Ghana - Data Protection Overview
January 2023
1. Governing Texts
Ghana is a Republic and sovereign country. It is a member of the African Union and the Commonwealth. It is also a member of the Economic Community of West African States. It is a signatory to the African Continental Free Trade Agreement ('AfCFTA') and hosts the Secretariat of AfCFTA.
There are 16 Regions in Ghana, and the capital is Accra. Ghana has a policy which promotes the use of Information Communications Technology. The Ghana Information Communication Technology for Accelerated Development Policy ('the Ghana ICT4AD Policy'), which was launched in 2003, is presently undergoing significant review. Ghana is expected to launch its Digital Economy Policy, which would replace the Ghana ICT4AD Policy.
Ghana recognises that, given the inherent nature of technology, issues relating to data subject rights, data controller responsibility, and regulatory oversight and efficiency require a legal framework which ensures that data subjects' privacy rights are not violated in data controllers' pursuit and implementation of technology.
1.1. Key acts, regulations, directives, bills
The 1992 Constitution of the Republic of Ghana ('the Constitution') is the supreme law of Ghana and it is the instrument from which every piece of legislation in Ghana derives its validity. The primary legislation which protects data privacy is the Data Protection Act, 2012 ('the Data Protection Act'). The purpose of the Data Protection Act is to establish a Data Protection Commission ('DPC'), to protect individuals' privacy and personal data by regulating the processing of personal information, to outline the process to obtain, hold, use, or disclose personal information, to define the rights of data subjects, to prohibit certain conduct in processing, to regulate third country processing of data relating to data subjects covered by the Act and third country data subject processing in Ghana, and to provide for related matters.
The Data Protection Act provides key definitions for different areas of individual data privacy. One of the key areas under the Data Protection Act relates to assessable processing. Under the Data Protection Act, the Ministry of Communications ('the Minister') is given power by an executive instrument to specify actions which constitute assessable processing if the Minister considers the assessable processing likely to:
- cause substantial damage or substantial distress to a data subject; or
- otherwise significantly prejudice the privacy rights of a data subject.
Another key feature of the Data Protection Act is the creation of a register of data controllers known as the Data Protection Register ('the Register'). The DPC is required to keep and maintain the Register. Data controllers are required to register with the DPC under Section 27 of the Data Protection Act. The DPC is required to consider whether the processing referred to in each application is assessable and, if so, whether the assessable processing complies with the provisions of the Data Protection Act.
A further key feature of the Data Protection Act is that it applies to state and public authorities and bodies. This ensures that state and public authorities and bodies comply with the binding privacy provisions of the Constitution, subject to the exception stated in the Constitution. In order to substantiate this key feature, the Data Protection Act provides that every government department be treated as a data controller. It also makes it mandatory for each government department to designate an officer to act as a data supervisor.
The Data Protection Act provides for the use of subsidiary legislation to further deepen the effective application of the principles and objects of the Data Protection Act.
The Data Protection Act outlines what constitutes lawful processing, exempt processing, the scope and duties of data controllers, data processors, the Data Commissioner, and data subjects. It balances the need to ensure privacy rights with the rights of the State to remain inviolable, maintain law and order, function effectively, and protect its citizens effectively.
1.2. Guidelines
It is important to note that the Data Protection Act is the primary legislation and its contents are binding and enforceable. The legal status of the Data Protection Act is above that of a policy document; it is law. In areas where legislation is not the most effective tool, the Data Protection Act gives room for policy to be created to fill that gap, or where such policies are needed pending the inclusion of such policy in future legislation.
As a result of the status of the Data Protection Act, matters which under a policy might have been dealt with by implementing guidelines are instead dealt with by giving the Minister power to make directives, prescriptions, legislative instruments, executive instruments, and designated codes of practice for, among other things, strengthening compliance and improving the effectiveness of the Data Protection Act and the attainment of its objectives. The Minister may also give directives to the Board of the DPC on matters of policy.
1.3. Case law
The nature of the primary legislation is to provide data subjects with the ability to enforce their rights against data controllers in a cheap and effective manner. The DPC is given the function to implement and monitor compliance with the provisions of the Act and to investigate any complaint under the Act and determine it in a manner the DPC considers fair.
Resort to case law as the index of how robustly data controllers are held accountable would therefore not give the complete picture. Once the DPC is fully effective and data subjects obtain redress through the DPC, case law would not be the best vehicle for monitoring the effectiveness of the Act. The focus therefore ought to be on monitoring the levels of complaints made to the DPC, the rate of determination of complaints, the notices and sanctions handed out, the appeals made against the decisions and findings of the DPC, and the fate of such appeals.
In respect of enforcement notices, the Data Protection Act provides that: 'An enforcement notice shall contain a statement of the data protection principle which the Commission is satisfied has been contravened and the reasons for that conclusion. Subject to this section, an enforcement notice shall not require any of the provisions of the notice to be complied with before the end of the period within which an appeal may be brought against the notice and, if the appeal is brought, the notice may not be complied with pending the determination or withdrawal of the appeal'.
Another area where case law may supplement the work of the DPC would be under Section 48(2) of the Data Protection Act. This provides that:
Where the Commission refuses an application for registration as a data controller, the Commission shall inform the applicant in writing within 14 days:
- a refusal of an application for registration is not a bar to reapplication;
- the applicant may apply for judicial review to the High Court against the refusal; and
- of its decision and the reasons for the refusal.
Another area under the Act where case law may supplement the work of the DPC is found in Section 60, relating to exemptions and a certificate issued by the Minister. It provides as follows:
- a person who is directly affected by the issue of a certificate under this section may apply for judicial review at the High Court.
2. Scope of Application
2.1. Personal scope
The object of the DPC is to 'protect the privacy of the individual and personal data by regulating the processing of personal information, and provide the process to obtain, hold, use, or disclose personal information'.
The Data Protection Act also specifies the rights of law enforcement agencies responsible for the prevention, detection, investigation, prosecution, or punishment of offences in processing personal data. Provision is made for the law enforcement agencies responsible for:
- the enforcement of laws which impose a pecuniary penalty;
- the protection of national security in processing personal data; or
- concerning revenue collection, preparation, or conduct of proceedings before a court or tribunal that have been commenced or are reasonably contemplated.
