Data Protection for Individuals

OVERVIEW OF DATA PROTECTION ACT, 2012 (ACT 843)

The Data Protection Act, 2012 (Act 843) sets out the rules and principles governing the collection, use, disclosure and care of your personal data or information by a data controller or processor. It recognises a person's rights (data subject rights) over their personal data or information by mandating a data controller or processor to process (collect, use, disclose, erase, etc.) such personal data or information in accordance with those rights. The Act also established the Data Protection Commission as an independent statutory body to ensure and enforce compliance.

WHY DATA PROTECTION?

In Ghana, the recognition of the right to privacy with respect to the processing of personal data or information led to the passage of Act 843 to further guarantee the right to privacy enshrined under Article 18(2) of the 1992 Constitution.

Large amounts of personal data generated in the country are kept across servers, networks and various filing systems in different locations (electronic and manual), locally and abroad. This data can be shared by different legal and natural persons, across borders, and in a manner that the data subject could not have envisaged at the time the information was first given. The information systems used to collect and store such personal information can therefore pose considerable challenges to one's right to privacy. As this trend continues to grow rapidly, with progressively sophisticated technology able to hold ever larger amounts of information, it is necessary to address privacy concerns with data protection laws.

HOW DOES ACT 843 WORK?

The Act provides standard principles that must be complied with by all who process personal information across the country and beyond. The law applies to all forms of personal data or information stored on both electronic and non-electronic platforms.

The Act is premised on the fundamental rule that all who process personal data must take into consideration the right of that individual to the privacy of his or her communications. This recognition by a data controller or processor should lead to the application of the following eight (8) basic principles while processing such information.

    • Accountability,
    • Lawfulness Of Processing,
    • Specification Of Purpose,
    • Compatibility Of Further Processing With Purpose Of Collection,
    • Quality Of Information,
    • Openness,
    • Data Security Safeguards, and
    • Data Subject Participation.

Each of the principles is explained in detail below.

WHEN DOES THE DATA PROTECTION ACT COME INTO EFFECT?

The Act was assented to in May 2012 and came into force in accordance with Section 99 of Act 843 on 16th October 2012. Registration of data controllers and data processors will start from 1st January 2015. Prior to registration, the Commission urges all data controllers and processors to start self-regulatory processes to ensure their compliance by reviewing their data protection policies in line with the Act.
The Data Protection Act, 2012 (Act 843) is premised on the fundamental rule that all who process personal data must take into consideration the right of that individual to the privacy of his or her communications.

This recognition by a data controller or processor should lead to the application of the 8 basic principles for processing personal information. The Act sets out the 8 data protection principles under Section 17 as follows:

    • Accountability
    • Lawfulness Of Processing
    • Specification Of Purpose
    • Compatibility Of Further Processing With Purpose Of Collection
    • Quality Of Information
    • Openness
    • Data Security Safeguards
    • Data Subject Participation.
  1. ACCOUNTABILITY
  • Processing of Personal Data (Section 18)

(1)    A person who processes personal data shall ensure that the personal data is processed
       (a)    without infringing the privacy rights of the data subject;
       (b)    in a lawful manner; and
       (c)    in a reasonable manner.

(2)   A data controller or processor shall in respect of foreign data subjects ensure that personal data is processed in compliance with data protection legislation of the foreign jurisdiction of that subject where personal data originating from that jurisdiction is sent to this country for processing.

  2. LAWFULNESS OF PROCESSING
  • Minimality (Section 19)

Personal data may only be processed if the purpose for which it is to be processed, is necessary, relevant and not excessive.

  • Consent, justification and objection (Section 20)

(1)    A person shall not process personal data without the prior consent of the data subject unless the purpose for which the personal data is processed is

       (a)    necessary for the purpose of a contract to which the data subject is a party;
       (b)    authorised or required by law;
       (c)    to protect a legitimate interest of the data subject;
       (d)    necessary for the proper performance of a statutory duty; or
       (e)    necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.

