Home | Goldstreet Business
Monday, January 30, 2023
  • Home
  • General News
    • Extractives
    • Auto
  • Business
    • Banking and Finance
    • AgriBusiness
    • Insurance
    • Mining
    • Oil and Gas
    • Real Estate/Housing
  • News
    • Top Stories
    • Agriculture
    • Maritime/Aviation
    • Energy
    • Education
    • Construction
  • Technology
    • ICT
    • Telecom
  • World
    • Africa
    • International
  • Editorial/Features
  • GSB Data Services
No Result
View All Result
  • Home
  • General News
    • Extractives
    • Auto
  • Business
    • Banking and Finance
    • AgriBusiness
    • Insurance
    • Mining
    • Oil and Gas
    • Real Estate/Housing
  • News
    • Top Stories
    • Agriculture
    • Maritime/Aviation
    • Energy
    • Education
    • Construction
  • Technology
    • ICT
    • Telecom
  • World
    • Africa
    • International
  • Editorial/Features
  • GSB Data Services
No Result
View All Result
Gold Business Logo
No Result
View All Result
Home Business Macroeconomic Bulletin

Your Privacy in an Interconnected World – Ghana’s Data Protection Laws

September 23, 2022
in Macroeconomic Bulletin, Opinion, Technology, Top Stories
0
Your Privacy in an Interconnected World – Ghana’s Data Protection Laws
Share on FacebookShare on Twitter

We may be living in a generation that knows no privacy and yet if there was such a time we ought to strive for such constructs, now will be most appropriate. The problem, as I see it, is networks! Networks, in its primary and technical sense, have become the reason for our hyper interconnected world. All critical infrastructure ranging from energy, transportation, banking, and finance are now enabled by computer networks. The blessings of a hyperconnected environment have become the challenge for privacy. The central evolving question in law and policy is therefore how we secure the CIA (Confidentiality, Integrity and Availability) of both the networks and the information held by the computers. The threat to this new reality of a highly connected world is enormous and ranges from access intrusions, aka. hacks, all down to more benign but important issues of sharing one’s own personal data with the proliferation of social media. Social Engineering has become as dangerous in modern times as hacks and so today I focus on the laws that regulate Data Protection in Ghana with the view that there may yet be left some privacy, however philosophical, in our world today.

Privacy is argued as fundamental of all rights, and debates on privacy have much rooted in philosophy dating back to Aristotle’s Publicus versus Privatus distinction where the former is communis whiles the latter personal. The “Right to Privacy” is significantly argued as a Human Right enshrined in the Universal Declaration of Human Rights and in many constitutions including Ghana’s 1992 Constitution. At the minimum, the right circumscribes the right to inviolability of the home and to the secrecy of communications. Article 18(2) reads:

RELATED POSTS

Policy rate increases to 28%; cost of loans to surge

Gulf Technology Systems, Ghana To Collaborate On Agricultural and Industrial Projects

“No person shall be subjected to interference with the privacy of his home, property, correspondence or communication except in accordance with law and as may be necessary in a free and democratic society for public safety or the economic well-being of the country, for the protection of health or morals, for the prevention of disorder or crime or for the protection of the rights or freedoms of others.” (Emphasis Mine)

Without any detailed analysis, it appears the suggested constitutional right to privacy can be “violated” within the law under such widely constructed claw back provision. I often ask, what is protection of morals? Whose morals? And how does that warrant violation of a right so guaranteed as fundamental as the right to privacy? But those questions are for another day.

The more fundamental question for today is the definition of what this constitutional right to privacy means and what its limits of enforceability may be. I am yet to come by any law that defines what “Privacy” is. The closest may be what William Prosser described as “rather definite” violations of privacy rights which are:

  1. Intrusion upon a person’s seclusion or solitude, or into his private affairs.
  2. Public disclosure of embarrassing private facts about an individual.
  3. Publicity placing one in a false light in the public eye.
  4. Appropriation of one’s likeness for the advantage of another (Prosser 1960, 389).