2.2. Territorial scope
The Data Protection Act applies to a data controller in respect of data where:
- the data controller is established in this country and the data is processed in this country;
- the data controller is not established in this country but uses equipment or a data processor carrying on business in this country to process the data; or
- processing is in respect of information which originates partly or wholly from this country.
The effect of this approach is to ensure, among other things, that there is a certainty at all times as to who the data controllers are in respect of any form of data subject processing. It also ensures that where business process outsourcing ('BPO') operations are conducted wholly by a data processor in Ghana, the authorising data controller is identifiable at all times. It also ensures that in situations of the fluidity of data processing activities, which have the potential for multiple jurisdictional compliance claims, there is clarity of applicable jurisdictional regimes.
The laws of a nation do not have extraterritorial effect. This essentially means that no country can compel another country to apply its laws by the mere passage of those laws. The scope of a country's laws, however, may affect residents and non-residents in different jurisdictions depending on the scope and contents of such laws. Data protection law is one area where the impact falls on residents and data controllers both within and outside a country's territory. This is not a breach of the sovereignty of other nations; it is a recognition that, in the area of technology, sovereignty has impact within and beyond traditional borders. This is very prevalent in matters relating to the processing of data subject information. Data protection laws and directives seek to ensure that data subjects are not rendered helpless at the hands of data controllers. The data subject's primary right of privacy forms part of the focus of such data protection laws.
The Data Protection Act recognises this principle by making it mandatory for any person processing the data of individuals in third countries to ensure that processing is done in a manner consistent with the processing laws of those third countries. This is critical for the promotion and growth of the BPO sector. Similarly, it ensures that where there is a BPO outflow to third countries, such third country data controllers are required to comply with the provisions of the Data Protection Act in relation to the data subjects it covers. These are areas where further and specialised subsidiary legislation would provide the operational legal framework for deepening and operationalising the Data Protection Act further.
2.3. Material scope
Processing of personal data under Section 18 of the Data Protection Act must be done in a manner which ensures that the personal data is processed:
- without infringing the privacy rights of the data subject;
- in a lawful manner; and
- in a reasonable manner.
Special categories for which data processing is prohibited except within the limited scope prescribed are found in Section 37 of the Data Protection Act. They include data which relates to:
- a child who is under parental control in accordance with the law; or
- the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life, or criminal behaviour of an individual.
The areas of limited scope are prescribed in situations where:
- processing is necessary; or
- the data subject consents to the processing.
The processing of special personal data is necessary where it is for the exercise or performance of a right or an obligation conferred or imposed by law on an employer. The processing of special personal data must be presumed to be necessary where it is required:
- for the purpose of or in connection with a legal proceeding;
- to obtain legal advice;
- for the establishment, exercise, or defence of legal rights;
- in the course of the administration of justice; or
- for medical purposes and the processing is:
  - undertaken by a health professional; and
  - pursuant to a duty of confidentiality between patient and health professional.
Purely transitory data, that is, data which is transiting through networks and being routed through telecommunication networks and infrastructure, and which is not the subject matter of any intervention or activity of data controllers and data processors, is not covered under the Data Protection Act. It must be noted that transitory data, to the extent that it moves through a network, would form part of the security measures for which data controllers under the Data Protection Act would be required to take responsibility. Transitory data is treated as data which, subject to the qualification provided under the Constitution, ought to be given privacy-protected status under the Constitution.
Interception of such transitory data would be the subject matter of a different legal regime in situations where such data is related to national security or the prevention of crime. Monitoring by law enforcement agents under a different legal regime would apply where the exemptions provided under the Data Protection Act do not apply.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The main regulator under the Data Protection Act is the DPC, which has a statutorily prescribed board composition as outlined in Section 4 of the Data Protection Act.
3.2. Main powers, duties and responsibilities
The objectives of the DPC are as follows (Section 2 of the Data Protection Act):
- protect the privacy of the individual and personal data by regulating the processing of personal information; and
- provide the process to obtain, hold, use, or disclose personal information.
The DPC is required to implement and monitor compliance with the Data Protection Act, make the administrative arrangements it considers appropriate for the discharge of its duties, investigate any complaint under the Data Protection Act and determine it in the manner the DPC considers fair, and to keep and maintain the Register.
4. Key Definitions
Data controller: A person who either alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed (Article 96 of the Data Protection Act).
Data processor: The Data Protection Act defines a data processor in relation to personal data to mean 'any person other than an employee of the data controller who processes the data on behalf of the data controller' (Article 96 of the Data Protection Act). From the meaning of data processor under the Data Protection Act, a clear distinction is made between an employee of the data controller whose activities constitute the activities of the data controller and that of a data processor. In addition, the definition of the data processor subordinates the data processor to the data controller in the hierarchy of command in matters relating to personal data processing.
Personal data: Personal data is defined under the Data Protection Act to mean data about an individual who can be identified from the data or other information in the possession of or likely to come into the possession of the controller.
Sensitive data: Sensitive data is defined as information that relates to (Article 37 of the Data Protection Act):
- personal data relating to children;
- the race, colour, or ethnic or tribal origin of the data subject;
- the political opinion of the data subject;
- the religious beliefs or other beliefs of a similar nature, of the data subject;
- the physical, medical, mental health, or mental condition, or DNA of the data subject;
- the sexual orientation of the data subject;
- the commission or alleged commission of an offence by the individual; and
- proceedings for an offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court in the proceedings.
Health data: The Data Protection Act definition of 'medical purposes' includes the purposes of preventive medicine, medical diagnosis, medical research, provision of care and treatment, and the management of healthcare services by a medical or dental practitioner or a legally recognised traditional healer (Article 96 of the Data Protection Act).