(2)    Unless otherwise provided by law, a data subject may object to the processing of personal data.

(3)    Where a data subject objects to the processing of personal data, the person who processes the personal data shall stop the processing of the personal data.

  • Collection of personal data (Section 21)

(1)    A person shall collect personal data directly from the data subject.

(2)    Despite subsection (1), personal data may be collected indirectly where:

       (a)    the data is contained in a public record;
       (b)    the data subject has deliberately made the data public;
       (c)    the data subject has consented to the collection of the information from another source;
       (d)    the collection of the data from another source is not likely to prejudice a legitimate interest of the data subject;
       (e)    the collection of the data from another source is necessary:
              (i)    for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law;
              (ii)    for the enforcement of a law which imposes a pecuniary penalty;
              (iii)    for the enforcement of a law which concerns revenue collection;
              (iv)    for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated;
              (v)    for the protection of national security; or
              (vi)    for the protection of the interests of a responsible or third party to whom the information is supplied;
      (f)    compliance would prejudice a lawful purpose for the collection; or
      (g)    compliance is not reasonably practicable.

  • Retention of records (Section 24) 

(1)    Subject to subsections (2) and (3), a data controller who records personal data shall not retain the personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed unless
       (a)    the retention of the record is required or authorised by law,
       (b)    the retention of the record is reasonably necessary for a lawful purpose related to a function or activity,
       (c)    retention of the record is required by virtue of a contract between the parties to the contract, or
       (d)    the data subject consents to the retention of the record.

(2)    Subsection (1) does not apply to records of personal data retained for
       (a)    historical,
       (b)    statistical, or
       (c)    research purposes.

(3)    A person who retains records for historical, statistical or research purposes shall ensure that the records that contain the personal data are adequately protected against access or use for unauthorised purposes.

(4)    A person who uses a record of the personal data of a data subject to make a decision about the data subject shall
       (a)    retain the record for a period required or prescribed by law or a code of conduct, or
       (b)    where there is no law or code of conduct that provides for the retention period, retain the record for a period which will afford the data subject an opportunity to request access to the record.

(5)    A data controller shall destroy or delete a record of personal data or de-identify the record at the expiry of the retention period.

(6)    The destruction or deletion of a record of personal data shall be done in a manner that prevents its reconstruction in an intelligible form.

  • Data processed by data processor or an authorised person (Section 29)

(1)    A data processor or a person who processes personal data on behalf of a data controller shall
       (a)    process the data only with the prior knowledge or authorisation of the data controller, and
      (b)    treat the personal data which comes to the knowledge of the data processor or the other person as confidential.

(2)    A data processor or a person who processes personal data on behalf of a data controller shall not disclose the data unless
      (a)    required by law, or
      (b)    in the course of the discharge of a duty.

  3. SPECIFICATION OF PURPOSE
  • Collection of data for specific purpose (Section 22)

A data controller who collects personal data shall collect the data for a purpose which is specific, explicitly defined and lawful and is related to the functions or activity of the person.

  • Data subject to be made aware of purpose of collection (Section 23)

A data controller who collects data shall take the necessary steps to ensure that the data subject is aware of the purpose for the collection of the data.

  4. COMPATIBILITY OF FURTHER PROCESSING WITH PURPOSE OF COLLECTION
  • Further processing to be compatible with purpose of collection (Section 25)

(1)    Where a data controller holds personal data collected in connection with a specific purpose, further processing of the personal data shall be for that specific purpose.

(2)    A person who processes data shall take into account
       (a)    the relationship between the purpose of the intended further processing and the purpose for which the data was collected,
       (b)    the nature of the data concerned,
       (c)    the manner in which the data has been collected,
       (d)    the consequences that the further processing is likely to have for the data subject, and
       (e)    the contractual rights and obligations between the data subject and the person who processes the data.

