Financial Crime World

Data Protection Act 2012 in Ghana: A Comprehensive Guide
=====================================================

Definition of Personal Data


The Data Protection Act 2012 in Ghana provides a clear definition of personal data, which is essential for understanding the scope of the Act.

What is Personal Data?


  • Information relating to an identified or identifiable natural person: This includes any information that can be used to identify a living individual.
  • Electronic or physical form: The Act applies to both electronic and physical forms of personal data.

Data Protection Principles


The Act outlines several principles that guide the processing of personal data in Ghana.

Key Principles


  • Processing without infringing privacy rights: A data controller must ensure that personal data is processed in a way that respects the privacy rights of the data subject.
  • Lawful and reasonable manner: Processing must be done in a lawful and reasonable manner, taking into account the interests of the data subject.

Collection of Personal Data


When collecting personal data, data controllers have several obligations to ensure transparency and fairness.

Requirements for Collection


  • Awareness of data collection: The data subject must be aware of:
    • The nature of the data being collected
    • The name and address of the person responsible for the collection
    • The purpose for which the data is being collected
    • Whether the supply of the data by the data subject is discretionary or mandatory
    • The consequences of failure to provide the data
    • The authorized requirement for the collection of the information or the requirement by law for its collection
    • The recipient of the data
    • The nature or category of the data
    • The existence of the right of access to and the right to request correction or erasure

Transfer of Personal Data


Data controllers must ensure that personal data is not transferred outside Ghana without adequate safeguards for its protection.

Safeguards for Protection


  • Adequate measures: A data controller must implement measures to prevent unauthorized access, disclosure, alteration, or destruction of personal data.

Breach Notification


In the event of a breach that affects the rights and freedoms of individuals, a data controller must notify the Data Protection Commission within 72 hours.

Notification Requirements


  • Notification within 72 hours: A data controller must notify the Data Protection Commission within 72 hours in case of a breach that affects the rights and freedoms of individuals.

Accountability


Data controllers are accountable for ensuring compliance with the Act, and the Data Protection Commission may investigate any complaint or report of non-compliance.

Responsibilities


  • Ensuring compliance: A data controller is accountable for ensuring compliance with the Act.
  • Investigation by the Commission: The Data Protection Commission may investigate any complaint or report of non-compliance.

Training and Supervision


Large data controllers must have a certified data protection supervisor who has undergone training with the Commission, and will be required to produce various policies and plans related to data protection.

Requirements for Large Data Controllers


  • Certified data protection supervisor: A large data controller must have a certified data protection supervisor who has undergone training with the Commission.
  • Policies and plans: The data controller will be required to produce a data protection policy, a data protection impact assessment, a data retention policy, and an incident report plan, as well as a breach report, which should include all breaches no matter the magnitude.

Electronic Marketing


The Act prohibits a data controller from using, obtaining, procuring or providing information related to a data subject for the purpose of direct marketing without the prior written consent of the data subject.

Prohibition on Direct Marketing


  • Prior written consent: The Act prohibits a data controller from using, obtaining, procuring or providing information related to a data subject for the purpose of direct marketing without the prior written consent of the data subject.

Online Privacy


The Data Protection Commission shall not grant an application for registration as a data controller where the appropriate safeguards for the protection of the privacy of the data subject have not been provided by the data controller.

Safeguards for Protection


  • Appropriate safeguards: The Data Protection Commission shall not grant an application for registration as a data controller where the appropriate safeguards for the protection of the privacy of the data subject have not been provided by the data controller.