In Policy, data protection is the process that guarantees privacy of data. Data protection is not a new concept but has become an increasingly important subject with the digital evolution. Data has become a resource as valuable as natural resources (if you disagree, ask the value of one Ghana Card, and a thousand overhead bridges may not compare). The focus of the rules on data protection therefore must be as important as the rules that protect our gold and oil. However, the laws on data protection must however contrast with those public laws that protect access to public goods. Data privacy must protect individual autonomy and the ability of the individual to control access to his personal information.

The Data Protection Act, 2012 (Act 843) defines ‘Data’ in very broad terms which ordinarily is progressive for the laws of Data Privacy. Section 96 reads:

“Data” means information which

(a) is processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or

(d) does not fall within paragraph (a),(b) or (c) but forms part of an accessible record;

The Act 843 which thus establishes a Data Protection Commission, with a central objective “To Protect The Privacy Of The Individual And Personal Data…” can therefore be read broadly to encompass all forms of records accessible in Ghana. It is not in doubt that Personal Data is particularly important to our data protection regimes. “Personal Data” is defined in the law as “data about an individual who can be identified, (a) from the data, or (b) from the data or other information in the possession of, or likely to come into the possession of the data controller.” Our quest is therefore to understand the framework that exists to protect individual privacy and personal data in Ghana.

The first thing noteworthy is that the law adopts both a prescriptive and rule-based approach as well as a principle-based approach to data privacy regulations in Ghana. The Act established eight (8) principles of which any Data Controller may be minded. These principles are laid out in Section 17 of Act 843 and expanded through to Section 26. Section 17 reads:

“A person who processes data shall take into account the privacy of the individual by applying the following principles: (a) accountability (b) lawfulness of processing (c) specification of purpose (d) compatibility of further processing with purpose of collection (e) quality of information (f) openness (g) data security safeguards and (h) data subject participation.”

A principle-based approach to regulation some argue may be non-enforceable but is one I find particularly interesting in the development of the law. Let us at this point find direction in the issues and questions I have come to determine as difficult in the operation of the law. Before I venture into those difficult terrains, however, I wish to provide a useful guide to readers on some rights they are guaranteed under the law.

  1. Right to Access. Under Section 32 of Act 843, every person has the right to request a data controller to give a description of the personal data which is held by the party including data about the identity of a third party or a category of a third party who has or has had access to the information. This may be very simple information about readers’ data privacy right but an information I hope they find useful in its simplicity. The law gives you the right to know what personal data of yours is held by any data controller and who else may have access to it. If you keep wondering why you receive unsolicited messages, try asking the vendor. As a matter of fact, Section 40 provides that, “A data controller shall not provide, use, obtain, procure or provide information related to a data subject for the purposes of direct marketing without the prior written consent of the data subject.”
  2. Right to Prevent Processing. Section 39 gives any data subject the right to request a data controller to cease from processing his personal data for a specified purpose or in a specified manner and the data controller shall comply or indicate reasons why it may not be able to comply within 21 days. A right of further recourse may lay with the Data Protection Commission or the Courts. This may be interesting for some institutions sharing data with third parties for purposes of profiling persons for automated decisions like loan provision. This trend of automated decision is further provided for in Section 41. As they say, we watch this space for its evolution.
  3. Prohibition on Sales of Personal Data. I equally find Section 89 interesting. It reads, “A person who sells or offers to sell personal data of another person commits an offence and is liable on summary conviction to a fine of not more than two thousand five hundred penalty units or to a term of imprisonment of not more than five years or to both.”
  4. Processing of special personal data prohibited. Unless processing of personal data is necessary, the data subject consents, or is necessary in the exercise or performance of a right or an obligation imposed by law, the law prohibits processing of personal data relating to a child under parental control in accordance with the law, or the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life or criminal behavior of an individual.