(3)    The further processing of data is considered to be compatible with the purpose of collection where
       (a)    the data subject consents to the further processing of the information,
       (b)    the data is publicly available or has been made public by the person concerned,
       (c)    further processing is necessary:
              (i)    for the prevention, detection, investigation, prosecution or punishment for an offence or breach of law,
             (ii)    for the enforcement of a law which imposes a pecuniary penalty,
             (iii)    for the enforcement of legislation that concerns protection of revenue collection,
             (iv)    for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated, or
             (v)    for the protection of national security;

       (d)    the further processing of the data is necessary to prevent or mitigate a serious and imminent threat to:
              (i)    public health or safety, or
             (ii)    the life or health of the data subject or another individual;
       (e)    the data is used for historical, statistical or research purposes and the person responsible for the processing ensures that
              (i)    the further processing is carried out solely for the purpose for which the data was collected, and
             (ii)    the data is not published in a form likely to reveal the identity of the data subject; or
       (f)    the further processing of the data is in accordance with this Act.

  5. QUALITY OF INFORMATION (Section 26)

A data controller who processes personal data shall ensure that the data is complete, accurate, up to date and not misleading having regard to the purpose for the collection or processing of the personal data.

  6. OPENNESS
  • Registration of data controller (Section 27)

(1)    A data controller who intends to process personal data shall register with the Commission.

(2)    A data controller who intends to collect personal data shall ensure that the data subject is aware of
       (a)    the nature of the data being collected;
       (b)    the name and address of the person responsible for the collection;
       (c)    the purpose for which the data is required for collection;
       (d)    whether or not the supply of the data by the data subject is discretionary or mandatory;
       (e)    the consequences of failure to provide the data;
       (f)    the authorised requirement for the collection of the information or the requirement by law for its collection;
       (g)    the recipients of the data;
       (h)    the nature or category of the data; and
       (i)    the existence of the right of access to and the right to request rectification of the data collected before the collection.

(3)    Where the data is collected from a third party, the data subject shall be given the information specified in subsection (2) before the collection of the data or as soon as practicable after the collection of the data.

(4)    Subsection (2), shall not apply in the following situations where it is necessary:
       (a)    to avoid the compromise of the law enforcement power of a public body responsible for the prevention, detection, investigation, prosecution or punishment of an offence;
       (b)    for the enforcement of a law which imposes a pecuniary penalty;
       (c)    for the enforcement of legislation which concerns revenue collection;
       (d)    for the preparation or conduct of proceedings before a court or tribunal that have been commenced or are reasonably contemplated;
       (e)    for the protection of national security;
       (f)    to avoid the prejudice of a lawful purpose;
       (g)    to ensure that the data cannot be used in a form in which the data subject is identified; or
       (h)    because the data is to be used for historical, statistical or research purposes.

  7. DATA SECURITY SAFEGUARDS
  • Security measures (Section 28)

(1)    A data controller shall take the necessary steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate, reasonable, technical and organisational measures to prevent
       (a)    loss of, damage to, or unauthorised destruction; and
       (b)    unlawful access to or unauthorised processing of personal data.

(2)    To give effect to subsection (1), the data controller shall take reasonable measures to
       (a)    identify reasonably foreseeable internal and external risks to personal data under that person’s possession or control;
       (b)    establish and maintain appropriate safeguards against the identified risks;
       (c)    regularly verify that the safeguards are effectively implemented; and
       (d)    ensure that the safeguards are continually updated in response to new risks or deficiencies.

(3)    A data controller shall observe
       (a)    generally accepted information security practices and procedure, and
       (b)    specific industry or professional rules and regulations.

  • Data processor to comply with security measures (Section 30)

(1)    A data controller shall ensure that a data processor who processes personal data for the data controller, establishes and complies with the security measures specified under this Act.

(2)     The processing of personal data for a data controller by a data processor shall be governed by a written contract.

(3)     A contract between a data controller and a data processor shall require the data processor to establish and maintain the confidentiality and security measures necessary to ensure the integrity of the personal data.

