Financial Crime World

Data Protection Act in Ghana: Key Provisions

The Data Protection Act (DPA) in Ghana aims to regulate the collection, processing, and transfer of personal data within the country. The following are key provisions related to data protection:

Establishment of the Data Protection Authority

The Cyber Security Authority will establish and operate the Data Protection Commission (DPC), responsible for regulating the collection, processing, and transfer of personal data.

Principles of Data Protection

The following principles must be applied when processing personal data:

  • Necessity: Personal data may only be processed if the purpose is necessary.
  • Relevance: The purpose must be relevant to the processing.
  • Non-excessiveness: The processing must not be excessive in relation to the purpose.

A person who processes data must apply principles including:

  • Accountability
  • Lawfulness
  • Specification of purpose
  • Quality of information
  • Openness
  • Data security safeguards
  • Data subject participation

Personal data cannot be processed without consent, unless it’s for a contract-related purpose, authorized or required by law, necessary to protect a legitimate interest, or necessary for a statutory duty.

If a data subject objects to processing, the person must stop processing their personal data.

Special (Sensitive) Personal Data

Processing of special personal data is prohibited except with consent, or when necessary for the exercise or performance of a right or obligation under law on an employer. Consent can be implied if impossible to obtain, or where it’s unreasonable to expect the data subject to provide consent.

Registration and Notification Requirements

A data controller must register with the DPC and pay a registration fee before processing personal data. The application for registration must include information such as:

  • The type of data being processed
  • Purpose of processing
  • Measures taken to secure the data

Cross-Border Transfers

There are no restrictions on cross-border transfers of personal data, as long as the recipient meets the same data protection standards required in Ghana.