In Ghana, the primary legislation governing privacy/ data protection is the Data Protection Act, 2012 (Act 843) (the Act); which defines data as information that is processed by means of equipment operating automatically in response to instructions or; information that is recorded and is intended for processing by means and equipment; or information that is recorded as part of a filing system with the intention that it form part of a filing system or an accessible record.
Once information is properly classified as “data,” there is a restraint on its direct collection from the data subject unless: the data is already part of a public record with the consent of the data subject, and its collection from another source is unlikely to prejudice a legitimate interest of the data subject.
A person collecting data (the data controller) must also ensure that the data subject is aware of the nature of the data being collected; the name and address of the person responsible for its collection; the purpose for which the data is required for collection; and whether or not the supply of the data by the data subject is discretionary or mandatory; the consequences of failure to provide the data; the requirement by law for its collection; the recipient of the data; the nature or category of the data; the existence of the right of access to and the right to request rectification of the data collected before the collection. Where the collection is carried out by a third party on behalf of the data controller, the third party must ensure that the data subject has the information listed above.
There is, however, an exception for the collection of the data from another source where it is necessary for a number of expressly designated purposes. For example, where it is needed for the detection or punishment of an offense or breach of law), or where
compliance would prejudice a lawful purpose for which compliance is not reasonably practicable.
A data controller who intends to process personal data is required to register with the Data Protection Commission, and a data controller who is not incorporated in Ghana must register as an external company, and there is also an obligation to data
controllers to appoint data protection officers.
As to the transfer of data, there are no specific provisions in the Act on the transfer of personal data. However, the sale, purchase, knowing or reckless disclosure of personal data or information is prohibited; and any person who knowingly or recklessly discloses personal data is liable on summary conviction to a fine of not more than 250 penalty units or to a term of imprisonment of not more than 2 years or to both.
A person who sells or offers for sale personal data is liable on summary conviction to a fine of not more than 2500 penalty units or to a term of imprisonment of not more than five years or to both a fine and a term of imprisonment. A penalty unit is equivalent to GHS 12 (approximately USD 2.20). Where there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by an unauthorized person, the data controller or a third party who processes data under the authority of the data controller is required to notify the Data Protection Commission and the data subject of the unauthorized access or acquisition as soon as reasonably practicable after the discovery of the unauthorized access or acquisition of the data.
However, the data controller is allowed to delay the notification of the data subject in instances where the security agencies or the Data Protection Commission informs the data controller that the notification will impede a criminal investigation.
As to the use of data for the purposes of electronic marketing, the Act prohibits a data controller from using, obtaining, procuring or providing information related to a data subject for the purpose of direct marketing without the prior written consent of the data subject. However, there are no specific provisions that relate to electronic marketing specifically.
Finally, while there are no specific provisions in relation to online privacy, a data controller is generally required to take necessary steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate, reasonable, technical, and organizational measures.
If you have any further questions regarding Data privacy and protection in Ghana or any other business-related subject in Ghana or elsewhere on the African continent, please do not hesitate to contact us.