Now that these basic rights issues are settled, let us venture the more difficult question of data localisation, residency, and general data transfer requirements. As the cloud becomes the go-to for storage needs with applications and databases resident outside Ghana, the more difficult question for data controllers is, what are their requirements under law as it may pertain to the data collected in Ghana but processed and stored outside Ghana?

To answer this question, the principles become our guide, for which reason I find the principle-based approach to data privacy interesting. Although there appears to be generally no restriction on data transfer outside the jurisdiction in the Data Protection Act, data controllers must ensure that data processors who process personal data for the data controller, establish and comply with the security measures specified under Section 28 of Act 843 as well as the data-subject participation requirement.

A data controller shall only collect the data for a purpose which is specific, explicitly defined and lawful and is related to the functions or activity of the person. Section 18 of the Act requires that a person who processes personal data shall ensure that the personal data is processed a) without infringing the privacy rights of the data subject; (b) in a lawful manner; and (c) in a reasonable manner and a data controller or processor shall in respect of foreign data subjects ensure that personal data is processed in compliance with data protection legislation of the foreign jurisdiction of that subject where personal data originating from that jurisdiction is sent to this country for processing.

It appears all is well and good until one averts her mind to the Electronic Transactions Act, 2008 (Act 772). Section 57 of Act 772 provides that, “The Minister may declare certain classes of information relating to national security or the economic or social wellbeing of the public to be critical electronic record for the purposes of sections 58 to 62.” Section 58 then provides for the registration of these critical databases:

The Minister may by notice in the Gazette determine (a) requirements for the registration of a critical database (b) procedures for the registration of a critical database and (c) any other matter relating to registration.

This provision was further strengthened under Section 35 and 36 of Cybersecurity Act, 2020 (Act 1038). The Provisions for Critical Information Infrastructure suggest a different data protection regime, at least for the databases on which personal data reside for some industries. The data protection law must therefore be read together with the laws that provide for the infrastructure that houses the data in order to fully appreciate the requirement for data residency. Section 35 of Act 1038 reads:

  1. The Minister may, on the advice of the Authority, designate a computer system or computer network as a critical information infrastructure if the Minister considers that the computer system or computer network is essential for (a) national security, or (b) the economic and social well-being of citizens.
  2. Where the Minister designates a computer system or computer network as a critical information infrastructure, the Minister shall publish the designation in the Gazette.
  3. The Minister shall, in making a determination under subsection (1), consider if the computer system or computer network is necessary for

(a) the security, defence or international relations of the country;

(b) the production, preservation or identity of a confidential source of information related to the enforcement of criminal law;

(c) the provision of services directly related to

(i) communications and telecommunications infrastructure;

(ii) banking and financial services;

(iii) public utilities

(iv) public transportation; and

(v) public key infrastructure;

(d) the protection of public safety and public health, including systems related to essential emergency services;

(e) an international business or communication affecting a citizen of Ghana or any other international business in which a citizen of Ghana or the Government has an interest; or

(f) the Legislature, Executive, Judiciary, Public Services or security agencies.

4. The Minister shall, by publication in the Gazette, establish the procedure for the regulation of a critical information infrastructure.

Section 36 of Act 1038 makes it the obligation of the Cyber Security Authority to register critical information infrastructure. On October 1, 2021, the Directive for the Protection of Critical Information Infrastructure (CII) published by the Cyber Security Authority came into force. Among the 15-baseline technical and organisational requirements for owners of critical information infrastructure are the obligation to: implement relevant Physical Security Measures for the physical protection of CII systems and its associated dependent assets and systems, create and keep A Risk Register Which Catalogues And Profiles The Various Information and cyber risks targeting the designated CII and ensure that Source Codes Of Critical Systems are kept in escrow. The real question therefore is, does these requirements apply to a Ghanaian data controller whose database sits in Ireland for any of the industries named by the directive?