Biometric data: Under the Interpretation Act, 2009, Act 792, technical words are to be interpreted according to the technical meaning accorded to them. This approach means that the definition of biometric data in different legislation in Ghana would determine the scope of this technical word. Where 'biometric' is used in any legislation which is to be construed by reference to an international industry term of art, then the meaning of such term of art would be given the same meaning for purposes of biometric data of a data subject under the Act.
Pseudonymisation: Under the Data Protection Act, personal data which is processed only for research purposes is exempt from its provisions if:
- the data is processed in compliance with the relevant conditions; and
- the results of the research or resulting statistics are not made available in a form which identifies the data subject or any of them.
The technical process of pseudonymisation where it achieves compliance with the provisions of the Data Protection Act therefore would be permissible as consistent with research purposes.
5. Legal Bases
5.1. Consent
The Data Protection Act requires that a person must not process personal data without the prior consent of the data subject unless the purpose for which the personal data is processed is (Section 20(2) of the Data Protection Act):
- necessary for the purpose of a contract to which the data subject is a party;
- authorised or required by law;
- to protect a legitimate interest of the data subject;
- necessary for the proper performance of a statutory duty; or
- necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.
A data subject may object to the processing of personal data, unless otherwise provided by law (Section 20(2) of the Data Protection Act). Where the data subject has objected to the processing of personal data, the person processing the personal data will stop the processing (Section 20(3) of the Data Protection Act).
Section 21(1) of the Data Protection Act states that personal data should be collected directly from the data subject. However, data may be collected indirectly where (Section 21(2) of the Data Protection Act):
- the data is contained in a public record;
- the data subject has deliberately made the data public; or
- the data subject has consented to the collection of the information from another source.
The Data Protection Act notes that a data controller who records personal data must not retain the personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed, except under certain exceptions, including where the data subject has consented to the retention of the record and where the personal data is retained for historical, statistical, or research purposes (Section 24 of the Data Protection Act).
In addition, where a data controller holds personal data collected in connection with a specific purpose, further processing of the personal data must be for that specific purpose.
The further processing of data is considered to be compatible with the purpose of collection where, among other things, the data subject consents to the further processing of the information (Section 25 of the Data Protection Act).
The Minister may through consultation with the DPC make supplementary regulations to specify further conditions for consent to be given (Section 94 of the Data Protection Act).
5.2. Contract with the data subject
Please see section on consent above.
In addition, the Data Protection Act establishes that where a data controller holds personal data collected in connection with a specific purpose, further processing of the personal data shall be for that specific purpose. A person who processes data shall take into account, among other things, the contractual rights and obligations between the data subject and the person who processes the data (Section 25 of the Data Protection Act).
Moreover, a data controller who records personal data must not retain the personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed, except under certain exceptions, including where retention of the record is required by virtue of a contract between the parties to the contract (Section 24 of the Data Protection Act).
5.3. Legal obligations
Please see section on consent above.
In addition, the Data Protection Act establishes that a data controller who records personal data must not retain the personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed, except under certain exceptions, including where the retention of the record is required or authorised by law or where the retention of the record is reasonably necessary for a lawful purpose related to a function or activity (Section 24 of the Data Protection Act).
5.4. Interests of the data subject
The Data Protection Act notes that unless otherwise provided for by the Act, a person must not process personal data which relates to (Section 37(1) of the Data Protection Act):
- a child who is under parental control in accordance with the law; or
- the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life, or criminal behaviour of an individual.
A data controller may process special personal data in accordance with the Data Protection Act where (Section 37(2) of the Data Protection Act):
- processing is necessary; or
- the data subject consents to the processing.
5.5. Public interest
The Data Protection Act sets out that processing of personal data is exempt from the provisions of the Act for the purposes of (Section 60(1) of the Data Protection Act):
- public order,
- public safety,
- public morality,
- national security, or
- public interest.
The Data Protection Act further requires that a person must not process personal data unless (Section 64 of the Data Protection Act):
- the processing is undertaken by a person for the publication of literary or artistic material;
- the data controller reasonably believes that the publication would be in the public interest; and
- the data controller reasonably believes that, in all the circumstances, compliance with the provision is incompatible with the special purposes.
Processing and the public good
The processing of personal data for the protection of members of the public in statutorily prescribed circumstances is permitted under the Data Protection Act, for example, against loss or malpractice in the provision of banking, insurance, investment, other financial services, or management of a body corporate.
Similarly, the processing is lawful where it aims to protect the public against dishonesty or malpractice in the provision of professional services or against the misconduct or mismanagement in the administration of a non-profit making entity amongst other situations. The Data Protection Act addresses in detail the processing of personal data for research purposes and issues relating to retention periods of such data.
5.6. Legitimate interests of the data controller
Please see section on consent above.
5.7. Legal bases in other instances
Indirect collection of personal data
To ensure that the data subject has some control over how their data is accessed in cases where there is no direct consent on their part, Section 21 of the Data Protection Act prescribes that personal data may be collected other than directly from the data subject in the following circumstances:
- the data is contained in a public record;
- the data subject has deliberately made the data public;
- the data subject has consented to the collection of the information from another source;
- the collection of the data from another source is not likely to prejudice a legitimate interest of the data subject;
- the collection of the data from another source is necessary:
  - for the prevention, detection, investigation, prosecution, or punishment of an offence or breach of law;
  - for the enforcement of a law which imposes a pecuniary penalty;
  - for the enforcement of a law which concerns revenue collection;
  - for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated;
  - for the protection of national security; or
  - for the protection of the interests of a responsible or third party to whom the information is supplied; or
- compliance would prejudice a lawful purpose for the collection; or
- compliance is not reasonably practicable.
Processing of data for historical, statistical, and research purposes
The circumstances under which the processing of personal data can be carried out for historical, statistical, or research purposes are set out under the Data Protection Act.
The further processing of data used for historical, statistical, or research purposes and the preconditions which must be put in place for such processing are provided under the Data Protection Act.
Processing in relation to religious or philosophical beliefs
Exceptions relating to the processing of personal data which relates to the religious or philosophical beliefs of a data subject are provided for under the Data Protection Act. This falls under the category of a spiritual or religious organisation or a branch of the organisation, and the processing must be in respect of persons who are members of the organisation.
