Navigating Automated Decision-Making  

Introduction 

The digital age has ushered in an era of unprecedented data processing, where algorithms and artificial intelligence increasingly dictate decisions that impact our lives. From credit scores to job applications, automated decision-making (ADM) is rapidly transforming how we interact with services and institutions. However, this convenience comes with inherent risks, demanding robust legal frameworks to safeguard individual rights. As a practitioner and data protection consultant, I aim to demystify ADM and illuminate the rights of data subjects, particularly within the context of Ghana’s Data Protection Act, 2012 (Act 843) and the General Data Protection Regulation (GDPR). 

Defining Automated Decision-Making (ADM) 

ADM, in its essence, refers to decisions made solely by automated means, without human intervention. This involves the use of algorithms and software to process personal data and reach conclusions that directly affect individuals. These decisions can range from simple classifications to complex risk assessments, impacting areas such as employment, finance, healthcare, and even legal proceedings. 

The key characteristic of ADM is the absence of meaningful human involvement in the decision-making process. While humans may design and program the algorithms, the final decision is reached autonomously by the system. This raises concerns about transparency, fairness, and the potential for algorithmic bias. 

Ghana’s Data Protection Act 843: A Framework for Protection 

Ghana’s Data Protection Act, 2012 (Act 843), provides a foundational legal framework for data protection in the country. While it doesn’t explicitly address ADM with the same granularity as the GDPR, it lays down principles that are applicable to automated processing. 

Act 843 emphasizes the principles of lawfulness, fairness, and transparency in data processing. It requires data controllers to process personal data lawfully and fairly, ensuring that data subjects are informed about the purposes of processing. The Act also mandates that personal data be accurate and kept up to date. 

Although Act 843 doesn’t explicitly mention “automated decision-making”, section 18 of the Act, which deals with sensitive personal data, indirectly covers some aspects of ADM relating to sensitive data. The Act also empowers the Data Protection Commission (DPC) to issue guidelines and regulations, which can be used to address the specific challenges posed by ADM. 

GDPR: A Comprehensive Approach to ADM 

The GDPR, on the other hand, provides a more comprehensive framework for regulating ADM. Article 22 of the GDPR specifically addresses automated individual decision-making, including profiling. It establishes the right of data subjects not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning them or similarly significantly affect them.

Rights of Data Subjects in ADM and How to Exercise Them 

Under the GDPR and, by extension, within the spirit of Ghana’s Act 843, data subjects possess several crucial rights regarding ADM: 

  1. Right to Information: Data subjects have the right to be informed about the existence of automated decision-making, the logic involved, and the significance and envisaged consequences of such processing. This can be exercised by submitting a formal request to the data controller, asking for detailed information about the ADM processes used.
  2. Right to Object: Data subjects have the right to object to automated decision-making, particularly when it is based on legitimate interests or public tasks. To exercise this right, they must provide specific reasons relating to their particular situation. They can submit a formal objection to the data controller, clearly stating their reasons for objecting.
  3. Right to Human Intervention: If an ADM decision produces legal effects or significantly affects a data subject, they have the right to obtain human intervention. This means they can request that a qualified individual review the decision and provide an explanation. This can be exercised by requesting a manual review from the data controller.
  4. Right to Explanation: Data subjects have the right to receive a clear and understandable explanation of the logic involved in the automated decision-making process. This helps them understand how the algorithm arrived at its decision. This right is tied to the right to information, and the method of exercise is similar.
  5. Right to Rectification: If the automated decision is based on inaccurate data, data subjects have the right to request rectification. They can submit a request to the data controller to correct the inaccurate data.
  6. Right to Restriction of Processing: In certain circumstances, data subjects can request the restriction of processing, including automated processing. This can be exercised by submitting a formal request to the data controller, clearly stating the reasons for the restriction.
  7. Right to File a Complaint: If data subjects are dissatisfied with the data controller’s response or believe their rights have been violated, they can file a complaint with the relevant data protection authority, such as the DPC in Ghana.

Expectations from Data Controllers and Data Processors 

Data controllers and processors have a significant responsibility to ensure compliance with data protection laws regarding ADM. These responsibilities include: 

  1. Transparency and Fairness: Data controllers must be transparent about the use of ADM and ensure that the processes are fair and unbiased. They must provide clear and concise information to data subjects about the logic involved in the algorithms.
  2. Data Accuracy and Minimisation: Data controllers must ensure that the data used in ADM is accurate, relevant, and limited to what is necessary. They must implement measures to prevent the use of biased or discriminatory data.
  3. Data Security: Data controllers must implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, or disclosure.
  4. Data Protection Impact Assessments (DPIAs): Where ADM is likely to result in a high risk to the rights and freedoms of data subjects, data controllers must conduct a DPIA. This involves assessing the risks and implementing measures to mitigate them.
  5. Human Oversight: Data controllers must provide for meaningful human oversight of ADM processes, particularly when decisions have significant impacts on individuals.
  6. Regular Audits and Monitoring: Data controllers must regularly audit and monitor their ADM systems to ensure compliance with data protection laws and identify potential risks.
  7. Processor Obligations: Data processors also play a crucial role in ADM. They must process personal data only on documented instructions from the data controller and implement appropriate security measures.

Conclusion 

Automated decision-making presents both opportunities and challenges. While it offers efficiency and convenience, it also raises concerns about transparency, fairness, and potential bias. By understanding their rights and exercising them diligently, data subjects can navigate the algorithmic maze and protect their personal data. Data controllers and processors, in turn, must uphold their responsibilities and ensure that ADM is implemented in a manner that respects individual rights and complies with data protection laws. As technology continues to evolve, ongoing dialogue and regulatory adaptation are essential to ensure that ADM serves society in a responsible and ethical manner. 

Author: Emmanuel K. Gadasu 
CEH | CDPS | CIPM | CIPP/E | BSc IT | MSc IT and Law | LLB | Member, IIPGH | Data Protection and Cybersecurity Consultant | Practitioner and Trainer 

For comments, contact: Call/WhatsApp/Telegram +233 24391 3077 

Email: ekgadasu@gmail.com
LinkedIn: https://www.linkedin.com/in/ekgadasu  
Facebook: https://web.facebook.com/ekgadasu/