(4)    Where a data processor is not domiciled in this country, the data controller shall ensure that the data processor complies with the relevant laws of this country.

  • Notification of security compromises (Section 31)
(1)    Where there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by an unauthorised person, the data controller or a third party who processes data under the authority of the data controller shall notify the
       (a)    Commission, and
       (b)    the data subject of the unauthorised access or acquisition.

(2)    The notification shall be made as soon as reasonably practicable after the discovery of the unauthorised access or acquisition of the data.

(3)    The data controller shall take steps to ensure the restoration of the integrity of the information system.

(4)    The data controller shall delay notification to the data subject where the security agencies or the Commission inform the data controller that notification will impede a criminal investigation.

(5)    The notification to a data subject shall be communicated by
       (a)    registered mail to the last known residential or postal address of the data subject;
       (b)    electronic mail to the last known electronic mail address of the data subject;
       (c)    placement in a prominent position on the website of the responsible party;
       (d)    publication in the media; or
       (e)    any other manner that the Commission may direct.

(6)    A notification shall provide sufficient information to allow the data subject to take protective measures against the consequences of unauthorised access or acquisition of the data.

(7)    The information shall include, if known to the data controller, the identity of the unauthorised person who may have accessed or acquired the personal data.

(8)    Where the Commission has grounds to believe that publicity would protect a data subject who is affected by the unauthorised access or acquisition of data, the Commission may direct the data controller to publicise in the specified manner, the fact of the compromise to the integrity or confidentiality of the personal data.

  8. DATA SUBJECT PARTICIPATION
  • Access to personal information (Section 32)

(1)    A data subject who provides proof of identity may request a data controller to
       (a)    confirm at reasonable cost to the data subject whether or not the data controller holds personal data about that data subject,
       (b)    give a description of the personal data which is held by the party including data about the identity of a third party or a category of a third party who has or has had access to the information, and
       (c)    correct data held on the data subject by the data controller.

(2)    The request shall be made
       (a)    within a reasonable time;
       (b)    after the payment of the prescribed fee, if any;
       (c)    in a reasonable manner and format; and
      (d)    in a form that is generally understandable.

  • Correction of personal data (Section 33)

(1)    A data subject may request a data controller to
       (a)    correct or delete personal data about the data subject held by or under the control of the data controller that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, or
       (b)    destroy or delete a record of personal data about the data subject held by the data controller that the data controller no longer has the authorisation to retain.

(2)    On receipt of the request, the data controller shall comply with the request or provide the data subject with credible evidence in support of the data.

(3)    Where the data controller and the data subject are unable to reach an agreement and if the data subject makes a request, the data controller shall attach to the record an indication that a request for the data has been made but has not been complied with.

(4)    Where the data controller complies with the request, the data controller shall inform each person to whom the personal data has been disclosed of the correction made.

(5)    The data controller shall notify the data subject of the action taken as a result of the request.

Your personal information or data is important and you have a key role to play in protecting such information.

The Data Protection Act, 2012 (Act 843) guarantees your right to privacy by giving you the power to access and control how your personal information is collected, processed, used and disclosed.

Section 18(1) states: A person who processes personal data shall ensure that the personal data is processed
            (a) without infringing the privacy rights of the data subject;
            (b) in a lawful manner; and
            (c) in a reasonable manner.

Here are some of the rights guaranteed under the Act.

