Data Protection Commission to prosecute defaulting institutions

BY: Emmanuel Bruce

The Data Protection Commission (DPC) has started discussions with the Attorney General’s Department for the establishment of a fast-track court to prosecute data controllers who fail to register with the commission.

Although the Data Protection Act, 2012 (Act 843) requires all data controllers in the country to register with the DPC, only about 5,000 out of the over 60,000 data controllers have registered with it.

The Executive Director of the commission, Ms Patricia Adusei-Poku, said this at a media briefing in Accra yesterday ahead of the celebration of the Global Data Protection Day on January 28, this year.


She said the failure of data controllers to register with the DPC was not only a clear violation of the law but also put the data of people who dealt with those institutions at risk

Ms Adusei-Poku said it also had a direct impact on all, since the controllers provided services on health, education, hospitality, among others.

“In our daily lives, we constantly interact with these non-compliant data controllers. We want to empower citizens to understand the impact of their actions on our lives and the likelihood of harm to us because they are not doing the right thing.

“It is a big task to leave to the commission alone to handle. It is our legal responsibility, but if you leave everything for us, it will take a long time to address it. It is, therefore, the responsibility of every citizen to challenge the status quo and the people you deal with on a day-to-day basis to see if they are doing the right thing or not,” Ms Adusei-Poku said.

She said while the DPC would continue to chase and prosecute non-compliant data controllers, it also counted on the support of the people to deal with the situation.

Registration software

The Executive Director further said the DPC had acquired a registration software for more effective and efficient delivery of its mandate.

She said following the launch of the new software in October last year, the commission expected all establishments affected by Act 843 to duly register and pay the required fees as a legal obligation.

“Several entities have failed to register with the commission since 2014. Though they should have been sanctioned under the law, the commission has refrained from doing so because we want to step up public education and also build the capacity of staff first.

“Due to the impact of the COVID-19 on businesses, the Ministry of Communications has granted a six-month window from October 2020 to March 31, 2021 to allow defaulting data controllers to register with the commission and pay just the current year’s amount due, waiving any applicable arrears,” Ms Adusei-Poku said.

She, therefore, urged all defaulting institutions to take advantage of the amnesty period to be in good standing with the commission.

Data protection day

On the Global Data Protection Day, she said it was celebrated on January 28, every year to create awareness of the importance of protecting privacy as a fundamental human right.

She said the DPC, being a member of the Global Assembly Privacy, would commemorate the day with nationwide week-long activities to sensitise the public to data protection and privacy.