For institutions founded on religious or philosophical principles, processing must be carried out with respect to the members, employees, or other persons belonging to the institution, consistent with the objects of the institution, and necessary to achieve the aims and principles of the institution.
Direct marketing
Use of data for direct marketing is regulated by the Data Protection Act, which provides that a data controller must not provide, use, obtain, or procure information related to a data subject for the purposes of direct marketing without the prior written consent of the data subject. Furthermore, a data subject is entitled at any time, by notice in writing to a data controller, to require the data controller not to process personal data of that data subject for the purposes of direct marketing.
In this regard, 'direct marketing' includes the communication by whatever means of any advertising or marketing material which is directed to particular individuals.
Employee data
With respect to the employer/employee relationship, the processing of data subject matters is regulated by the Data Protection Act. The employer is required, in all matters relating to such processing, to adhere to and take into account the privacy of the employee as a data subject by applying the principles of the Data Protection Act as listed above.
Where the processing relates to special personal data, this can only be done where such processing is necessary. The objective standard which an employer must satisfy is the ability to demonstrate that such processing is necessary for the exercise or performance of a right or an obligation conferred or imposed by law on an employer.
Automatic processing in the employment context
Under the law, where a decision which significantly affects an individual is based solely on automated processing, the data controller must, as soon as reasonably practicable, notify the individual that the decision was taken on that basis. The individual is then entitled, by notice in writing, to require the data controller to reconsider the decision within 21 days after receipt of the notification from the data controller. The data controller must, within 21 days after receipt of the notice, inform the individual in writing of the steps that the data controller intends to take to comply with the notice.
The areas of exemption for automated processing, which the employer has to demonstrate when challenged by the data subject or the DPC in relation to an investigation based on a complaint, include where the decision is made:
- in the course of considering whether to enter into a contract with the data subject;
- with a view to entering into the contract;
- in the course of the performance of the contract;
- for a purpose authorised or required by or under an enactment; or
- in other circumstances prescribed by the Minister.
6. Principles
The principles of data subject privacy which every data controller is obligated to take into account in processing data are:
- accountability;
- lawfulness of processing;
- specification of purpose;
- compatibility of further processing with purpose of collection;
- quality of information;
- openness;
- data security safeguards; and
- data subject participation.
7. Controller and Processor Obligations
Responsibilities
Section 17 of the Data Protection Act provides for the principles, as listed above, that every data controller and data processor is required to take into account.
Every person who processes personal data is required to ensure that such processing is done without infringing the privacy rights of the data subject, in a lawful and reasonable manner.
The Data Protection Act provides the data subject with a legislative standard by which the data controller's activities, which become the subject matter of dispute, may, among other things, be measured.
The Data Protection Act requires that personal data may only be processed if the purpose for which it is to be processed is necessary, relevant, and not excessive. These yardsticks must be used in measuring all claims by the data controller in determining the soliciting and processing of data subjects' information.
The requirement of the data subject's consent to the processing of personal data is a condition which must be fulfilled by the data controller unless the data controller can demonstrate that such processing is (Section 20 of the Data Protection Act):
- necessary for the purpose of a contract to which the data subject is a party;
- authorised or required by law;
- to protect a legitimate interest of the data subject;
- necessary for the proper performance of a statutory duty; or
- necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.
Matters to be used in the determination of the actions of a data controller are set out under the Data Protection Act. Data controllers are, therefore, given clear indications and pointers to actions which would be inconsistent with the Data Protection Act, leave their conduct open to challenge, and attract potentially applicable sanctions.
The Data Protection Act provides details of matters to be considered by data controllers in further processing of data. The Data Protection Act requires that the data subject must consent to the further processing of the information, or that the data be publicly available or have been made public by the person concerned, or that further processing be necessary:
- for the prevention, detection, investigation, prosecution, or punishment for an offence or breach of law;
- for the enforcement of a law which imposes a pecuniary penalty;
- for the enforcement of legislation that concerns the protection of revenue collection;
- for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated; or
- for the protection of national security.
The Data Protection Act provides for further processing of data which is necessary to prevent or mitigate a serious and imminent threat to public health or safety, or the life or health of the data subject or another individual.
7.1. Data processing notification
Registration by data controllers is a requirement under Section 27 of the Data Protection Act and concerns a registration, rather than a notification, process. It provides that a data controller who intends to process personal data must register with the DPC. An application for registration as a data controller has to be made in writing and must contain (Section 47(1) of the Act):
- the business name and address of the applicant;
- the name and address of the company's representative where the company is an external company;
- a description of the personal data to be processed and the category of persons whose personal data are to be collected;
- an indication as to whether the applicant holds or is likely to hold special personal data;
- a description of the purpose for which the personal data is being or is to be processed;
- a description of a recipient to whom the applicant intends to disclose the personal data;
- the name or description of the country to which the applicant may transfer the data;
- the class of persons or where practicable the names of persons whose personal data is held by the applicant;
- a general description of measures to be taken to secure the data; and
- any other information that the DPC may require.
If the data controller intends to keep personal data for two or more purposes, it must make a separate application for each purpose. The data controller must notify the DPC of any change in the registered particulars within 14 days (Section 55 of the Act).
A certificate of registration is issued which is valid for two years and must be renewed for as long as the person or entity continues to act as a data controller under the Data Protection Act.
An application for registration may be submitted on the DPC's Registration Portal.
In accordance with Section 49 of the Act, large data controllers and data processors must pay a registration fee of GHS 1,500 (approx. €220), medium controllers and processors GHS 750 (approx. €110), and small controllers and processors GHS 100 (approx. €15) (Page 13 of the Guidelines).
Data processors
The Guidelines state, 'Though not mandatory, data processors are also encouraged to register with the DPC to instil confidence when processing personal data on behalf of their customers (data controllers) who are mandated by law to register with DPC' (the Guidelines, page 3).
