Ghana’s Data Protection Act, New Privacy Legislation

Ghana’s Data Protection Act, 2012, or the Data Protection Act for short is a privacy law that was passed in Ghana in 2012. In addition to establishing the rules and responsibilities of data controllers and processors operating within Ghana, the Data Protection Act also established the Data Protection Commission, or DPC for short. The DPC was established “to protect individuals’ privacy and personal data by regulating the processing of personal information, to outline the process to obtain, hold, use, or disclose personal information, defining the rights of data subjects, prohibited conducts of processing, third-country processing of data relating to data subjects covered by the Act, third-country data subject processing in Ghana, and related matters.

What is the scope and application of the Data Protection Act?

In terms of the personal scope of the law, the Data Protection Act applies to all individuals and agencies within Ghana. Additionally, the Data Protection Act also mandates that personal data is processed in a manner that is lawful, reasonable, and does not infringe on the data privacy rights of data subjects. Conversely, the territorial scope of the law applies to data controllers and processors in instances where:

• The data controller is established within Ghana and the applicable personal data is processed within Ghana.
• The data controller or processor is not established within Ghana but uses equipment or a data processor that operates within Ghana.
• The data processing is with respect to personal data which originates either partly or wholly from Ghana.

What are the data principles that data controllers and processors must adhere to under the Data Protection Act?

Under Ghana’s Data Protection Act, data controllers and processors operating within the country must adhere to the following data protection principles when collecting, processing, or disclosing the personal data of Ghanaian citizens:

• The lawfulness of the processing.
• The specification of purpose.
• Accountability.
• Openness.
• The compatibility of further processing with the purpose of collection.
• The quality of personal data.
• Data security safeguards.
• Data subject participation.

Moreover, the obligation of data subjects to consent to the processing of their personal data is a condition that must also be fulfilled by data controllers, unless said data controllers can effectively demonstrate that such processing is:

• Is proven to be necessary for the purpose of a contract to which a data subject is a party.
• Is proven to be necessary for the proper performance of a statutory duty.
• Is proven to be necessary to pursue the legitimate interests of a data controller, or another third party to whom personal data will also be supplied.
• To protect the legitimate interests of a data subject.
• Is authorized or required by other Ghanaian laws.

What are the rights of data subjects under the Data Protection Act?

In comparison to many other data privacy laws around the world, the Data Protection Act affords numerous rights to data subjects within Ghana as it pertains to their personal privacy. These rights include:

• The right to be informed– Under the law, data subjects must be informed “as soon as reasonably practical” in regards to the processing of their personal data.
• The right to access– Data subjects maintain the right to make inquiries, demand the disclosure of their personal data, and make complaints to the DPC in regards to the violation of their right to access.
• The right to rectification– Data subjects maintain the right to request that a data controller correct or delete personal data pertaining to them.
• The right to erasure– Data subjects maintain the right to request that a data controller rectify, block, erase, or destroy personal data pertaining to them.
• The right to object/opt-out– Data subjects maintain the right to object to both the collection and the processing of their personal data.
• The right to data portability– Data subjects maintain the right to obtain a copy of the personal data, in instances “here technology makes such information capable of being transmitted with the consent of the data subject without prejudicing the right of the data controller required to so transmit the data”.
• The right not to be subject to automated decision making– Data subjects maintain the right to not have their data processed based on automated decision making.
• The right to be protected from unwarranted damage and distress– Under the law, the processing of personal data that would cause unwarranted damage or distress to an individual is prohibited.
• The right to be protected from direct marketing– Under the law, the use of a data subject’s personal data for direct marketing purposes is prohibited, unless a data subject consents to such direct marketing purposes.
• Expansions of assessable processing– Foreign data subjects also maintain the right to have their personal data processed in accordance with the law. This is done by requiring that data processors ensure that all personal data is processed in accordance with the data protection legislation of the applicable legal jurisdiction for which personal data has originated.

In terms of penalties in relation to non-compliance, the Data Protection Commission, or DPC for short has the authority to enforce the Data Protection Act. However, the passing of the Data Protection Act also established an amnesty period for all individuals, agencies, and organizations. As such, enforcement decisions that have been made as it pertains to the Data Protection Law have not been publicized as of the writing of this article. However, data controllers and processors who fail to comply with the law are subject to a monetary fine of up to 150 penalty units, a term of imprisonment of up to one year, or both.

Ghana’s Data Protection differs from other well-known international privacy policies such as the EU’s General Data Protection Regulation or GDPR and Australia’s Consumer Data Right or CDR. However, the provisions of the Data Protection Act clearly outline the obligations that data controllers and processors must abide by when processing the personal data of data subjects, as well as set forth the punishments for failing to do so. As such, the data privacy rights of Ghanaian citizens have been guaranteed by law, whether they are physically within Ghana or in another country.