The technical conversation of how these requirements may be possible without a localised datacentre can go on and on, but the answer to questions of data transfer and localisation becomes rather nuanced particularly for certain industries. The Directive for the owners of CII also requires them under the incident reporting regime to establish a Point of Contact for reporting cybersecurity incidents and receiving cybersecurity information as well as Disclosing And Reporting Any Vulnerabilities identified or discovered through internal or external security audits and assessments, within 72 hours of identifying or discovering the vulnerability.

Ghana’s landscape for data protection is fast growing. The principle-based approach to regulation will empower the Data Protection Commission and the other relevant agencies to implement even bolder directives but the summary of the matter will always remain; individual users have a personal responsibility to valuing and protecting their personal data.

Let us therefore find resolve in some technical admonishments; – you may enjoy cookies, but online cookies are small sometimes executable files, that may give someone a bypass to your personal information; change your passwords as often as you change your bedsheets and by all means, implement a two-factor authentication for whatever platform you consider holds important personal data. In all of this conversation, “scientia potentia est”. If you did not have a Latin teacher, “Knowledge” they say, “is Power”, so learn, become aware of the trends with digital evolution, make deliberate choices and informed decisions about sharing your personal data and do not become the product unknowingly!

My name is Yaw Sompa, I am a lawyer, an enterprise risk practitioner, and a certified information security master & trainer.

facebookShare on Facebook
TwitterTweet
Source: Yaw Sompa
ShareTweetShare

Related Posts

Economy Picks Up

Policy rate increases to 28%; cost of loans to surge

January 30, 2023
Gulf Technology Systems, Ghana To Collaborate On Agricultural and Industrial Projects

Gulf Technology Systems, Ghana To Collaborate On Agricultural and Industrial Projects

January 30, 2023
GhanaWeb partners with Maxwell Investments Group on entrepreneurship-based content

GhanaWeb partners with Maxwell Investments Group on entrepreneurship-based content

January 26, 2023
The next “AMAZON” in Africa will need a Functioning Address System

The next “AMAZON” in Africa will need a Functioning Address System

January 23, 2023
NCA grants provisional approval for the sale of Vodafone Ghana to Telecel

NCA grants provisional approval for the sale of Vodafone Ghana to Telecel

January 17, 2023
Next Post
“International Financial System Skewed Against Africa; Reform It Now” – President Akufo-Addo

“International Financial System Skewed Against Africa; Reform It Now” – President Akufo-Addo

Oil Prices Edge Down, Recession Fears Back in Focus

Oil Prices Edge Down, Recession Fears Back in Focus

Discussion about this post

Archives

<
January 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
▼
>
MonTueWedThuFriSatSun
      1
2345678
9101112131415
16171819202122
23242526272829
3031     
   1234
567891011
12131415161718
19202122232425
262728293031 
       
 123456
78910111213
14151617181920
21222324252627
282930    
       
     12
3456789
10111213141516
17181920212223
24252627282930
31      
   1234
567891011
12131415161718
19202122232425
2627282930  
       
1234567
891011121314
15161718192021
22232425262728
293031    
       
    123
45678910
11121314151617
18192021222324
25262728293031
       
  12345
6789101112
13141516171819
20212223242526
27282930   
       
      1
2345678
9101112131415
16171819202122
23242526272829
3031     
    123
45678910
11121314151617
18192021222324
252627282930 
       
 123456
78910111213
14151617181920
21222324252627
28293031   
       
 123456
78910111213
14151617181920
21222324252627
28      
       
     12
3456789
10111213141516
17181920212223
24252627282930
31      
  12345
6789101112
13141516171819
20212223242526
2728293031  
       
1234567
891011121314
15161718192021
22232425262728
2930     
       
    123
45678910
11121314151617
18192021222324
25262728293031
       
  12345
6789101112
13141516171819
20212223242526
27282930   
       
      1
2345678
9101112131415
16171819202122
23242526272829
3031     
   1234
567891011
12131415161718
19202122232425
262728293031 
       
