Data Protection Act, 2012


The Data Protection Act, 2012 is legislation enacted by the Parliament of the Republic of Ghana to protect the privacy and personal data of individuals. It regulates the process by which personal information is acquired, kept, used or disclosed by data controllers and data processors, by requiring compliance with certain data protection principles. Non-compliance with the provisions of the Act may attract civil liability, criminal sanctions, or both, depending on the nature of the infraction. The Act also establishes a Data Protection Commission, which is mandated to ensure compliance with its provisions and to maintain the Data Protection Register.

History

The Act was first introduced in the Ghana Parliament in 2010, but was subsequently withdrawn by the then Minister of Communications, Haruna Iddrisu, for revision. Parliament passed the bill in 2012, and it received Presidential assent on 10 May 2012. Notice of the Act was gazetted on 18 May 2012, and in accordance with section 99, the Act came into effect on 16 October 2012.

Structure

The Act is made up of 99 sections, arranged under the following headings:

Heading                                                Sections
Data Protection Commission                             1-10
Administration                                         11-13
Finances of the Commission                             14-16
Application of principles of data protection           17-34
Rights of data subjects and others                     35-36
Processing of special personal data                    37-45
Data protection register                               46-59
Exemptions                                             60-74
Enforcement                                            75-81
Records obtained under data subject's right of access  82-83
Information provided to Commission                     84-85
Miscellaneous and general provisions                   86-99

Key terms

Key terms in the Act are defined in the interpretation section, section 96. Unless the context otherwise requires, section 96 provides the following definitions of the notable terms:
“data controller” means a person who either alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed
“data processor” in relation to personal data means any person other than an employee of the data controller who processes the data on behalf of the data controller
“data subject” means an individual who is the subject of personal data
“foreign data subject” means data subject information regulated by laws of a foreign jurisdiction sent into Ghana from a foreign jurisdiction wholly for processing
“personal data” means data about an individual who can be identified, from the data, or from the data or other information in the possession of, or likely to come into the possession of the data controller
“processing” means an operation or activity or set of operations by automatic or other means that concerns data or personal data and the
collection, organisation, adaptation or alteration of the information or data,
retrieval, consultation or use of the information or data,
disclosure of the information or data by transmission, dissemination or other means available, or
alignment, combination, blocking, erasure or destruction of the information or data
“recipient” means a person to whom data is disclosed, including an employee or agent of the data controller or the data processor to whom data is disclosed in the course of processing the data for the data controller, but does not include a person to whom disclosure is made with respect to a particular inquiry pursuant to an enactment
“special purposes” means any one or more of the following:
the purpose of journalism,
where the purpose is in the public interest,
artistic purposes, and
literary purposes

Application of the Act

The Act applies where
  1. the data controller is established in Ghana and the data is processed in Ghana,
  2. the data controller is not established in Ghana, but uses equipment, or the services of a data processor carrying on business in Ghana, to process the data, or
  3. the information being processed originates partly or wholly from Ghana.
Data that originates outside Ghana and merely transits through Ghana is, however, not covered by the Act.
The Act applies to the Government of Ghana, and for that purpose each government department is treated as a data controller.

Data protection principles

The Act provides for eight principles that a person who processes personal data must observe in order to protect the privacy of individuals. These principles are similar to those in the OECD Guidelines and the Data Protection Directive of the European Union.
The data protection principles are enumerated at Section 17 as follows:
  1. accountability
  2. lawfulness of processing
  3. specification of purpose
  4. compatibility of further processing with purpose of collection
  5. quality of information
  6. openness
  7. data security safeguards, and
  8. data subject participation.

Accountability

The accountability principle is generally seen as a fundamental principle of compliance. It requires that a data controller be accountable for compliance with the measures that give effect to the data protection principles.
The Act requires a person who processes personal data to ensure that the data is processed without infringing the rights of the data subject, and in a lawful and reasonable manner. Where the data to be processed concerns a foreign data subject, the data controller or processor must ensure that the personal data is processed according to the data protection laws of the originating jurisdiction.

Lawfulness of processing

Data processing is lawful where the conditions that justify the processing are present.
The Act has a minimality provision, which requires that personal data be processed only where the purpose for which it is processed is necessary, relevant and not excessive.
The prior consent of the data subject is also required before personal data is processed. This requirement is, however, subject to exceptions. For instance, consent is not required where the processing is necessary for the purpose of a contract to which the data subject is a party; is authorised or required by law; is necessary to protect a legitimate interest of the data subject; is necessary for the proper performance of a statutory duty; or is necessary to pursue the legitimate interest of the data controller or of a third party to which the data is supplied. Consent is also required for the processing of special personal data. A data subject may also object to the processing of personal data, and the processing must stop upon such an objection.
In terms of retention of records, the Act prohibits the retention of personal data for a period longer than is necessary to achieve the purpose of the collection, unless the retention is required by law, is reasonably necessary for a lawful purpose related to a function or activity, is required for contractual purposes, or the data subject has consented to the retention. The retention limit does not apply to personal data kept for historical, statistical or research purposes, except that such records must be adequately protected against access or use for unauthorised purposes.
Where a person uses a record of personal data to make a decision about the data subject, the data must be retained only for the period required by law or by a code of conduct, and where no such law or code of conduct exists, for a period that affords the data subject an opportunity to request access to the record. Upon expiry of the retention period, the personal data must be deleted or destroyed in a manner that prevents its reconstruction in an intelligible form, or the record of the personal data must be de-identified.
A data subject may also request that a record of personal data about that data subject held by a data controller be destroyed or deleted where the data controller no longer has the authorisation to retain that data.

