Ghana’s Cybersecurity Act, 2020 (Act 1038) was passed by the Parliament of Ghana on 6th November 2020 and assented by President Akufo-Addo into law on 29th December 2020. It is a 68-page document made up of 100 sections and 3 schedules. The sections are grouped into 18 different subject headings.
This act has become necessary because of the rapid digitalization of the Ghanaian economy, coupled with the high rate of cyber-crimes and other cybersecurity incidents in the country. The act will promote the development of cybersecurity and regulate cybersecurity activities in Ghana. It focuses on the protection of Ghana’s Critical Information Infrastructure. This article provides key highlights and issues of interest from the act and does not seek to interpret the act.
Key highlights from Act 1038
The act applies to all cybersecurity activities in Ghana. It establishes the Cyber Security Authority (Authority) as a body corporate. The National Cyber Security Centre, therefore, transitions into the Cyber Security Authority.
Governance of the Authority
The act establishes an 11-member board that governs the Authority. It also establishes a Joint Cybersecurity Committee made up of 18 members across different ministries, departments, and agencies. The Authority is headed by a Director-General, who is appointed by the President.
Critical Information Infrastructure (CII)
A computer system or network may be designated or withdrawn as a CII by “the Minister”. The Authority is required to register all CIIs and inspect or audit them periodically. The act also spells out the duties of owners of CII and prescribes stringent punishments for attempting to or gaining unauthorized access to CII.
Cybersecurity incident reporting
The act establishes national and sectoral computer emergency response teams (CERT). Institutions are required to report cybersecurity incidents to the relevant sectoral or national CERT within 24 hours after detecting the incident.
Licensing, accreditation, and certification
Per this act, cybersecurity service providers can only operate upon obtaining a licence from the Authority. The Authority may suspend or revoke the licence of a cybersecurity service provider based on the defined conditions in the act. The Authority is also responsible for accrediting cybersecurity professionals and practitioners, as well as certifying cybersecurity products and technology solutions.
Cybersecurity standards, enforcement, and education
The Authority is required to develop, establish and adopt cybersecurity standards for education, skills development, hardware/software engineering, governance, risk management, research and development, and practitioners. It is also required to enforce these standards and monitor compliance; promote public awareness and education on cybersecurity matters.
The act protects children against exposure of indecent image, sexual abuse, cyberstalking, and sexual extortion. It also protects sexual partners on issues of non-consensual sharing of sexual images/videos and threats to distribute sexual images/videos.
Investigative Officers may apply ex-parte to the high court for a production order to collect subscriber information or for an interception warrant to collect or record traffic/content data. The court may grant these applications based on the defined conditions in the act. The Authority may request a service provider to install an interception system to enforce interception warrants issued by a court.
The act establishes an industry forum for discussing cybersecurity matters of interest. The forum may prepare a voluntary industry code in line with the requirements of the act.
The Authority may issue directives to owners of CII and service providers and may request them to furnish it with information that will help in improving the cybersecurity of Ghana. It may also, by court order, authorise a service provider to block, filter, or remove illegal content and phone numbers associated with malicious cyber activities. Public and private institutions are required to co-operate with the Authority in safeguarding Ghana’s cyberspace.
Penalties for non-compliance
Any person or organization that fails to comply with the various provisions of the act commits an offence and can be convicted to fines between 250 to 50,000 penalty units (GHS 3,000 to GHS 600,000), or to a term of imprisonment between 6 months to 25 years, or both.
It is very important and incumbent on cybersecurity professionals, cybersecurity service providers, legal practitioners, owners of CII, compliance professionals, and the general public to fully familiarize themselves with the act. Ignorantia legis neminem excusat (Ignorance of the law is not an excuse).
I implore the Authority to fully discharge its functions under this act in order to safeguard Ghana’s CII in particular and its cyberspace as a whole. I also implore the state to provide the Authority with all the needed resources, logistics, and support to perform its functions effectively and efficiently.
It will be extremely ungrateful on my part to end this article without acknowledging the good works of key stakeholders who contributed tirelessly to the enactment of this act. On behalf of my “fellow Ghanaians”, we are grateful to the Ministry of Communications, National Cyber Security Centre, Consultants, Parliament of Ghana, Attorney General’s department, and the President of Ghana for this landmark achievement.
Sherrif Issah ( IT GRC Consultant | PCI-QSA | Trainer @ Digital Jewels Ltd., and Editorial Board Member, Institute of ICT Professionals Ghana)
For comments, contact author firstname.lastname@example.org | Mobile: +233243835912