Assessable processing
Certain types of processing may constitute assessable processing (Section 57(1) of the Act). The DPC must assess whether the processing is likely to cause substantial damage or substantial distress to a data subject, or otherwise significantly prejudice the privacy rights of a data subject (Section 57(2) of the Act).
The DPC must, within 28 days of receiving the registration application, give the data controller notice of whether the processing is likely to comply with the provisions of the Act (Section 57(3) of the Act). The DPC may extend this initial period by up to 14 days, or by another period that the DPC specifies (Section 57(4) of the Act). Assessable processing must not be carried out until the data controller has received that notice from the DPC, or until 28 days have elapsed from the day the DPC received the application for assessment without a notice being given (Section 57(5) of the Act).
Exemptions
In regard to exemptions, the processing of personal data is exempt from the provisions of the Act (including the registration requirement) for the purposes of (Sections 60-74 of the Act):
- national security;
- crime and taxation;
- health, education, social work;
- regulatory activity;
- journalism, literature, art;
- research, history, statistics;
- disclosure required by law or made in connection with a legal proceeding;
- domestic purposes;
- confidential references given by the data controller;
- armed forces;
- judicial appointments and honours;
- public service or ministerial appointment;
- examination marks;
- examination scripts; or
- professional privilege.
7.2. Data transfers
The principles relating to data processing listed above are also applicable to data transfers.
Data transfers can arise on two fronts. Where a business process outsourcing ('BPO') operation processes, in Ghana, personal data of data subjects from a third country, the data controller must ensure compliance with the data protection laws of that third country which apply to those data subjects. In other words, a BPO business cannot rely on the Data Protection Act of Ghana to bring data into Ghana for processing where doing so violates the data protection laws of the data subject's own country.
The second front is where personal data protected by Ghana's Data Protection Act is outsourced to a BPO operation in a third country for processing. The Data Protection Act requires the third-country BPO business to comply strictly with its provisions, so that business can be held responsible and accountable to the DPC for any infraction affecting a data subject in Ghana whom the Data Protection Act protects.
7.3. Data processing records
The data retention principles carry with them an obligation to maintain records of processing and to ensure that data is not kept beyond the retention period.
7.4. Data protection impact assessment
A Data Protection Impact Assessment ('DPIA') is a practice that every data controller should commit to. The Data Protection Act places the DPC in a regulatory position vis-à-vis all data controllers, so data controllers ought to monitor their compliance continuously to ensure that there are no breaches of the Data Protection Act. Because the Act imposes a disclosure regime where security breaches occur, DPIAs are a core practice which every data controller ought to engage in, and any security breach or violation should trigger a DPIA.
The Data Protection Act requires that a data controller take the necessary steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate, reasonable, technical and organisational measures to prevent:
- loss of, damage to, or unauthorised destruction; and
- unlawful access to or unauthorised processing of personal data.
To give effect to this, the Act requires the data controller to take reasonable measures to:
- identify reasonably foreseeable internal and external risks to personal data under that person's possession or control;
- establish and maintain appropriate safeguards against the identified risks;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies.
A data controller is required to observe:
- generally accepted information security practices and procedure; and
- specific industry or professional rules and regulations.
These obligations form the basis of DPIA as a continuous culture rather than a knee-jerk response. Data security is treated as an imposed obligation to monitor, to take all reasonable steps to prevent compromise, and to notify data subjects of any breach or compromise of their data.
7.5. Data protection officer appointment
The Data Protection Act refers to data protection officers as data protection supervisors ('DPS'). It is not compulsory for data controllers to engage the services of a DPS.
DPS requirements and responsibilities
The DPS is responsible for monitoring the data controller's compliance with the provisions of the Data Protection Act. The DPS must also comply with any authorisation that imposes a duty on a DPS in relation to the DPC or confers a function on the DPC in relation to a DPS.
The DPS need not be a third-party institution; the supervisor may be an employee of the data controller.
Section 58 of the Data Protection Act makes clear that the appointment of a DPS is not legally mandated. Given the scope of the Data Protection Act and the definition of 'data controllers', it ought to be noted that DPS mandatory appointment can only be pursuant to an amendment to primary legislation. Encouragement to appoint a DPS must be based on analysis of the nature and extent of data processing and its implication for data subjects' risk, violations, and sharing of data between company groupings, affiliation, and direct marketing. It would be useful if the DPC would provide indicative advisory guidelines over time for applicants to consider in their decisions to engage a DPS.
A DPS must be certified and qualified (Section 58(1) of the Act). The DPC is to set the criteria for qualification, and a person who does not satisfy those criteria cannot be appointed as a DPS (Section 58(6) and (7) of the Act). The DPC has not yet issued such criteria.
7.6. Data breach notification
A data controller is required to observe generally accepted information security practices and procedure and specific industry or professional rules and regulations.
Each of these principles necessarily requires that any security breach is made known to the data subject in a timely manner, that the data controller takes steps to prevent further breaches, and that the data controller remains accountable to the data subject and provides the information necessary to enable the data subject to take remedial measures to further protect their privacy rights. The principle that the data subject has a right, as part of their privacy rights, to participate in matters relating to the processing of their data also imposes a disclosure obligation on the data controller.
The notice regimes under the Data Protection Act provide an additional timetable for compliance and investigation where data subjects make complaints, and the returns filed at renewal of registration require the data controller to make disclosures, some of which relate to security standards and breaches.
The Data Protection Act provides for the mandatory data subject and DPC notification in prescribed circumstances (Section 31 of the Data Protection Act). These include instances where there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by an unauthorised person. The notification is required to provide sufficient information to allow the data subject to take protective measures against the consequences of unauthorised access or acquisition of the data.
Notification must be made as soon as reasonably practicable after discovery of the unauthorised access or acquisition of the data. The data controller is also under a statutory obligation to take steps to restore the integrity of the information system. The notification to a data subject must be communicated by:
- registered mail to the last known residential or postal address of the data subject;
- electronic mail to the last known electronic mail address of the data subject;
- placement in a prominent position on the website of the responsible party;
- publication in the media; or
- any other manner that the DPC may direct.
