject may also, at any time, object to the processing of their personal data or instruct a data controller to stop the processing or use of data for direct-marketing purposes or where its use could cause damage or distress to the subject. Where damage or distress is suffered by the data subject, they may be entitled to compensation from the data controller.
Exemptions under the DPA
The processing of personal data for the following purposes is given either partial or full exemption from the DPA:
- The publication of literary or artistic material;
- Research purposes;
- Academic or professional examinations and marks;
- Professional privilege or legal professional privilege;
- For domestic or personal use;
- National security and crime prevention;
- Processing of religious or philosophical beliefs by spiritual or religious organisations;
- Collection of taxes; or
- Judicial appointments and national honours.
Some exemptions, however, carry requirements that must be met before they can come into effect, and should be studied carefully before their use.
The DPA empowers data subjects with control of how their data is used by data processors and controllers. As privacy and other data issues grow in importance around the world and in Ghana, knowledge of and compliance with the DPA by companies will grow in importance.
The writer is a Senior Associate with the Corporate and Commercial Group at M&O Law Consult, a law firm based in Accra. She can be reached at firstname.lastname@example.org.