What Individuals and Organisations Must Know
Ghana’s Data Protection Act, 2012 (Act 843) provides individuals (customers/clients, employees/staff, patients, students, congregants, members, etc) more control over how government institutions, businesses, associations, schools, churches, and private enterprises process their personal data.
This article serves two purposes: to bring to the attention of
(1) the individual (data subject): the knowledge of the rights granted to him/her by Act 843, when and how to exercise these rights to their benefit.
(2) the organization: the individuals’ rights provisions under the Act 843, know how and when to respond to an individual exercising any of these rights.
Unfortunately, your right to data protection is not absolute. It must always be balanced against other values, fundamental rights, human rights, or public and private interests and there may be circumstances under which an organisation may have grounds to refuse to grant an individual’s request to exercise their data protection rights. There are certain limitations contained within the data protection rights set out under Act 843. For example, your right to access your data should not adversely affect the rights and freedoms of others. Certain data protection rights only apply in certain circumstances. The right to erasure (Right to be forgotten), for instance, only applies under certain conditions, such as the personal data is no longer being required for the purpose it was collected.
The Act allows for further restrictions on data protection rights in other Ghanaian national laws such as other Acts, Legislative Instruments, regulatory directives, etc. Nonetheless, these restrictions must comply with certain strict requirements, respect the essence of the fundamental rights and freedoms of individuals, and be necessary and proportionate to safeguard certain objectives of larger Ghanaian society or general public interest. Some of the restrictions contained in Act 843 relate to processing carried out for taxation purposes or matters on national security, public health or the exercise or defence of legal claims, and personal data relating to an opinion given in confidence.
Organizations are required by law to respond to your requests (for access to your information or rectification of your personal data) within twenty-one (21) days, even if they believe they have grounds to refuse it [Section 39(2)]. Where an organisation refuses or partly refuses your request, their response must set out clearly which limitation or restriction they are relying on to refuse to act on the request, their reasons for not taking action, and informing you of the possibility of lodging a complaint with the Data Protection Commission (DPC) or seeking a judicial remedy.
Every Ghanaian citizen or the data subject is entitled to have their personal information protected, used in a fair and appropriate legal way, and made available to them when they request a copy. If an individual identifies that their personal information is wrong, they are entitled to ask for the correction of such information. Act 843 protects people (data subjects) against unnecessary data collection, use of data in unanticipated ways, and biased algorithmic decision-making.
We are undoubtedly in the digital age and personal data is at the core of most digitisation initiatives and processing activities. Our personal data is intrinsically linked to our private life. Our online activities are dotted with digital traces that can reveal intimate details of our thoughts, beliefs, movements, associates, and activities. Such data must be processed fairly for specified purposes and based on the consent of the person concerned, or some other legitimate legal basis established. Everyone has the right of access to data that has been collected concerning him or her, and the right to have it rectified.
The rights granted by Act 843 include the following:
Right 1: The right to be informed [Section 23 and 27]
One of the principles of data protection legislation is transparency, with one of the data protection rights being the right to be informed. This means that organisations that collect/receive personal data must clearly and fully inform the individuals concerned, normally at the point when personal data is being collected, how their personal data will be used. This is called ‘Privacy Information’ and it is normally presented in a privacy notice. There are a few circumstances when organisations do not need to provide people with a privacy notice, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
Right 2: The right to give and withdraw consent [Section 20]
Consent is one of the legal bases for which your personal data can be processed. Consent must be a “freely given, specific, informed and unambiguous indication” via a statement or clear affirmative action, that you agree to the processing of your data. When you give consent, you give the organization (the data controller) the right to process your personal data. You can withdraw your consent after you have given it. However, your right to withdraw (revoke) your consent is only applicable when the processing of your data is based on consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Before giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Right 3: The right of access [Section 35]
The right of access, also referred to as subject access or a Subject Access Request (SAR) or Data Subject Access Request (DSAR), gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why an organisation is using their personal data, and to understand if that use is lawful. Organizations should note that individuals (data subjects) can make SARs verbally or in writing, including via social media, contact forms, emails, and postal addresses connected with the organizations. An organization (a data controller) shall comply with SAR promptly and in any event within forty (40) days from the date of receipt of the request where other people’s data might be included. The organization is required to perform a reasonable search for the requested information and should provide the information in an accessible, concise, and intelligible format. The information should be disclosed securely. The organization can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
Right 4: The right to rectification [Section 33(1)(a)]
If personal data is inaccurate, out of date, or incomplete, individuals have the right to correct, update, or completion of that data. Collectively, this is referred to as the right to rectification. Rectification may involve filling the gaps i.e., having incomplete personal data completed – although this will depend on the purposes for the processing. This may involve adding a supplementary statement to the incomplete data to highlight any inaccuracy or claim thereof. This right only applies to an individual’s own personal data; a person cannot seek the rectification of another person’s information unless the individual is a minor or the requestor is acting in a legal capacity or mandated by law.
