Beginning next week, the enforcement unit of the Data Protection Commission (DPC) and the police will carry out a joint enforcement exercise aimed at institutions that function as data controllers, and therefore have access to the public’s personal or business data, to ensure utmost compliance with regulatory data protection requirements.
Institutions found culpable of data protection breaches will henceforth not be allowed to access and process personal and confidential business data, and may subsequently face prosecution too.
This comes on the back of numerous complaints the Commission has received from the public about the misuse and mishandling of their personal data by data controllers who transfer such data to third parties without their permission.
Since the last quarter of 2017, more than 500 complaints about data protection breaches have been reported by individuals and enterprises who felt that their right to privacy was being infringed, adding that they had not given such details to any third party. These complaints have been documented. There have also been many verbal complaints made to officials of the Commission, which remain undocumented because they were not made formally.
According to the Commission, privacy infringements come in different forms, such as unsolicited calls and messages, and the institutions found culpable include, in particular, telecom companies, loan institutions, microfinance and insurance companies, who in most cases attempt to sell their respective data to third parties.
The Commission acknowledges that many of the culprit institutions were unaware of the offence. Hence, to avert continued data breaches, it began a series of engagements with them to build their capacity to effectively manage people’s personal data and safeguard their rights and privacy, as stated in the Data Protection Act, 2012 (Act 843).
However, an official of the Commission told this paper that despite the queries concerning complaints of data breaches, and the subsequent warnings sent to such institutions, the majority of them have since neither responded nor desisted from repeating such infringements.
“Once we write to the institutions, it is mandatory on their part to give us a response. They are also supposed to send us their policies on data protection. If they don’t meet the standards of the Commission, they are supposed to be trained in order to monitor compliance”, the official reiterated.
Speaking with the Goldstreet Business, the Executive Director of the Commission, Madam Patricia Adusei-Poku, said the number of complaints could have been higher if individuals were fully aware that such activities infringe on the right to privacy.
“Our culture does not encourage reporting. Many people do not know that they can report such activities to the Commission for action to be taken”, she noted.
To ensure that people’s personal data is safeguarded, the Commission has recently trained the first 100 professional data protection supervisors and placed them in various public institutions. It is a state policy and a legal mandate of the Commission to have only certified data protection supervisors lead such departments in all institutions to monitor compliance.
Data protection is now a legal necessity that is crucial to protecting and maintaining business integrity and competitiveness.
Common data that institutions might store include employee records – names, addresses, electronic mail addresses, telephone numbers, bank and credit card details, customer and loyalty details, among others. Such data contains sensitive information relating to staff, shareholders, business partners and clients, as well as customers and other members of the public.
Protecting all this information, in accordance with the Data Protection Act, requires businesses to adhere to specific laid-down principles.