
What you need to know about data protection in Ghana

Data protection is the process of safeguarding personal information, in accordance with a set of principles laid down by law.

In principle, it involves two parties: an information owner (usually individuals) and an information holder (individuals or organisations that collect and process personal information, e.g. government agencies, hospitals, technology companies, law firms, hotels, banks, etc.).

Data protection seeks to balance an individual’s expectation of the privacy of their information with the information holder's legitimate use of such information.

Data protection is also known as information privacy, data privacy or digital privacy depending on which part of the world you find yourself in.

Data protection requirements and technologies have been evolving for over 100 years. From the first automated business data processing dating back to the United States (US) Census of 1890; the end of World War II; the Universal Declaration of Human Rights in 1948; the establishment of the basic principles of data protection by the Organisation for Economic Co-operation and Development (“OECD”) in 1980 and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (popularly known as ‘Convention 108’) by the Council of Europe in Strasbourg, France in 1981; to date, technology has played a key role in the emergence of data protection laws.

Legal framework

As the world of business data processing evolved, so did the methods and practices of data protection. The laws were developed mainly as a result of technological advances that increased the collection, holding and dissemination of personal information.

In Ghana, the Data Protection Act, 2012 (Act 843) was passed by Parliament as part of laws developed under the Information and Communications Technology (ICT) for Accelerated Development (ICT4AD) Policy to create an enabling legal environment for the development and use of ICT in the country.

The explanatory Memorandum to the Bill which was laid in Parliament noted that the growth, use and development of ICT in the country had led to the generation of large amounts of personal data across various servers, systems/networks in a manner that individuals could not have contemplated at the time of giving out their personal data.

These technological changes had effectively taken control of personal information out of the hands of individuals, making it virtually impossible to guarantee their right to the privacy of their communications.

The memorandum providing the basis for development of Act 843 stated that:

‘Recognising that every Ghanaian has the right to privacy with respect to the processing of personal data, the Bill will activate or give meaning to Article 18(2) of the 1992 Constitution. In essence, the absence of legislation on this matter is an infringement to the right to privacy.’

Various models

Ghana’s approach to data protection leans towards the European model that looks at an omnibus provision which governs both public and private sectors and recognises data protection as a human right.

This human rights approach to data protection guarantees the control over personal data by the individual whose information it is. In other words, you should have a say on how your information is used when you give it to anyone.

The European model can be distinguished from the US model which does not have a single codified law but different laws and executive orders dealing with the concept. Also in the US, data protection is approached from the market perspective that seeks to give more control of personal data to businesses than individuals.

In both models, however, similar principles have been developed, widely recognised and harmonised to protect the privacy of individuals. Currently, almost all countries and regional bodies on the African continent that have developed data protection instruments have frameworks more similar to the European than the US approach.

The fundamental basis for Ghana’s data protection law is Article 18 (2) of the 1992 Constitution which guarantees the following:

‘No person shall be subjected to interference with the privacy of his home, property, correspondence or communication except in accordance with law and as may be necessary in a free and democratic society for public safety or the economic well-being of the country, for the protection of health or morals, for the prevention of disorder or crime or for the protection of the rights or freedoms of others.’

The Data Protection Act set up the Data Protection Commission (DPC) and provided for the process by which personal data can be obtained and used in order to guarantee Article 18(2), otherwise known as the right to privacy.

The Act established eight main principles to be followed when one is collecting, holding, using or processing personal data.

The Act regulates organisations and individuals that collect, handle or process personal data by providing key principles for safeguarding this fundamental right to privacy. It also confers rights on individuals and places obligations on those processing personal data.

The law seeks to balance the need and legitimate use of personal data by organisations and individuals with the right of the owner of such personal data to protect and ensure fair and appropriate use of such information.

To be continued.

The writer is the ICT Law & Data Protection Specialist @ Nsiah Akuetteh & Co., Ghana. She was the first Executive Director of Data Protection Commission of Ghana.