  1. Access to personal information
    Once you provide proof of identity, you may request a copy of all your personal details by writing to any organisation or person holding these details on a computer or in manual form. You also have a right to know how the information is being processed, by whom, and who has access to it.
  2. Right to amend your personal information
    You have the right to request amendment (correction and deletion) of inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained personal data or information that is under the control of a data controller or processor. On receipt of the request, the data controller must comply or provide you with credible evidence in support of the data it holds.
  3. Right to prevent processing of your personal information
    You can at any time, by notice, ask the data controller or processor to cease processing your personal information.
  4. Right to freedom from automated decision making
    An individual is entitled at any time, by notice in writing to a data controller, to require the data controller to ensure that any decision taken on his behalf by the data controller which significantly affects that individual is not based solely on an automated process.
    Generally, important decisions about you based on your personal details should have human input and must not be automatically generated, unless you agree to this. For example, such decisions may concern your work performance, reliability or mental health condition.
  5. Right to prevent processing of personal data for direct marketing purposes
    A data controller or processor shall not provide, use or obtain information related to a data subject for the purpose of direct marketing without the prior written consent of the data subject.
    Individuals are entitled at any time, by notice in writing to a data controller, to require the data controller not to process their personal data for the purposes of direct marketing, and to obtain compensation where such processing has caused them damage.
  6. Right to seek compensation through the courts
    Individuals who suffer damage or distress through a contravention of the Act by a data controller or processor are entitled to compensation from that data controller or processor and can seek such compensation through the courts.
  7. Right to complain to the Data Protection Commission
    Where you have difficulty exercising your rights, or if you feel that any person or organisation is not complying with its responsibilities, you may complain to the Data Protection Commission, which can investigate the issue and ensure that your rights are upheld.

Practical Measures for Protecting your Personal Information

The Commission provides a list of security measures individuals can personally take to protect the privacy of their data in both automated and manual systems.

You are a data controller if you can answer YES to the following questions:

    • Do you collect, hold and process personal information?
    • Do you determine how personal information collected should be processed?
    • Do you determine what personal information should be collected and or kept?

DATA CONTROLLERS

The Data Protection Act, 2012(Act 843) defines a "data controller" as “a person who either alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed” .

The data controller is therefore the individual or legal person or body who controls and is responsible for the collection, keeping and use of personal information in computer systems or in manual files.

If you or your organisation controls and has responsibility over the personal information it collects or holds, then you or your organisation (as the case may be) is a data controller. If in doubt or unsure about your status, please contact the Commission.

DATA PROCESSORS

You are a data processor if you can answer YES to the following questions:

    • Do you collect, hold or process personal data, but do not exercise responsibility for or control over how the personal data is processed?
    • Do you have little or no freedom in determining what the data processing should entail?

The Data Protection Act, 2012 (Act 843) defines a "data processor" as "any person other than an employee of the data controller who processes the data on behalf of the data controller". Data processors only process data on the instruction of the data controller. Examples include payroll companies, accountants and market research companies; their responsibility is to keep the data safe from unauthorised access, disclosure, destruction and accidental loss.

It is possible for a person (legal person) to be both a data controller and a data processor, in respect of distinct sets of personal information.

If you or your organisation processes personal information, but some other individual or organisation decides and is responsible for how you process that personal information, then the individual or organisation that determines how you process the personal information is the data controller, and your organisation is the data processor.

DATA PROCESSING OBLIGATIONS

Today, personal information such as names, telephone numbers, pictures, addresses, birth dates, medical reports, accounts, credit card details and much more is collected by individuals or organisations and processed for various reasons. We rely on you or your organisation to use or divulge such personal information only as intended and to keep it safe. The privacy and data protection rights of an individual must therefore be respected by those collecting and processing such information.

The full text of the Data Protection Act, 2012 (Act 843) is available for download as a PDF (363.54 KB).

The Data Protection Act, 2012 (Act 843) is premised on the fundamental rule that all who process personal data must take into consideration the right of that individual to the privacy of his or her communications.

This recognition by a data controller or processer should lead to the application of the 8 basic principles for processing personal information. The Act sets out the 8 data principles under Section 17 as follows:

    • Accountability
    • Lawfulness Of Processing
    • Specification Of Purpose
    • Compatibility Of Further Processing With Purpose Of Collection
    • Quality Of Information
    • Openness
    • Data Security Safeguards
    • Data Subject Participation.
  1. ACCOUNTABILITY
  • Processing of Personal Data (Section 18)

(1)    A person who processes personal data shall ensure that the personal data is processed;
       (a)    without infringing the privacy rights of the data subject;
       (b)    in a lawful manner; and
       (c)    in a reasonable manner.

