DataGuidance spoke with the Executive Director of Ghana’s Data Protection Commission (‘DPC’), Teki Akuetteh Falconer, on 4 August 2016, who confirmed that the DPC has recently begun its first enforcement actions pursuant to its powers under the Data Protection Act 2012 (Act 843) (‘the Act’), in relation to data controllers’ registration of their processing activities.
Falconer told DataGuidance, “The registration of data controllers has progressed slowly and we attribute this to a general environment of apathy towards laws in our society and a lack of awareness on the value data protection can bring. We have commenced the prosecution of data controllers for failing to register and, in the near future, we will be issuing more enforcement notices as a result of investigations that are currently on going.”
The DPC began the process of registration of data controllers in April 2015 and has to date registered over 500 controllers, which is a legal requirement under Section 27 of the Act. Falconer clarified, in previous discussions with DataGuidance, that the following types of data controllers are under an obligation to register: data controllers established and processing personal data in Ghana, data controllers not established in Ghana, but using equipment or a data processor in Ghana and anyone processing information that originates partly or wholly from Ghana.
In the near future, we will be issuing more enforcement notices as a result of investigations that are currently on going
According to the DPC’s Registration Guidelines for Data Controllers, data processors are also encouraged to register with the DPC, although this is not a legal requirement, and registration is valid for a period of two years. Failure of data controllers who are processing personal data to register with the DPC is a criminal offence under Section 56 of the Act, which can result in both a fine and imprisonment for up to two years.
Falconer also confirmed that over the next 12 months the DPC’s focus will be on ensuring compliance amongst data controllers. In order to achieve this Falconer noted, “We will issue a general compliance guide that provides a step-by-step approach to implementing the Act, monitor compliance through the auditing of data controllers as well as develop guidelines for key sectors such as security, health, education, finance and communications.”
A transcript of the extended interview with Teki Akuetteh Falconer will be published in the September issue of Data Protection Law and Policy and made available on DataGuidance.
Thomas Brookes | Privacy Analyst