Sectoral obligations
The Data Protection Act permits other supplemental sector-specific legislation to further add to the data subject's rights but not to detract from the Data Protection Act. The Credit Reporting Act, 2007 ('CRA') is one such piece of legislation.
7.7. Data retention
The Data Protection Act recognises that there is no one-size-fits-all approach to retention periods. There is also recognition that the period for which data subject records may be held are capable of being benchmarked against specific issues. One statutory prescribed retention principle is that a data controller must not retain the personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed unless:
- the retention of the record is required or authorised by law;
- the retention of the record is reasonably necessary for a lawful purpose related to a function or activity;
- retention of the record is required by virtue of a contract between the parties to the contract; or
- the data subject consents to the retention of the record.
The retention period for which personal data may be held may be the subject matter of specialised legislation relating to different aspects of activities. The actions of the data controller may trigger a data subject to submit a request for information, and in such circumstances, the data controller would be required to provide the requested information in line with the provisions of the Data Protection Act.
The data retention regime for personal data retained for historical, statistical, or research purposes provides for different treatment under the Data Protection Act. The data controller is required to ensure that records that contain personal data are adequately protected against access or use for unauthorised purposes.
The Data Protection Act treats the retention period as something to be computed from several sources: a specific period prescribed by law or under a contract, or the requirement that records remain available for the resolution of potential disputes between the parties. Under the Data Protection Act, where a person uses a record of the personal data of a data subject to make a decision about the data subject, that person is required to:
- retain the record for a period required or prescribed by law or a code of conduct; or
- where there is no law or code of conduct that provides for the retention period, retain the record for a period which will afford the data subject an opportunity to request access to the record.
The Act imposes an obligation on the data controller to destroy or delete a record of personal data, or to de-identify the record, at the expiry of the retention period.
The Data Protection Act provides for the standard to be complied with by data controllers in the destruction or deletion of a record of personal data, which aims to ensure that intelligible reconstruction is prevented.
Similarly, the Data Protection Act recognises the retention obligations under the CRA. It provides that an individual must not request information which is held beyond the retention period specified in Section 30 of the CRA unless the credit bureau has provided the information to third parties beyond that retention period.
7.8. Children's data
Under the provisions of the Children's Act, 1998, a child is a person who is below the age of 18 years. Under the Data Protection Act, the processing of data relating to a child who is under parental control in accordance with the law is prohibited unless otherwise provided by the Data Protection Act.
The Data Protection Act provides exemptions for processing that relates to medical purposes and for processing that is necessary. The latter would include the right of schools to process such data for the purpose of verifying age for the admission of infants and pupils to educational institutions and related matters. The principles relating to data processing are to be upheld at all times.
7.9. Special categories of personal data
The circumstances under which special personal data can be processed are set out under the Data Protection Act and include where processing is necessary, or where the data subject consents to such processing.
Unless otherwise provided by the Data Protection Act, a person must not process personal data which relates to:
- a child who is under parental control in accordance with the law; or
- the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life, or criminal behaviour of an individual.
Furthermore, a data controller may process special personal data in accordance with the Data Protection Act where:
- processing is necessary; or
- the data subject consents to the processing.
Special personal data may also be processed in the course of the legitimate activities of a body or association which:
- is established for non-profit purposes;
- exists for political, philosophical, religious, or trade union purposes;
- relates to individuals who are members of the body or association or have regular contact with the body or association in connection with its purposes; and
- does not involve disclosure of the personal data to a third party without the consent of the data subject.
The Data Protection Act defines 'necessary' to cover situations where the processing is for the exercise or performance of a right or an obligation conferred or imposed by law on an employer. Special personal data may also be processed where the processing is necessary for the protection of the vital interests of the data subject, in a case where (Section 37(4) of the Data Protection Act):
- it is impossible for consent to be given by or on behalf of the data subject;
- the data controller cannot reasonably be expected to obtain the consent of the data subject; or
- consent by or on behalf of the data subject has been unreasonably withheld.
The scope of activities under which special personal data may be processed which would constitute legitimate activities of a body or association and the circumstances under which the processing of special personal data is presumed necessary are set out under Section 37 of the Data Protection Act and include the following:
- for purposes relating to legal proceedings;
- obtaining legal advice;
- in the exercise or defence of legal rights;
- administration of justice; and
- for medical purposes where this is undertaken by a health professional, and pursuant to a duty of confidentiality between patient and health professional.
Under the Data Protection Act, the Minister may, in consultation with the DPC, by legislative instrument prescribe further conditions which may be taken by a data controller for the maintenance of appropriate safeguards for the rights and freedoms of a data subject in relation to the processing of special personal data.
Under the Data Protection Act the processing of personal data is exempt from the provisions of the Act for the purposes of:
- public order;
- public safety;
- public morality;
- national security; or
- public interest.
Provisions are made in the law for challenge and for judicial review of processing which is certified as exempt processing under the Data Protection Act.
7.10. Controller and processor contracts
The Data Protection Act provides for BPO work from foreign-based data controllers and imposes obligations on data processors in Ghana to ensure that, where personal data originating from a foreign jurisdiction is sent to Ghana for processing, the processing complies with the data protection legislation of that foreign jurisdiction.
The Data Protection Act requires that in respect of data subjects whose rights are governed by the laws of Ghana, data controllers comply with the provisions of the Data Protection Act. A data controller must ensure that a data processor that processes personal data for the data controller establishes and complies with the security measures specified under the Data Protection Act.
This means that outsourcing of data processing is permitted but the data controllers are not relieved of their compliance obligations under the Data Protection Act. Any outsourcing of 'foreign-based' data controller processing of matters subject to the Data Protection Act must ensure compliance and registration within the requirements of the Data Protection Act. Where the data processor is not domiciled in Ghana, the data controller shall ensure that the data processor complies with the relevant laws of Ghana.
Furthermore, the Data Protection Act sets out that the processing of personal data for a data controller by a data processor must be governed by a written contract (Section 30(3) of the Data Protection Act). Such a contract must require the data processor to establish and maintain the confidentiality and security measures necessary to ensure the integrity of the personal data (Section 30(4) of the Data Protection Act).