(2)   A data controller or processor shall in respect of foreign data subjects ensure that personal data is processed in compliance with data protection legislation of the foreign jurisdiction of that subject where personal data originating from that jurisdiction is sent to this country for processing.

  1. LAWFULNESS OF PROCESSING
  • Minimality (Section19)

Personal data may only be processed if the purpose for which it is to be processed, is necessary, relevant and not excessive.

  • Consent, justification and objection (20)

(1)    A person shall not process personal data without the  prior consent of the data subject unless the purpose for which the personal data is processed is;

       (a)    necessary for the purpose of a contract to which the data subject is a party;
       (b)    authorised or required by law;
       (c)    to protect a legitimate interest of the data subject;
       (d)    necessary for the proper performance of a statutory duty; or
       (e)    necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.

(2)    Unless otherwise provided by law, a data subject may object to the processing of personal data.

(3)    Where a data subject objects to the processing of personal data, the person who processes the personal data shall stop the processing of the personal data.

  • Collection of personal data (Section 21)

(1)    A person shall collect personal data directly from the data subject.

(2)    Despite subsection (1), personal data may be collected indirectly where:

       (a)    the data is contained in a public record;
       (b)    the data subject has deliberately made the data public;
       (c)    the data subject has consented to the collection of the information from another source;
       (d)    the collection of the data from another source is not likely to prejudice a legitimate interest of the data subject;
       (e)    the collection of the data from another source is necessary:
              (i)    for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law;
              (ii)    for the enforcement of a law which imposes a pecuniary penalty;
              (iii)    for the enforcement of a law which concerns revenue collection;
              (iv)    for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated;
              (v)    for the protection of national security; or
              (vi)    for the protection of the interests of a responsible or third party to whom the information is supplied;
       (f)    compliance would prejudice a lawful purpose for the collection; or
       (g)    compliance is not reasonably practicable.

  • Retention of records (Section 24) 

(1)    Subject to subsections (2) and (3), a data controller who records personal data shall not retain the personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed unless
       (a)    the retention of the record is required or authorised by law,
       (b)    the retention of the record is reasonably necessary for a lawful purpose related to a function or activity,
       (c)    retention of the record is required by virtue of a contract between the parties to the contract, or
       (d)    the data subject consents to the retention of the record.

(2)    Subsection (1) does not apply to records of personal data retained for
       (a)    historical,
       (b)    statistical, or
       (c)    research purposes.

(3)    A person who retains records for historical, statistical or research purposes shall ensure that the records that contain the personal data are adequately protected against access or use for unauthorised purposes.

(4)    A person who uses a record of the personal data of a data subject to make a decision about the data subject shall
       (a)    retain the record for a period required or prescribed by law or a code of conduct, or
       (b)    where there is no law or code of conduct that provides for the retention period, retain the record for a period which will afford the data subject an opportunity to request access to the record.

(5)    A data controller shall destroy or delete a record of personal data or de-identify the record at the expiry of the retention period.

(6)    The destruction or deletion of a record of personal data shall be done in a manner that prevents its reconstruction in an intelligible form.

  • Data processed by data processor or an authorised person (Section 29)

(1)    A data processor or a person who processes personal data on behalf of a data controller shall
       (a)    process the data only with the prior knowledge or authorisation of the data controller, and
       (b)    treat the personal data which comes to the knowledge of the data processor or the other person as confidential.

(2)    A data processor or a person who processes personal data on behalf of a data controller shall not disclose the data unless
       (a)    required by law, or
       (b)    in the course of the discharge of a duty.


  3. SPECIFICATION OF PURPOSE
  • Collection of data for specific purpose (Section 22)

A data controller who collects personal data shall collect the data for a purpose which is specific, explicitly defined and lawful and is related to the functions or activity of the person.