Specification of purpose

The Act requires that a data controller who collects personal data do so for a specific purpose that is explicitly defined and lawful, and that is related to the functions or activity of the data controller. The data controller who collects data is also required to take the necessary steps to ensure that the data subject is aware of the purpose for which the data is collected.

Compatibility of further processing

The Act requires that where a data controller holds personal data collected in connection with a specific purpose, any further processing of that data must be compatible with the purpose for which the personal data was initially obtained.
Further processing meets the compatibility requirement where, among other circumstances, the data subject consents to the further processing; the data is in the public domain; or the further processing is necessary for the purpose of fighting crime, for legislation concerning the protection of tax revenue collection, for the conduct of court proceedings, for the protection of national security or public health, or for the protection of the life or health of the data subject or another person.

Quality of information

Under section 26 of the Act, a data controller who processes personal data must ensure that the data is complete, accurate, up to date and not misleading, having regard to the purpose for which that data is collected or processed.

Openness

The openness principle ensures that individuals know about, and can participate in enforcing, their rights under a data protection regime.
Section 27 makes it mandatory for a data controller who intends to process personal data to register with the Data Protection Commission. A data controller who intends to collect data must also ensure that the data subject is aware of the nature of the data being collected, the persons responsible for the collection, the purpose of the collection, and whether the supply of the data is mandatory or discretionary, among other things.
Where the data is collected from a third party, the Act requires the data subject to be informed before the data is collected, or as soon as practicable afterwards.
The Act provides circumstances in which the notification requirement does not apply, including where notification is necessary to avoid compromising law enforcement, to protect national security, or where it relates to the preparation or conduct of legal proceedings (section 27).
Although it is not mandatory, a data controller may also appoint a data protection supervisor, who is responsible for monitoring compliance with the Act. The data protection supervisor may be an employee and must meet the qualification criteria set out by the Data Protection Commission.

Data security safeguards

Under the Act, a data controller has a duty to prevent the loss of, damage to, or unauthorised destruction of personal data, as well as unlawful access to or unauthorised processing of personal data. The data controller must therefore adopt appropriate, reasonable technical and organisational measures to ensure the security of personal data in its possession or control.
The data controller is also required to take reasonable measures to identify and forestall any reasonably foreseeable risks, and to ensure that the safeguards put in place are effectively implemented and continually updated.
The data controller must also observe both generally accepted and industry-specific best practices in securing data, and must ensure that its data processors comply with the security measures. Where a data processor is not domiciled in Ghana, the data controller must ensure that the data processor complies with the relevant laws of its own country.
The Act also requires the data controller to notify the Data Protection Commission and the data subject, as soon as reasonably practicable, of any security breach of its system, and to take steps to ensure that the integrity of the system is restored.

Data subject participation

A data subject can, subject to proving the data subject's identity, request that a data controller confirm whether it holds that data subject's personal data, describe the nature of the personal data held, and identify any third party who has or has previously had access to that data. The request must, however, be made in a reasonable manner, within a reasonable time, after payment of any prescribed fee, and in a form that is generally understandable.
A data subject can also request that a data controller correct or delete personal data about the data subject that is held by the data controller and that is inaccurate, irrelevant, excessive, out of date, incomplete or misleading. Upon receipt of the request, the data controller must either comply with the request or provide the data subject with credible evidence in support of the data.

Special personal data

Under section 96, "special personal data" means personal data which consists of information that relates to
the race, colour, ethnic or tribal origin of the data subject;
the political opinion of the data subject;
the religious beliefs or other beliefs of a similar nature, of the data subject;
the physical, medical, mental health or mental condition or DNA of the data subject;
the sexual orientation of the data subject;
the commission or alleged commission of an offence by the individual; or
proceedings for an offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court in the proceedings;
The Act prohibits the processing of data that relates to children under parental control, or to the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life or criminal behaviour of an individual (section 37).
Special personal data may, however, be processed where the processing is necessary or the data subject has given consent to it. Processing is necessary where it is required to exercise a right or fulfil an obligation conferred or imposed by law on an employer. Special personal data may also be processed where it is necessary for the protection of the vital interests of the data subject, where it is impossible for the data subject to give consent, where the data controller cannot reasonably be expected to obtain consent, or where consent has been unreasonably withheld by the data subject.
Processing of special personal data is presumed to be necessary where it is required for the purpose of legal proceedings or legal advice, and for medical purposes, where it is undertaken by a health professional and subject to a duty of confidentiality between the patient and the health professional.
The prohibition on processing special personal data relating to religious or philosophical beliefs does not apply where the processing is carried out by a religious organisation of which the data subject is a member, or by an institution founded upon religious or philosophical principles with respect to persons associated with that institution, and is necessary to achieve the aims of the institution.