8. Data Subject Rights
The data subject is guaranteed the right to privacy under the Constitution. The Data Protection Act covers this privacy right of the individual insofar as it relates to the processing of data subjects' material. An obligation is imposed on anyone who processes data subject information to ensure respect for such privacy rights.
Right to require privacy balance
The Data Protection Act concerns the data subject's rights to information and to control over how their data is processed. The commercial interests of data controllers are also taken into account by requiring that the costs associated with providing that information be borne by the data subject. This ensures that the administrative cost to data controllers of responding to such requests does not adversely and disproportionately impact their operational costs or business.
The legislation requires proof of identity from a requesting data subject in order to eliminate erroneous claims which waste the data controller's time and resources. The scope of such a request may cover whether the data controller holds personal data about that data subject, a description of the personal data held, including data about the identity of a third party or a category of third party who has or has had access to the information, and the correction of data held on the data subject by the data controller. The information must be provided within a reasonable time, after payment of the prescribed fee, if any, in a reasonable manner and format, and in a form that is generally understandable.
8.1. Right to be informed
Section 23 of the Data Protection Act provides that a data controller who collects data shall take the necessary steps to ensure that the data subject is aware of the purpose of the collection.
In addition, where a decision is made solely by automated processing, the data controller must notify the data subject as soon as reasonably practicable. The data subject is entitled, within 21 days after receipt of the notification, to require the data controller to reconsider the decision. The data controller then has 21 days after receipt of that notice to inform the individual in writing of the steps it intends to take to comply with the notice.
8.2. Right to access
Section 32 of the Data Protection Act provides that a data subject who provides proof of identity may request a data controller to:
- confirm at reasonable cost to the data subject whether or not the data controller holds personal data about that data subject;
- give a description of the personal data which is held by the party including data about the identity of a third party or a category of a third party who has or has had access to the information; and
- correct data held on the data subject by the data controller.
The right of access underlies the privacy rights on which the Data Protection Principles are founded. Each of those principles acknowledges the data subject's right of access as the means of ensuring that the principles are adhered to in all processing of data subject information. The right to make inquiries, to demand disclosures, to complain to the DPC about violations, and to know the content of data held by data controllers are all features of the data subject's right of access. The Data Protection Act balances this right against the need for a data controller's business not to be crippled by access demands, and against the frequency at which such demands cease to be reasonable requests and become business disruption.
8.3. Right to rectification
Right of correction or deletion
The data subject has the right, under statutorily prescribed conditions, to request a data controller to correct or delete personal data about the data subject, or to destroy or delete a record of personal data about the data subject (Section 33 of the Data Protection Act). The Data Protection Act provides a procedure to be followed where the data controller contests the request and the parties are unable to reach an agreement. Where the data controller complies with the data subject's request, the Data Protection Act requires the data controller to notify all third parties to whom the incorrect information has been provided, and to notify the data subject of the steps taken.
8.4. Right to erasure
Rights to require deletion, blockage, or compel processing disclosures
The data subject has rights to request rectification, blockage, erasure, and destruction of data under statutorily prescribed conditions and situations.
The Data Protection Act also prescribes disclosures which data controllers are prohibited from making, together with the exceptions to those prohibitions. These include disclosures of personal data relating to the physical or mental health or condition of individuals held by educational institutions in relation to pupils, or other personal data of a similar description (Section 62 of the Data Protection Act).
8.5. Right to object/opt-out
Right of objection to processing
The data subject is given the right to object to the processing of personal data. Processes and procedures are laid under the Data Protection Act to deal with such objections and in the event of disputes between the data subject and the data controller, an adjudication mechanism has been put in place to address this.
Data controllers and data processors are required to make disclosures to the data subject where there are reasonable grounds to believe that such data has been accessed or acquired by an unauthorised person.
Right to stop processing
A data subject who believes that prohibited processing is being carried out has the right to have it stopped. The data subject has a statutory right to issue a notice in writing to the data controller requiring it to provide particulars of the processing. Where the response indicates a violation of the data subject's rights, the Act provides mechanisms for redress and a sanction regime for processing contrary to its provisions.
8.6. Right to data portability
It is important to note that the Data Protection Act and its principles are technology neutral. This means that changes in technology do not necessarily require amendments to the Data Protection Act in order to require compliance.
Data portability, by contrast, is technology specific: it arises from the capabilities of hardware and software and their application to data. Where such technology is applied to data subject information, the resulting questions are described as data portability issues.
Whilst data portability is a matter addressed by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), the absence of mention of data portability in Ghanaian legislation does not relieve any data controller from adherence to the principles of privacy of data subject information which ought to be complied with under all applications of existing and new technology.
Data portability acknowledges, in clear and unambiguous terms, a deeper right of data subject participation. It underlines the principle which holds the data controller accountable to the data subject, and it establishes that where technology makes such information capable of being transmitted, it must be transmitted with the consent of the data subject, without prejudice to the rights of the data controller required to transmit it. It reinforces privacy as a right of the data subject and not of the data controller.
The data subject's right to participation is one acknowledged as a statutory right of the data subject and therefore the absence of the term data portability in the Data Protection Act does not prevent the data subject from asserting the same. It creates the need for the more proactive use of guidelines to be provided by the DPC as technology evolves and new uses and potential application to data subject matter arises.
8.7. Right not to be subject to automated decision-making
Automated processing and decisions
The data subject's right to be notified of, and to require reconsideration of, a decision made solely by automated processing is described under section 8.1 above. Where a dispute arises between the data subject and the data controller in such matters, the DPC may, following an investigation of the data subject's complaint, order the data controller to comply.
8.8. Other rights
Additional rights
The right exists to have the DPC's decisions reviewed where they are inconsistent with the provision of the Data Protection Act or other relevant and applicable laws.
The Data Protection Act acknowledges that additional legislation may give the data subject rights beyond and in addition to those prescribed by the Data Protection Act. The Data Protection Act makes it clear that such legislation can only add to, but not erode, existing data subject rights under the Data Protection Act. The Right to Information Act, 2019 was enacted on 26 March 2019 and, among other things, mandates that timely response be given to any citizen who asks for information.
