Data Protection Act, 2012 (Act 843) ('Act').
Definition of personal data
Personal data is defined as:
- data about an individual who can be identified either:
- from the data, or
- from the data and other information in the possession of, or likely to come into the possession of the data controller.
Definition of sensitive personal data
The Act does not make provision for 'sensitive personal data'. However, 'special personal data' is defined as personal data which relates to:
- a child who is under parental control in accordance with the law, or
- the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life or criminal behavior of an individual.
Data Protection Commission ('Commission')
Room No. 51
Ministry of Communications
P.O. Box CT 7195
Tel: +233 302 631 455
A data controller who intends to process personal data is required to register with the Data Protection Commission. A data controller who is not incorporated in Ghana must register as an external company.
There is an obligation under the Act for data controllers to appoint data protection officers.
A person shall collect data directly from the data subject unless:
- the data is contained in a public record
- the data subject has deliberately made the data public
- the data subject has consented to the collection of the information from another source
- the collection of the data from another source is unlikely to prejudice a legitimate interest of the data subject
- the collection of the data from another source is necessary for a number of expressly designated purposes (for example the detection or punishment of an offence or breach of law)
- compliance would prejudice a lawful purpose for the collection
- compliance is not reasonably practicable.
A data controller must also ensure that the data subject is aware of:
- the nature of the data being collected
- the name and address of the person responsible for the collection
- the purpose for which the data is required for collection
- whether or not the supply of the data by the data subject is discretionary or mandatory
- the consequences of failure to provide the data
- the authorized requirement for the collection of the information or the requirement by law for its collection
- the recipient of the data
- the nature or category of the data
- the existence of the right of access to and the right to request rectification of the data collected before the collection.
Where collection is carried out by a third party on behalf of the data controller, the third party must ensure that the data subject has the information listed above.
There are no specific provisions in the Act on the transfer of personal data. However, the sale, purchase, knowing or reckless disclosure of personal data or information is prohibited.
A person who knowingly or recklessly discloses personal data is liable on summary conviction to a fine of not more than 250 penalty units or to a term of imprisonment of not more than 2 years or to both. A person who sells or offers for sale personal data is liable on summary conviction to a fine of not more than 2500 penalty units or to a term of imprisonment of not more than five years or to both a fine and a term of imprisonment.
A penalty unit is equivalent to GHS12 (approximately USD $4.00).
A data controller is required to take steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate, reasonable, technical and organisational measures to prevent:
- loss of, damage to, or unauthorised destruction
- unlawful access to or unauthorised processing of personal data.
Where there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by an unauthorised person, the data controller or a third party who processes data under the authority of the data controller shall notify the Commission and the data subject of the unauthorised access or acquisition as soon as reasonably practicable after the discovery of the unauthorised access or acquisition of the data. The data controller shall take steps to ensure the restoration of the integrity of the information system.
The data controller shall delay the notification to the data subject where the security agencies or the Data Protection Commission inform the data controller that the notification will impede a criminal investigation.
Where the Commission is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commission shall serve the data controller with an enforcement notice to require the data controller to do any of the following:
- to take or refrain from taking the steps specified within the time stated in the notice
- to refrain from processing any personal data or personal data of a description specified in the notice
- to refrain from processing personal data or personal data of a description specified in the notice for the purposes specified or in the manner specified after the time specified.
A person who fails to comply with an enforcement notice commits an offence and is liable on summary conviction to a fine of not more than one hundred and fifty penalty units or to a term of imprisonment of not more than one year or to both. A penalty unit is equivalent to GHS12 (approximately USD $4.00).
Further, an individual who suffers damage or distress through the contravention of the data protection obligations by a data controller is entitled to compensation from the data controller for the damage or distress.
The Act prohibits a data controller from using, obtaining, procuring or providing information related to a data subject for the purpose of direct marketing without the prior written consent of the data subject. However, there are no provisions that relate specifically to electronic marketing.
There are no specific provisions in relation to online privacy. However, a data controller is generally required to take necessary steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate, reasonable, technical and organisational measures.