This year marks the 10th anniversary of the inception of Ghana’s Data Protection Act, 2012 (Act 843). The Act was assented to on 10th May 2012 and became enforceable on 16th October 2012. It sets out the rules and principles governing the collection, use, disclosure, and care for personally identifiable information by data controllers and data processors. It also establishes the Data Protection Commission (DPC) with the core mandate of ensuring compliance with the Act to protect data subjects.
The Act applies to any organization established in Ghana and processes data in Ghana, any organization that is not established in Ghana but uses equipment or data processors in Ghana, and any organization that processes information originating in part or in whole from Ghana.
There are key activities that data controllers (organizations) can undertake to help their compliance journey. Some of these activities include registering with the DPC, renewing the registration every two years, officially appointing and training a data protection supervisor, conducting data protection gap analysis, establishing and implementing data protection policies, and providing data protection training for employees.
Since the inception of the Act, there are areas that we have done well (The Good), there are others that we could have done better (The Bad), and there are others that we have performed abysmally (The Ugly). This article discusses some of these issues and proffers recommendations.
In line with Section 1 of the Act, the government of Ghana officially launched the DPC on 18th November 2014. This was a major milestone for data protection in Ghana.
The DPC (commission) has sanctioned specific training for data protection supervisors (DPS) and does not recognize any other data protection training (Either locally or internationally). This is very laudable in that it allows the DPS to receive training appropriate to the context of Ghana and Act 843.
Ghana has ratified the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention). The document covers requirements on electronic transactions, data privacy, and cybersecurity. Out of the 10 African countries that have ratified the convention, Ghana was the 5th to ratify in May 2019. This is a simple demonstration of our commitment to data protection.
The commission has been able to improve the registration process for data controllers. The initial registration process was manual and cumbersome. The commission has acquired a web-based application that helps in easy and timely registration. The application also helps assess data controllers’ compliance status and provides a roadmap for compliance.
The commission granted amnesty to data controllers who had not registered with it in the past years. The 6 months amnesty (1st October 2020 to 31st March 2021) allowed data controllers to register and pay only the current year’s fee, without the arrears. This is very laudable as it encouraged data controllers who had earlier not registered with the commission to do so.
The commission has also collaborated with the Ghana Internal Audit Agency to train Internal Auditors to be able to audit data controllers against the requirements of Act 843. Since the audit is a means of validating data controllers’ compliance to Act 843, this collaboration will help improve data protection in state institutions.
Based on personal experience and that of others, the commission sometimes does not respond to phone calls, and with email communication, the response is sometimes unduly delayed or not received at all. Since these media help in making inquiries, making complaints, and reporting data breaches to the commission, a communication gap will not help in containing data breaches and addressing concerns of stakeholders, especially data subjects. In this era of digitization, the commission should not always expect individuals to visit its office for inquiries, report incidents, or lodge complaints.
There is only one organization that has been accredited by the commission to conduct the certified data protection practitioner training for DPS. Such a monopoly does not encourage competition and continuity of the training. Because of this, the service provider may not be motivated to provide the best of service. Also, the training will be adversely impacted if the service provider lacks training resources or goes out of business. The commission, however, disclosed in its media briefing on 26th January 2022, of its intention to accredit additional organizations to provide the training.
The commission does not require an independent audit of data controllers’ compliance with the Act. It only requires data controllers to complete the “Data Protection Act Gap Analysis/Compliance Assessment Report”, which is a self-assessment document completed by data controllers during their certificate renewal every two years. Without an independent audit, it may be difficult to find out the true state of data controllers’ compliance with Act 843.
The commission is under-resourced to perform its functions in line with section 3 of the Act. With this lack of resources, the regulator may not be able to perform its function effectively to safeguard data subjects. This issue is corroborated by the Minister of Communications and Digitalisation in October 2021, at the inauguration of the board of trustees for the commission. She mentioned staff retention as a major issue of the commission. She said several roles in the commission were yet to be regularized, which has led to the resignation of some staff.
Although the commission continues to create awareness for data subjects and data controllers, this is inadequate. Awareness seems more visible only during the annual celebration of the Data Protection Day. Without the needed level of awareness, key stakeholders like data subjects and data controllers/processors will not know their rights and responsibilities in safeguarding personal data.
There is some lack of transparency in the operations of the commission. In line with section 54 of Act 843, I made an official request to the commission this year, requesting for the total number of data controllers who have registered with the commission, and those in good standing. Despite the several follow-ups, my request has not been granted nor any reason given for declining it. I, unfortunately, do not have enough space in this article to narrate the drama that ensued from my request. It is unfortunate for the commission to shield such vital and unclassified information from data subjects.
The failure of some data controllers in registering with the commission is a major setback for data protection in Ghana. Many private and government institutions have failed to register with the commission. In my estimation, out of the about 524,000 registered companies in the new company database, less than 10% of them have registered with the commission. Although the registration does not show an organization’s compliance with the Act, it is one of the key steps in attaining compliance.
There is a weak enforcement regime by the commission. Although it has the authority to impose sanctions/fines on those who contravene Act 843, that authority is not seen to be exercised. There have been some incidents of public interest that should have warranted sanctions/fines to serve as a deterrent to others. However, the culprits were treated with kid gloves.
The Way Forward
To ensure compliance with Act 843, and improve the protection of personal data in Ghana, the following recommendations can be considered:
- The commission should get enough officers to respond to phone calls and emails to aid in timely response to inquiries, incidents, and complaints from stakeholders.
- Other organizations should be given the opportunity to be accredited to conduct the certified data protection practitioner training.
- The commission should require data controllers to undergo annual independent audits of their compliance with Act 843 and make the reports available to the commission.
- Individuals, the state, private and international organizations should support the commission with the needed resources to perform its functions.
- The commission should devise more effective and innovative ways of creating public awareness on data protection/privacy.
- As transparency is a key tenet of good corporate governance, the commission ought to be very transparent to its stakeholders.
- To protect data subjects and avoid penalties, organizations should register with the commission.
- The commission should ensure that entities who contravene the Act are sanctioned accordingly to serve as a deterrent to others.
I am optimistic that, in the next decade will see tremendous innovation and improvement in data protection in Ghana.
Author: SHERRIF ISSAH
Data Protection Activist and Information Security Professional | Member, IIPGH
For comments, contact author firstname.lastname@example.org | +233243835912