January 28 every year is celebrated as International Data Privacy Day – an international effort to create awareness of the importance of privacy and personal data protection. With the increase in data breaches and cybercrime internationally, data protection and cyber security are more important now than ever before. Countries across the globe, including Ghana, use laws and regulatory frameworks, among other measures, to regulate how organizations process the personal data of their citizens both at home and abroad. In Ghana, the Data Protection Commission is the government institution mandated by law to regulate organizations so that they comply with the Data Protection Act 2012 (Act 843).
The use of digital technologies and digitalised data is increasing rapidly across policy areas and is transforming society, changing how citizens, governments, civil society, and companies engage with one another. The attendant challenges are enormous, with automation, biometrics, ID systems, and other technologies being adopted swiftly. It is essential to assess the necessity and risks but, sometimes, these technologies are adopted with insufficient assessment. In particular, the adoption of new technologies may pose considerable challenges to data protection and privacy. For instance, ID systems and biometric databases may allow for certain links to be made between databases, including enabling interoperability with other government systems or information sharing across international borders, exacerbating the risks in terms of personal data protection. Therefore, although technically possible, the linking of different databases is not automatically justified, but must be balanced against an assessment of the inherent risks to data protection and privacy.
The right to privacy is an internationally recognised human right, enshrined in several international human rights treaties widely ratified by many countries and jurisdictions across the globe (among them the United Nations’ Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights), and contained in many conventions at the regional level, as well as national constitutions and bills of rights.
Privacy and data protection are different rights, although intrinsically linked. The right to privacy is broader and includes the right to the protection of personal data, yet covers many elements beyond personal information. The right to data protection safeguards “the fundamental right to privacy by regulating the processing of personal data: providing the individual with rights over their data and setting up systems of accountability and clear obligations for those who control or undertake the processing of the data”, according to Privacy International. Therefore, data protection is essential to the exercise of the right to privacy.
Data protection and privacy work through key ‘principles’ that give individuals rights over their data. Some international data protection and privacy principles have formed the foundation or the basis for the enactment of laws, bills, and regulations by various countries across the globe. Below are some of them:
- United Nations Personal Data Protection and Privacy Principles
- Council of Europe (CoE) Convention for the Protection of Individuals about Automatic Processing of Personal Data (Convention 108, later updated to Convention 108+).
- Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data, referred to as the OECD Privacy Framework.
- General Data Protection Regulation (EU) of the European Parliament and the Council of Europe (GDPR).
- United Nations Guidelines for the Regulation of Computerized Personal Data Files, UN Resolution 45/95.
These instruments have influenced the development of national data protection laws worldwide, translating some data protection and privacy principles into domestic legislation that regulates the processing of personal information.
Core Data Protection and Privacy Principles
The various data protection regulations across the world set out principles for the lawful processing of personal data. Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure, or destruction of personal data. The principles are at the centre of the various enacted regulations; they are the guiding principles of the regulation and compliant processing.
The core data protection and privacy principles which are stipulated in most of the regulations across the globe are:
- Data minimisation or collection limitation
- Purpose limitation or purpose specification and use limitation
- Lawfulness, fairness, and transparency or openness
- Accuracy or data quality
- Storage limitation
- Integrity and confidentiality or security safeguards
- Individual participation
These principles are interrelated and overlap. Each one contains several points of guidance, and it is essential to treat them together as a whole. While they can receive different names, the basic principles are similar across the different data protection and privacy frameworks.
The data protection principles establish the conditions under which processing personal information is legitimate, limiting the ability of both public authorities and private actors to collect, publish, disclose, and use individual personal information without the data subject’s consent. These principles also establish the rights that data subjects hold, such as the ability to determine who holds information about them and how that information is used. They entail several obligations imposed on those processing personal data–the data controller and processor–in both public and private sectors, forcing them to handle this data according to local data protection laws. Hence, and as stated by Privacy International, “A strong data protection framework can empower individuals, restrain harmful data practices, and limit data exploitation”.
Who is responsible for data? What happens when things go wrong?
There are two entities that have control over personal data and/or process personal data: data controllers and data processors. The data controller is the natural person or the legal entity (e.g., government institutions, private companies) that, alone or jointly with others, determines the means of, and purposes for, processing personal data. That means that the data controller has decision-making power regarding data processing and is responsible for safeguarding and handling personal information on computers or structured manual files. The data processor is the individual or legal entity that processes data on behalf of data controllers (which is often limited to technical solutions–the ‘methods and means of processing’).
According to good international data protection practice, and as seen in most laws, conventions, and guidelines, there should be several legal responsibilities and obligations imposed on data controllers and processors. Institutions that process personal data, in their capacity as either data controllers or processors, must be able to demonstrate how they are complying with data protection requirements, including data protection principles, fulfilling their obligations, and upholding the rights of individuals whose data they process. This is the accountability principle, under which controllers and processors must take all appropriate measures to comply with the obligations under the data protection regime. These obligations entail the acknowledgement of the data rights of any individual, such as the right to always access their data, to have their data rectified if it is inaccurate, and to express objections if data processing leads to disproportionate or unfair results.
The author consulted the following materials which readers could refer to for further reading:
- Data Protection for Social Protection: Key Issues for Low- And Middle-Income Countries (GIZ Data Protection for Social Protection)
- General Data Protection Regulation
- Privacy Guide for Businesses–Office of the Privacy Commissioner of Canada
- The Bigger Picture: Privacy and Work in the New Normal (Data Protection World Forum)
Author: Emmanuel K. Gadasu
(Data Protection Officer, IIPGH, and Data Privacy Consultant and Practitioner at Information Governance Solutions)
For comments, contact author email@example.com or Mobile: +233-243913077