Rights of data subjects

Under the Act, a data subject has the right to have his personal data corrected; to access his personal data; to prevent the processing of personal data that causes or is likely to cause unwarranted damage or distress to him; to prevent the processing of personal data for the purposes of direct marketing; to require a data controller not to take a decision that would significantly affect him based solely on processing by automatic means; to the exemption of manual data; to be compensated, upon proof of damage, for the data controller's failure to comply with the provisions of the Act; and to have inaccurate data rectified.

The Data Protection Commission

The Act establishes a Data Protection Commission with two main objects,
  1. Protect the privacy of the individual and personal data by regulating the processing of personal information, and
  2. Provide the process to obtain, hold, use or disclose personal information.
The functions of the DPC are to:
  1. Implement and monitor compliance with the provisions of the Act,
  2. Make the administrative arrangements it considers appropriate for the discharge of its duties,
  3. Investigate and fairly determine any complaints made under the Act, and
  4. Keep and maintain the Data Protection Register.
The DPC is governed by an 11-member board appointed by the President of Ghana, and the Act provides for certain specific institutional representation. Board members hold office for a period not exceeding three years and cannot be appointed for more than two terms. Allowances for Board members are approved by the Minister responsible for Communications in consultation with the Minister responsible for Finance. The board was officially sworn in on 1 November 2012, and is currently chaired by Prof. Justice Samuel Kofi Date-Bah, a retired justice of the Supreme Court of Ghana. The DPC was officially launched on 18 November 2014.
The Act also mandates the President to appoint an Executive Director, who is responsible for the day-to-day administration of the DPC and for the implementation of the decisions of the Board. Mrs. Teki Akuetteh Falconer is the current Executive Director.
Under the Act, the sources of the DPC's funds include money approved by Parliament, donations and grants, money that accrues to the DPC in the performance of its functions, and any money that the Minister responsible for Finance approves.
The DPC is also granted the power to serve enforcement notices on data controllers requiring them to refrain from contravening the data protection principles. An enforcement notice may be cancelled or varied either by the DPC on its own motion or upon application by the recipient of the notice.

The Data Protection Register

The Act provides for the establishment of a Data Protection Register, which is maintained by the DPC and in which data controllers must register.
Applications for registration as a data controller are to be made in writing, and the Act prescribes certain particulars, such as the business name and address of the applicant, a description of the personal data to be collected, and a description of the purpose of the processing. Knowingly supplying false information is an offence punishable by a fine or imprisonment. A separate entry in the register must be made for each separate purpose for which the data controller wishes to process data.
The DPC may refuse to grant an application where the particulars provided for inclusion in the register are insufficient, where the data controller has not been able to provide appropriate safeguards for the protection of the privacy of the data subject, or where in the opinion of the DPC the applicant does not merit registration. Upon refusing an application, the DPC is required to inform the applicant of the reasons for the refusal, and the applicant may then apply to the High Court for judicial review of the decision.
Registration as a data controller is subject to renewal every two years. The DPC also has the power to cancel a registration for good cause. It is an offence to process personal data without being registered.
The Act also provides for public access to the register upon payment of the prescribed fee.

General exemptions

The Act provides several exemptions for different purposes, as follows:
The processing of personal data is exempt from the provisions of the Act where it relates to national security, or to crime and taxation. Disclosure of personal data relating to health, education and social work is prohibited unless required by law.
The provisions of the Act also do not apply to personal data processed for the purpose of protecting members of the public against specified loss or malpractice.
Personal data processed only for the special purposes (journalism, and literary or artistic purposes) is exempt where the data controller reasonably believes that publication would be in the public interest and that compliance with the provision in question is incompatible with the special purposes.
The non-disclosure provisions do not apply where the disclosure is required by law or by a court.
The Act does not apply where data is processed only for the purpose of managing an individual's domestic affairs.
The data protection principles do not apply to personal data that consists of references given in confidence for the purposes of education, appointment to an office, or the provision of a service by the data subject.
The subject information provisions of the Act do not apply to personal data where disclosure is likely to prejudice the combat effectiveness of the Armed Forces; where the data is processed to assess the suitability of a person for judicial appointment or for the conferment of a national honour; or where it consists of information in respect of a claim to professional privilege or confidentiality.
Personal data is exempt from the provisions of the Act where it consists of examination marks processed by the data controller in relation to an individual's results, or of information recorded by a candidate for academic purposes.

Miscellaneous provisions

The Act prohibits the purchase of personal data and the knowing or reckless disclosure of personal data; contravention of this provision is an offence.
The Act also makes the sale, the offering for sale, and the advertising of the sale of personal data an offence.
The Minister responsible for communications may, in consultation with the DPC make regulations for the effective implementation of the Act.