A majority of public sector institutions that function as data controllers have not complied with the data protection regulation that compels them to register with the Data Protection Commission (DPC), as enshrined in law.
Their failure to register implies that they are not on the radar of the Commission and thus are not cooperating with it. Some sector players have asserted that their refusal has the tendency to negatively impact business operations and activities in the country.
Section 27 (1) of the Data Protection Act, 2012 (Act 843) states that a data controller who intends to process personal data shall register with the Commission. This makes it obligatory for institutions that perform such functions, such as the Controller and Accountant General Department, to register.
However, following a recent series of cautions, engagements and sensitization measures, among other steps undertaken by the Commission, a majority of private sector institutions that function as data controllers have led the way in formalizing their operations by registering with the Commission.
According to the DPC, there has been a prior series of engagements with public sector institutions to enable them to fulfil their obligation within the scope of the law, but they have since not registered.
Speaking with the Goldstreet Business last Wednesday, the Executive Director of the Commission, Ms. Patricia Adusei-Poku, said she had personally contacted a number of Chief Executive Officers (CEOs) of public institutions on the need to register with the Commission, but they have since failed to do so.
“If they are not registering, then they are not being compliant and responsible. In the next few days, we are ready to kick off enforcement action against all organisations who have blatantly refused to register where some are large public sector organisations. Should we split our records, the private sector has performed better than public sector institutions”, she reiterated.
Data protection is now a legal necessity that is crucial to protecting and maintaining business, and it has become a differentiating factor for businesses.
Every Data Protection Act contains a set of principles that businesses, organisations and governments need to follow in order to keep clients' data secure, accurate and safe. This set of principles ensures that data that is collected is used strictly in a lawful manner.
Data that is stored needs to be properly protected. This is to prevent it from being misused by third parties for fraud, such as phishing scams and identity theft. Protecting all this information, in accordance with the Data Protection Act, requires businesses to adhere to specific laid-down principles.
Common data that institutions might store includes employee records (names, addresses, e-mails, telephone numbers, bank and credit card details), customer details and loyalty, among others. Such data contains sensitive information relating to staff, shareholders, business partners and clients as well as customers and other members of the public.