 123456
78910111213
14151617181920
21222324252627
282930    
       
     12
3456789
10111213141516
17181920212223
24252627282930
31      
   1234
567891011
12131415161718
19202122232425
2627282930  
       
1234567
891011121314
15161718192021
22232425262728
293031    
       
1234567
891011121314
15161718192021
22232425262728
       
       
    123
45678910
11121314151617
18192021222324
25262728293031
       
 123456
78910111213
14151617181920
21222324252627
28293031   
       
      1
2345678
9101112131415
16171819202122
23242526272829
30      
   1234
567891011
12131415161718
19202122232425
262728293031 
       
 123456
78910111213
14151617181920
21222324252627
282930    
       
     12
3456789
10111213141516
17181920212223
24252627282930
31      
  12345
6789101112
13141516171819
20212223242526
2728293031  
       
1234567
891011121314
15161718192021
22232425262728
2930     
       
    123
45678910
11121314151617
18192021222324
25262728293031
       
  12345
6789101112
13141516171819
20212223242526
27282930   
       
      1
2345678
9101112131415
16171819202122
23242526272829
3031     
     12
3456789
10111213141516
17181920212223
242526272829 
       
  12345
6789101112
13141516171819
20212223242526
2728293031  
       
      1
2345678
9101112131415
16171819202122
23242526272829
3031     
    123
45678910
11121314151617
18192021222324
252627282930 
       
 123456
78910111213
14151617181920
21222324252627
28293031   
       
      1
2345678
9101112131415
16171819202122
23242526272829
30      
   1234
567891011
12131415161718
19202122232425
262728293031 
       
1234567
891011121314
15161718192021
22232425262728
293031    
       
     12
3456789
10111213141516
17181920212223
24252627282930
       
  12345
6789101112
13141516171819
20212223242526
2728293031  
       
1234567
891011121314
15161718192021
22232425262728
2930     
       
    123
45678910
11121314151617
18192021222324
25262728293031
       
    123
45678910
11121314151617
18192021222324
25262728   
       
 123456
78910111213
14151617181920
21222324252627
28293031   
       
     12
3456789
10111213141516
17181920212223
24252627282930
31      
   1234
567891011
12131415161718
19202122232425
2627282930  
       
1234567
891011121314
15161718192021
22232425262728
293031    
       
     12
3456789
10111213141516
17181920212223
24252627282930
       
  12345
6789101112
13141516171819
20212223242526
2728293031  
       
      1
2345678
9101112131415
16171819202122
23242526272829
3031     
    123
45678910
11121314151617
18192021222324
252627282930 
       
 123456
78910111213
14151617181920
21222324252627
28293031   
       
      1
2345678
9101112131415
16171819202122
23242526272829
30      
   1234
567891011
12131415161718
19202122232425
262728293031 
       

RECOMMENDED

Economy Picks Up

Policy rate increases to 28%; cost of loans to surge

January 30, 2023
Gulf Technology Systems, Ghana To Collaborate On Agricultural and Industrial Projects

Gulf Technology Systems, Ghana To Collaborate On Agricultural and Industrial Projects

January 30, 2023

MOST VIEWED

Plugin Install : Popular Post Widget need JNews - View Counter to be installed
  • Energy
  • Health
  • Auto
  • International
  • Subscription Form
  • Staff Webmail
  • About Us
  • Contact Us
Call us: +233 24 432 0902 | info@goldstreetbusiness.com

© Copyright © 2020 goldstreetbusiness.com. All Rights Reserved.

No Result
View All Result
  • Homepages
    • Homepage Layout 1
    • Homepage Layout 2
  • World
  • Business
  • Technology
  • Health

© Copyright © 2020 goldstreetbusiness.com. All Rights Reserved.

Login to your account below

Forgotten Password?

Fill the forms bellow to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.