Global Data Privacy Guide
Ghana (Africa)
Firm: Bentsi-Enchill, Letsa & Ankomah
Contributors: Susan-Barbara Boye, Nana Ama Asare
Updated 18 Aug 2023

What is the key legislation?
The 1992 Constitution of the Republic of Ghana guarantees the privacy of an individual’s correspondence and communication under Article 18 (2). The Data Protection Act, 2012 (Act 843) ("DPA") is the key legislation that governs the processing of personal data in Ghana. The DPA was enacted to give effect to Article 18 (2) in order to protect the privacy and data of an individual, especially in a digital society.

What data is protected?
The DPA protects data that enables a person to be identified from the information in the possession of, or likely to come into the possession of, the data controller. The DPA also protects information about a person’s race, ethnic origin, political opinion, religious belief, physical and mental health, criminal record, and sexual orientation.

Who is subject to privacy obligations?
Under the DPA, data controllers and data processors are subject to privacy obligations. A data controller is a natural or legal person who determines the purposes and manner in which personal data is processed, either alone or in collaboration with others. A data processor is anyone who processes data on behalf of a data controller and is not an employee of the data controller.

What are the principles applicable to personal data processing?
The principles of accountability, lawfulness of processing, specification of purpose, compatibility of further processing with the purpose of collection, quality of information, openness, data security safeguards and data subject participation apply to the processing of personal data.

How is the processing of personal data regulated?
Under the DPA, personal data must be processed without infringing on the data subject’s privacy rights and in a lawful and reasonable manner.

Consent and justification for processing data
Processing of personal data must be based on the consent of the data subject unless the processing is justified by another legal basis. Under the DPA, the other legal bases include processing that is necessary for a contract to which the data subject is a party, processing authorized by law or by a statutory duty, and processing in the legitimate interest of the data subject or the data controller.

Processing of special personal data
The DPA specifically provides for the processing of data relating to a child and of special personal data. Special personal data may only be processed with the consent of the data subject or where the processing is necessary. The DPA sets out the grounds on which data processing is considered necessary.

Exemptions
The DPA stipulates the circumstances under which the processing of personal data is exempt from (i) the provisions of the DPA, (ii) the data protection principles, and (iii) the provisions on non-disclosure.

How are storage, security and retention of personal data regulated?

Security
A data controller must secure the integrity of personal data by adopting appropriate, reasonable, technical and organizational measures to prevent loss of, damage to, unauthorized destruction of, unlawful access to or unauthorized processing of personal data. Additionally, a data controller must take reasonable measures to identify reasonably foreseeable external and internal risks to personal data, provide safeguards against the risks identified, regularly verify that the safeguards are effectively implemented, and ensure that the safeguards are continually updated in response to new risks or deficiencies.
A data controller must ensure that a data processor who processes personal data for the data controller establishes and complies with the security measures in the DPA.

Retention
Personal data must not be retained for a period longer than is necessary for achieving the purpose of its collection, unless the retention of the data is required by law, by virtue of a contract between the contracting parties, or with the consent of the data subject. This requirement does not apply to personal data records kept for historical, statistical or research purposes. When the retention period expires, the data controller must destroy or delete the record of personal data or de-identify the record. The destruction or deletion of personal data must be done in a way that prevents its reconstruction in an intelligible form.

Storage
The DPA does not have any storage-related provisions other than those relating to security and retention. Although storage is not specifically mentioned, the definition of processing under the DPA implies that storing data is processing, since processing includes collection, organization, consultation and retrieval.

What are the data subjects' rights?
The data subject rights under the DPA are:
- the right to be informed about data collection and its intended purpose;
- the right to be notified of an unauthorized access or acquisition of personal data, subject to a request by the Data Protection Commission or security agencies to delay the notification;
- the right to know whether a data controller has the personal data of the data subject, the description of the data held and whether a third party has had access to the data;
- the right to request that a data controller correct or delete personal data of the data subject under the data controller’s control that is inaccurate, irrelevant, excessive, incomplete or unlawfully obtained;
- the right to request that a data controller delete or destroy personal data of the data subject held by the data controller which the data controller no longer has the authority to retain;
- the right to object to the processing of the data subject’s personal data;
- the right not to be subjected to a decision based solely on automated processing;
- the right to require a data controller to cease, or not to begin, processing personal data for a specified purpose or in a specified manner where that processing causes or is likely to cause unwarranted damage or distress to the data subject;
- the right to require a data controller not to process personal data for direct marketing purposes; and
- the right to receive compensation for damage or distress caused by a data controller’s contravention of the DPA’s requirements.

Are there restrictions on cross-border data transfers?
There are no restrictions on cross-border data transfers. Processing of personal data originating entirely or partially from Ghana must be done in accordance with the provisions of the DPA. A data controller must obtain the prior consent of the data subject for the processing of the personal data, which includes the transfer of the data. A data controller or processor must ensure that data relating to foreign data subjects is processed in accordance with the data protection legislation of the foreign jurisdiction of that subject.

Are there any notification requirements for data breaches?
Under the DPA, a data controller or a third party processing the data must notify the Commission and the data subject if there is a reasonable basis to believe that the data being processed has been accessed or acquired by an unauthorized person. The notification must be made as soon as reasonably practicable after discovering the breach. The notification to the data subject may be delayed if the Data Protection Commission and security agencies notify the data controller to delay the notification because of a criminal investigation.
The notification to a data subject may be communicated by registered mail to the data subject’s last known residential or postal address or email address, on the data controller’s or the third-party processor’s website, or by publication in the media. A notification must provide sufficient information to allow the data subject to take protective measures against the consequences of the data breach. The notification must include, if known to the data controller, the identity of the unauthorized person who may have accessed or acquired the personal data.

Who is the privacy regulator?
The Data Protection Commission ("DPC") is the body established under the DPA to implement and ensure compliance with the provisions of the DPA.

What are the consequences of a privacy breach?
The DPA provides penalties for specific data protection breaches and a general penalty for offenses for which specific penalties are not stated. The general penalty for an offense under the DPA is a fine of not more than GHS 60,000 or a term of imprisonment of not more than ten years, or both.

Non-compliance with notices from the DPC
Under the DPA, a person who fails to comply with an enforcement or information notice commits an offense and is liable to a fine of not more than GHS 1,800 or a term of imprisonment of not more than one (1) year, or both. The DPA explains the situations in which an enforcement or information notice may be issued.

Compensation
A person who suffers damage or distress as a result of a data controller's breach of the provisions of the DPA is entitled to compensation from the data controller.

How is electronic marketing regulated?
Electronic marketing requires prior consent and the ability to opt out.
The DPA prohibits a data controller from providing, using or procuring information related to a data subject for direct marketing without the prior written consent of the data subject. A data subject has the right to require a data controller not to process personal data of that data subject for the purposes of direct marketing. Direct marketing is communication, by whatever means, of any advertising or marketing material that is directed to particular individuals.
Under the Electronic Transactions Act, 2008 ("Act 772"), a person may not send unsolicited electronic communications to a consumer without first obtaining the consumer’s prior consent. In addition, the sender must provide the consumer with (a) the option to cancel the consumer's subscription to the sender's mailing list, and (b) at the consumer's request, the identifying particulars of the source from which the sender obtained the consumer's personal information.

Are there any recent developments or expected reforms?
The Data Protection Commission is developing a legislative instrument to be used in conjunction with the DPA.