The CRA is another piece of legislation which impacts data subject rights. The Data Protection Act harmonises data controller obligations and data subject rights under the CRA. This is due to the fact that the Data Protection Act would be the law according to which a 'data controller' within the meaning of the CRA is required to register as a data controller. Such a data controller would be required to comply with the provisions of the Data Protection Act.
Protection from unwarranted damage and distress
The Data Protection Act also prohibits the processing of information which would cause unwarranted damage or distress to an individual as a privacy violation issue. The data subject has a right to request such data controller to cease or not begin processing such personal data.
Protection from direct marketing
The use of data subject information for direct marketing is prohibited under the Data Protection Act unless prior written consent has been obtained from the data subject. Even where consent has been obtained, the data subject has the right at any future date, by notice in writing, to require the data controller not to process the data subject's personal data for direct marketing purposes. Direct marketing is defined under the Data Protection Act to include 'the communication by whatever means of any advertising or marketing material which is directed to particular individuals' (Section 40(4) of the Data Protection Act).
Expansions of assessable processing
The Data Protection Act provides for the expansion, by the Minister through an Executive Instrument, of the matters which may be described as assessable processing (Article 57(1) of the Data Protection Act). Such an instrument must specify the actions which constitute assessable processing, and these must be matters in which processing is likely to cause substantial damage or substantial distress to a data subject, or otherwise significantly prejudice the privacy rights of a data subject.
The Data Protection Act is similarly drafted in a manner which ensures that the rights of foreign data subjects are not violated by data processors. This is done by requiring that data processors ensure that personal data is processed in compliance with the data protection legislation of the foreign jurisdiction of that data subject where personal data originating from that jurisdiction is sent to Ghana for processing.
Because the registration regime applies to data controllers, this drafting ensures that data processors cannot engage in rogue processing. It also ensures that a data processor cannot raise the defence of a legislative void in the control of its activities.
The effect of the legislation is to make it practically difficult for any data controller to feign ignorance about any activity of the data processor inconsistent with the Data Protection Act or data controller obligations.
Additional data subject rights regimes
The Data Protection Act recognises that additional data subject rights may arise under particular technical legislation. For example, in the case of credit reporting, the CRA deals with credit bureaus and credit reporting and provides for related matters. Whilst all data controllers must comply with the Data Protection Act, persons and data subjects under the CRA have unique features which add to data subject rights.
This is captured in the Data Protection Act, which provides that where the data controller is a credit bureau within the meaning of the CRA, a request for information by a data subject must, in addition to the requirements specified under the CRA, be subject to the Act's own provisions, as stipulated by Article 36 of the Data Protection Act.
As outlined in Article 36(2)(a) and (b) of the Data Protection Act, a data subject who makes a request for information from a data controller may limit the request to personal data relevant to the data subject's financial standing and history for the period which precedes 12 months after the date of the request, and is considered to have so limited the request unless the request shows a contrary intention.
9. Penalties
The Data Protection Act provides an uncomplicated and transparent manner to provide prima facie evidence before the court where data subject processing disputes become the subject matter of litigation. A process of judicial review is also provided under the Data Protection Act for challenges where the defence of exempt processing is claimed.
Damage, distress, and sanctions
The Data Protection Act provides for sanctions where an individual suffers damage or distress through the contravention by a data controller of the requirements of the Data Protection Act. Such an individual is entitled to compensation from the data controller for damage or distress.
Assessable processing and sanctions
A data controller who contravenes the prohibition of assessable processing in matters provided under the Data Protection Act commits an offence and is liable on summary conviction to a fine of not more than 250 penalty units and/or a term of imprisonment of not more than two years.
Notices and sanctions
The DPC has power, in respect of a contravention of the data protection principles, to serve the data controller with an enforcement notice. This notice may require the data controller:
- to take, or refrain from taking, the steps specified within the time stated in the notice;
- to refrain from processing any personal data, or personal data of a description specified in the notice; or
- to refrain from processing personal data, or personal data of a description specified in the notice, for the purposes specified or in the manner specified after the time specified.
An enforcement notice may also require the data controller to rectify, block, erase, or destroy other data held by the data controller.
Following complaints received from the data subject, the DPC has the authority to issue an information notice to the data controller specifying the contravention and to give the data controller notice to cease processing personal data.
There are sanctions and penalties for non-compliance with information or enforcement notices issued by the DPC. Data controllers defaulting in this way commit an offence and are liable on summary conviction to a fine of not more than 150 penalty units or to a term of imprisonment of not more than one year or to both.
Trading of personal data and sanctions
The trading of personal data is prohibited under the Data Protection Act. It is an offence to engage in such activity, and the perpetrator is liable on summary conviction to a fine of not more than 250 penalty units and/or a term of imprisonment of not more than two years.
Selling of personal data and sanctions
A person who sells or offers to sell the personal data of another person commits an offence and is liable on summary conviction to a fine of not more than 2,500 penalty units and/or a term of imprisonment of not more than five years. The sale or offer to sell personal data includes an advertisement which indicates that personal data is or may be for sale. The Data Protection Act thereby ensures that the constitutional protection is safeguarded.
Offences and sanctions under the Data Protection Act
The Data Protection Act provides for penalty provisions to be made in respect of offences created under the Regulations.
9.1 Enforcement decisions
The website of the DPC does not as yet provide details of enforcement notices which have been issued or decisions given. Nor does it as yet provide details of complaints received and the data controllers against whom such complaints have been lodged and are pending, concluded, or resolved.
The DPC provided a period of amnesty as part of the process of deepening education and awareness of the Data Protection Act. This was considered necessary for stakeholder ownership and participation and for deepening education and awareness of data subject rights.
As subsidiary legislation under the Data Protection Act is developed, more details of the complaint process, the publication of complaints, and the publication of enforcement notices and decisions would be addressed. The existing Act provides the primary legal framework, which such subsidiary legislation would deepen and improve.