. . . Equipping Oneself with the Legal Aspects of data Handling
The Data Protection Act, 2012 (Act 843) is a Ghanaian law that sets out the rules and principles governing the collection, use, disclosure, erasure and care for personal data. It protects the rights of data subjects by mandating data controllers and processors to process personal data in accordance with their rights.
The Data Protection Commission (DPC) is an independent statutory body, established under Act 843 with the core mandate of implementing the provisions of the Act. The mission of DPC is to protect the privacy of data subjects.
Data Subjects are individuals, whose personal data (information) are collected, stored or processed. Almost everyone in Ghana is a Data Subject by virtue of being an employee, a student, saving with a bank, owning a phone number, visiting health facilities or dealing with state institutions.
One of the goals of the DPC is to increase data subject’s awareness of data protection rights and empower them to assert those rights. Consequently, the commission has established the framework for enhancing data protection. This pertains to individuals, professionals and companies alike. In particular, professionals who play significant roles in collecting, storing, giving access to, and sharing data have a huge responsibility. It is said that ignorance of the law is no excuse. It is high time professionals and users get abreast with recent developments in the legal dimension of data handling. A visit to the DPC’s website shows that it has made provisions to achieve its mandate; but do the people it affects care to know about those provisions?
When I read the press release from the Controller and Accountant-General’s Department (CAGD) titled; “Unsolicited text messages to government employees”, I became worried and confused. A legal action should have rather been taken by the affected employees against CAGD. How could companies manage to get phone numbers of government employees without the involvement of staff(s) of CAGD?
Could it be that some telecommunication companies also sell our data to entities, who send us unsolicited text messages on daily basis?
If data subjects are aware of their right under the law, they can take appropriate actions against those who breach their rights. Also, the subjects can thread their professional paths cautiously, especially, given that the next evolution bothers on data.
In order to know the extent to which people in Ghana are aware of Act 843, I conducted a research to investigate this subject.
I interviewed a group of 450 bank employees in 18 different sessions between May and June, 2018. The sample was drawn from two banks in Ghana; with 429 and 21 participants from “Bank A” and “Bank B” respectively. Out of the 450 interviewees, about 90% of them were people with at least, tertiary education and belong to the upper and middle class of our society.
The participants were asked the following questions in this order:
- Which one of you here read or heard of the Data Protection Act, 2012?
- With those of you who have read or heard about it, what do you know about it?
With reference to question 1, 5% (23) of the participants responded in the affirmative. This indicates that, 95% (427) of them were ignorant of the existence of the Act.
The 23 participants who answered question 1 in the affirmative were further asked the second question. Out of these participants, only 8 could mention that, the act is a Ghanaian law that protects data subjects.
In essence, only 2% of the 450 participants knew what the Act was about.
The Feedback and Conclusion
It is evident from the research that, 95% of the participants did not know of the existence of such a law in Ghana, whilst 65% of those who knew of the existence of the law did not know what the law was about. It should also be noted that, 90% of the participants were educated people in the upper and middle class of our society. If people in such a social class are even ignorant of such a law, then what can we say about those in the lower class of our society? There is therefore an urgent call for action; both users and professionals should become very interested in knowing the legal aspects of the ICT industry.
While the DPC conscientiously do all it can to achieve its goal of increasing the data subject’s awareness of data protection rights and empowering them to assert those rights, it is also necessary for the subjects to take advantage of the provisions made. The commission should also go a step further in devising cost effective means such as using the social media to achieve this goal.
The Government of Ghana needs to continue to provide adequate resources to the commission to carry out its functions to safeguard data subjects. Other stakeholders like donor agencies, NGOs and private institutions in this ecosystem can also contribute their quota to help the commission.
Author: Sherrif Issah – (Consultant @ Digital Jewels Ltd and Member: Institute of ICT Professionals, Ghana)
For comments, contact author firstname.lastname@example.org Mobile: +233243835912