  • Data subject to be made aware of purpose of collection (Section 23)

A data controller who collects data shall take the necessary steps to ensure that the data subject is aware of the purpose for the collection of the data.

  4. COMPATIBILITY OF FURTHER PROCESSING WITH PURPOSE OF COLLECTION
  • Further processing to be compatible with purpose of collection (Section 25)

(1)    Where a data controller holds personal data collected in connection with a specific purpose, further processing of the personal data shall be for that specific purpose.

(2)    A person who processes data shall take into account;
       (a)    the relationship between the purpose of the intended further processing and the purpose for which the data was collected,
       (b)    the nature of the data concerned,
       (c)    the manner in which the data has been collected,
       (d)    the consequences that the further processing is likely to have for the data subject, and
       (e)    the contractual rights and obligations between the data subject and the person who processes the data.

(3)    The further processing of data is considered to be compatible with the purpose of collection where
       (a)    the data subject consents to the further processing of the information,
       (b)    the data is publicly available or has been made public by the person concerned,
       (c)    further processing is necessary;
              (i)    for the prevention, detection, investigation, prosecution or punishment for an offence or breach of law,
             (ii)    for the enforcement of a law which imposes a pecuniary penalty,
             (iii)    for the enforcement of legislation that concerns protection of revenue collection,
             (iv)    for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated, or
             (v)    for the protection of national security;

       (d)    the further processing of the data is necessary to prevent or mitigate a serious and imminent threat to;
              (i)    public health or safety, or
             (ii)    the life or health of the data subject or another individual;
       (e)    the data is used for historical, statistical or research purposes and the person responsible for the processing ensures that
              (i)    the further processing is carried out solely for the purpose for which the data was collected, and
             (ii)    the data is not published in a form likely to reveal the identity of the data subject; or
       (f)    the further processing of the data is in accordance with this Act.


  5. QUALITY OF INFORMATION (Section 26)

A data controller who processes personal data shall ensure that the data is complete, accurate, up to date and not misleading having regard to the purpose for the collection or processing of the personal data.

  6. OPENNESS
  • Registration of data controller (Section 27)

(1)    A data controller who intends to process personal data shall register with the Commission.

(2)    A data controller who intends to collect personal data shall ensure that the data subject is aware of
       (a)    the nature of the data being collected;
       (b)    the name and address of the person responsible for the collection;
       (c)    the purpose for which the data is required for collection;
       (d)    whether or not the supply of the data by the data subject is discretionary or mandatory;
       (e)    the consequences of failure to provide the data;
       (f)    the authorised requirement for the collection of the information or the requirement by law for its collection;
       (g)     the recipients of the data;
       (h)     the nature or category of the data; and
       (i)    the existence of the right of access to and the right to request rectification of the data collected before the collection.

(3)    Where the data is collected from a third party, the data subject shall be given the information specified in subsection (2) before the collection of the data or as soon as practicable after the collection of the data.

(4)    Subsection (2) shall not apply in the following situations where it is necessary:
       (a)    to avoid the compromise of the law enforcement power of a public body responsible for the prevention, detection, investigation, prosecution or punishment of an offence;
       (b)    for the enforcement of a law which imposes a pecuniary penalty;
       (c)    for the enforcement of legislation which concerns revenue collection;
       (d)    for the preparation or conduct of proceedings before a court or tribunal that have been commenced or are reasonably contemplated;
       (e)    for the protection of national security;
       (f)    to avoid the prejudice of a lawful purpose;
       (g)    to ensure that the data cannot be used in a form in which the data subject is identified; or
       (h)    because the data is to be used for historical, statistical or research purposes.

  7. DATA SECURITY SAFEGUARDS
  • Security measures (Section 28)

(1)    A data controller shall take the necessary steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate, reasonable, technical and organisational measures to prevent
       (a)    loss of, damage to, or unauthorised destruction; and
       (b)    unlawful access to or unauthorised processing of personal data.