Right 5: The right to erasure (Right to be forgotten) [Section 33(1)(b)]
In certain circumstances, people can ask for their personal data to be deleted or erased from the records held by organisations. However, this is a qualified right; it is not absolute and may only apply in certain circumstances.
Data subjects have the right to the erasure of personal data on any of the following grounds:
- The data are no longer necessary concerning the purposes for which they were collected or otherwise processed.
- The data subject withdraws the consent on which the processing is based and where there is no other legal ground for the processing.
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing.
- The personal data have been unlawfully processed.
- The personal data must be erased for compliance with a statutory duty.
Right 6: The right to prevent processing for direct marketing [Section 40]
Individuals have an absolute right to prevent an organisation from using their personal data for direct marketing – in broad terms, this means promoting an organisation aims and objectives and trying to sell things. Once such an objection is raised, the use of personal data for direct marketing purposes must stop. Direct marketing includes the communication by whatever means of any advertising or marketing material that is directed to particular individuals. An organization shall not provide, use, obtain, procure, or provide information related to a data subject for direct marketing without the prior written consent of the data subject.
Right 7: The right to object [Section 20(2), (3), 39, 40, 41]
Act 843 gives individuals the right to object to the processing of their personal data at any time. This effectively allows individuals to stop or prevent an organization from processing their personal data. An objection may be about all the personal data the organization holds about the individual or only to certain information. It may also only relate to a particular purpose the data is being processed for. When the organization agrees to an objection, it must stop using the personal data for that purpose unless it can give strong and legitimate reasons to continue to make use of the data, despite the objections raised.
Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, you are permitted to store the personal data, but not use it. An individual can request restrictions verbally or in writing. This means that an individual can limit the way that an organisation uses their personal data. This is an alternative to requesting the erasure of their data. If the right to restrict processing is available and applied, then the organization can continue to retain/store personal data, however, no other use of the data can be made until the restriction is lifted.
The data subject shall have the right to object to or prevent the processing of personal data under the following conditions:
- for a specified purpose or manner [Section 39]
- direct marketing [Section 40]
- by automated decision-making (including profiling) [Section 41]
- processing for scientific or historical purposes.
Because this is a qualified right, there are exceptions that the organization can fall on to continue to process the data if the organization can demonstrate compelling legitimate grounds for the processing, that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
Right 8: Rights to automated decision making and profiling
Individuals have the right to object to automatic decision-making and profiling. You have the right to not be subject to a decision based solely on automated processing. Processing is “automated” where it is carried out without human intervention and where it produces legal effects or significantly affects you. Automated processing is permitted only with your express consent, when necessary for the performance of a contract, or when authorised by law. Where one of these exceptions applies, suitable measures must be in place to safeguard your rights, freedoms, and legitimate interests. This may include the right to obtain human intervention on the controller’s part, the right to present your point of view, and the right to challenge the decision.
An organization can only carry out solely automated decision-making with legal or similarly significant effects if the decision is:
- necessary for entering or performing a contract between an organisation and the individual
- authorised by law (for example, for fraud or tax evasion) or
- based on the individual’s explicit consent.
Where automated processing relates to the special categories of personal data, the processing is only lawful where the individual has given his/her express consent to the processing, or where it is necessary for reasons of substantial public interest.
Right 9: Right to complain [Section 41]
An individual (data subject) has the right to complain about an issue or issues that relate to the processing of their personal data. The complaint could be lodged directly with the data controller, data processor, or with the Data Protection Commission (DPC) – which is the supervisory authority in Ghana – where necessary. The complaint must be in writing. However, the practice is that the individual first lodge the complaint with the organization (the data controller). If the issue is not addressed to the satisfaction of the individual, then it can be escalated to the Data Protection Commission for redress. When a complaint has been lodged, the data controller must respond to the data subject, if it is going to comply with the request or not, and why, notify the data subject of actions taken or being taken to comply, and provide evidence of any decision taken.
Right 10: Right to compensation [Section 43(1)]
Where an individual suffers damage or distress through the contravention by a data controller of the requirements of Act 843, that individual is entitled to compensation from the data controller for the damage or distress. The damages suffered could be material or non-material.
How long will it take?
When an individual’s request to exercise their rights is made, the data controller must:
- Provide information on action taken “without undue delay”.
- In any event, within twenty-one (21) working days of receipt of the request.
- The twenty-one (21) working days period may be extended to forty (40) working days, where necessary, considering the complexity and number of requests.
- In this case, the data controller shall inform the data subject of any extension within the twenty-one (21) working days of receiving the request and explain the reasons for the delay.
- If the data controller does not act on the request of the data subject, the data subject must be informed without delay and, at the latest, within the twenty-one (21) working days of receipt of the request, of:
- the reasons for not taking action.
- the possibility of lodging a complaint with the Data Protection Commission and seeking a judicial remedy (through the courts).
Author: Emmanuel K. Gadasu
(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)
For comments, contact author firstname.lastname@example.org or Mobile: +233-243913077