(2)    To give effect to subsection (1), the data controller shall take reasonable measures to
       (a)    identify reasonably foreseeable internal and external risks to personal data under that person’s possession or control;
       (b)    establish and maintain appropriate safeguards against the identified risks;
       (c)    regularly verify that the safeguards are effectively implemented; and
       (d)    ensure that the safeguards are continually updated in response to new risks or deficiencies.

(3)    A data controller shall observe
       (a)    generally accepted information security practices and procedure, and
       (b)    specific industry or professional rules and regulations.

  • Data processor to comply with security measures (Section 30)

(1)    A data controller shall ensure that a data processor who processes personal data for the data controller, establishes and complies with the security measures specified under this Act.

(2)     The processing of personal data for a data controller by a data processor shall be governed by a written contract.

(3)     A contract between a data controller and a data processor shall require the data processor to establish and maintain the confidentiality and security measures necessary to ensure the integrity of the personal data.

(4)    Where a data processor is not domiciled in this country, the data controller shall ensure that the data processor complies with the relevant laws of this country.

  • Notification of security compromises (Section 31)

(1)    Where there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by an unauthorised person, the data controller or a third party who processes data under the authority of the data controller shall notify the
       (a)    Commission, and
       (b)    the data subject of the unauthorised access or acquisition.

(2)    The notification shall be made as soon as reasonably practicable after the discovery of the unauthorised access or acquisition of the data.

(3)    The data controller shall take steps to ensure the restoration of the integrity of the information system.

(4)    The data controller shall delay notification to the data subject where the security agencies or the Commission inform the data controller that notification will impede a criminal investigation.

(5)    The notification to a data subject shall be communicated by
       (a)    registered mail to the last known residential or postal address of the data subject;
       (b)    electronic mail to the last known electronic mail address of the data subject;
       (c)    placement in a prominent position on the website of the responsible party;
       (d)    publication in the media; or
       (e)    any other manner that the Commission may direct.

(6)    A notification shall provide sufficient information to allow the data subject to take protective measures against the consequences of unauthorised access or acquisition of the data.

(7)    The information shall include, if known to the data controller, the identity of the unauthorised person who may have accessed or acquired the personal data.

(8)    Where the Commission has grounds to believe that publicity would protect a data subject who is affected by the unauthorised access or acquisition of data, the Commission may direct the data controller to publicise in the specified manner, the fact of the compromise to the integrity or confidentiality of the personal data.

  8. DATA SUBJECT PARTICIPATION
  • Access to personal information (Section 32)

(1)    A data subject who provides proof of identity may request a data controller to
       (a)    confirm at reasonable cost to the data subject whether or not the data controller holds personal data about that data subject,
       (b)    give a description of the personal data which is held by the party including data about the identity of a third party or a category of a third party who has or has had access to the information, and
       (c)    correct data held on the data subject by the data controller.

(2)    The request shall be made
       (a)    within a reasonable time;
       (b)    after the payment of the prescribed fee, if any;
       (c)    in a reasonable manner and format; and
      (d)    in a form that is generally understandable.

  • Correction of personal data (Section 33)

(1)    A data subject may request a data controller to
       (a)    correct or delete personal data about the data subject held by or under the control of the data controller that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, or
       (b)    destroy or delete a record of personal data about the data subject held by the data controller that the data controller no longer has the authorisation to retain.

(2)    On receipt of the request, the data controller shall comply with the request or provide the data subject with credible evidence in support of the data.

(3)    Where the data controller and the data subject are unable to reach an agreement and if the data subject makes a request, the data controller shall attach to the record an indication that a request for the data has been made but has not been complied with.

(4)    Where the data controller complies with the request, the data controller shall inform each person to whom the personal data has been disclosed of the correction made.

(5)    The data controller shall notify the data subject of the action taken as a result of the request.

The Commission provides for the process to obtain, hold, use or disclose personal information and for other related issues bordering on the protection of personal data.