Ghana’s Data Protection Law In The Digital Age
By Mawutodzi K. Abissath
There is this Ghanaian proverb which admonishes: “When the rhythm of the drum beat changes, the dance movement must also change accordingly.”
Information Communication Technology (ICT) has revolutionalised the way mankind has been doing things from birth to death. So, any nation that fails to change in accordance with technology should not blame Jesus if its citizens’ biometric data are not recorded and stored in the database in the kingdom of heaven. But the heavenly database which is known as “Akashic” record requires neither laptop nor digital camera to process philosophically.
It was in 1998 that the then Ministry of Communications now Ministry of Information first initiated a move to formulate a comprehensive ICT Policy for Ghana. Eventually, it was in 2004 that the draft policy document was finalised and legally christened as Ghana ICT Policy for Accelerated Development (ICT4AD).
Ghana has since made some strides in the field of ICT. For instance, the Ghana-India Kofi Annan Centre for Excellence in ICT (AITI-KACE) has seen the light. Over 90 fully operational Community Information Centre (CICs) aimed at bridging the digital divide between the urban and rural centres in most of the 170 districts are in place.
At least over 60.000 laptops are being distributed to various schools and there is a dream to supply Ghanaian teachers also with free laptops throughout the country.
Further, plans are far advanced for the realisation of Digital Terrestrial Television Broadcasting system to replace analogue television by 2014, in accordance with the International Telecommunications Union’s global policy.
A modern National Data Centre complex is under construction here in Accra where all relevant data from archaeology to zoology, from the Gold Coast to Ghana will be stored upon completion. But it must be admitted that Ghana still has some kilometres to travel when it comes to equitable spread of ICT infrastructure. This is because some rural schools are still learning ICT without having seen a computer before, let alone touching an electronic mouse.
What is commendable, though, is the fact that before the National Data Centre becomes operational, Ghana’s Ministry of Communications has adopted some pragmatic measures, by taking legal steps to ensure legal protection of data expected to be stored at the Data Centre. This, the Ministry has done by championing the enactment of the Data Protection Act, 2012 (Act 843) passed by Ghana’s Parliament in March 2012.
The object of this piece is not to pretend to be providing legal interpretation of the law. That is the responsibility of the Supreme Court of Ghana. Our duty is to inform and educate the people of Ghana that there is a law that seeks to protect their privacy and personal data. Thus, when filling in legal documents such as Passport, visa, medical or admission forms etc, they must know what to write and what not to about themselves. Period!
When the Law becomes fully operational, Ghanaians will have the right to refuse to give some information or data about themselves or their relatives when they are not sure what the information or data was going to be used for. This is very crucial especially when filling in online application forms.
Irononically, at the time of writing this article, the Coalition on Right to Information Ghana, a civil society group, seems to be on collision course with Ghana’s Parliament for pussy-footing the passage of the Right to Information Bill.
It appears this particular Bill was put before Parliament before the Holy-Ghost descended on the apostles in Jerusalem some 2000 years ago. And yet, no one knows when a traditional birth attendant will be trained in basic computer literacy to deliver the Bill fast online to the concerned coalition members and Ghanaians.
On the other hands, is it enough to insist on one’s right to information only? Ghanaians also have the birth right to know their legal right to decide what type of data they ought to give about themselves when, how, why, for what purpose and to whom. That is the essence of the Data Protection Act, 2012 (Act 843).
Against this backdrop, on Thursday, June 14, 2012, the Ministry of Communications, under the e-Ghana project, organised a one day workshop to educate various MDAs and private sector organisations on the Data Protection Act at the La-Palm Royal Beach Hotel here in Accra.
The event which was themed “Ensuring the Protection of Privacy for the Information Age” was expected to have assembled over 300 participants. Unfortunately, however, as typical of the Ghanaian lukewarm attitude and apathy towards certain urgent issues of national dimension, only a hand-full of invited stakeholders came for the programme.
But day turned out to be very, very productive indeed! For the first time some of us had the privilege of being tutored and mentored by legal dynamos like Professor Kofi Kumados of this world. Prof. Kumado, a Constitutional Lawyer of global eminence, and Dean of Faculty of Law, University of Ghana, descended from his ivory tower, and came down on earth to dissect the anatomy of the Data Protection Law to the appreciation of some of us lay-mortals.
We were schooled that the Data Protection Act (843) seeks to give practical meaning to Article 18 (2) of the 1992 Constitution on the privacy of communication in the digital age.
Article 18 (2) stipulates: “No person shall be subjected to interference with the privacy of his home, property, correspondence or communication except in accordance with law and as may be necessary in free and democratic society for public safety or economic well-being of the country, for the protection of health, or morals, for the prevention of disorder or crime or for the protection of the right or freedoms of others.”
Thus, Article 1 (1) of Act 843 established the Data Protection Commission to operationalise Article 18 (2) quoted above. It says, “There shall be established a Data Protection Commission to protect the privacy of the individual and personal data by regulating the processing of personal information, to provide the process to obtain, hold, use or disclose personal information and for related matters.”
Article 3 mandates the Commission among other things “to implement and monitor compliance with provisions of this Act (843); make administrative arrangements it considers appropriate for the discharge of its duties.”
The Law further authorises the Commission “to investigate any complaints and determine it in the manner the Commission considers fair, and keep and maintain the Data Protection Register.”
Touching on journalism, literature and art, Article 64 (1) stipulates, “A person shall not process personal data unless (a) the processing is undertaken by a person for the publication of a literary or artistic material; (b) the data controller reasonably believes that publication would be in the public interest; and (c) the data controller reasonably believes that, in all the circumstances, compliance with the provision is incompatible with the special purposes.”
A fundamental aspect of the Law every Ghanaian must know is what is referred to as “Data Subject” and “Date Controller.” For a layman’s understanding, Data Subject refers to a person whose data or information is being collected or processed; while Data Controller denotes a person or institution collecting the data or information for whatever purposes.
For analogy, let’s say, if Kofi is a foot-ball player filling in a form to join the Agro Ventures Foot-ball Cub, then Kofi is a Data Subject. And the Agro Ventures Foot-ball Club, which is collecting Kofi’s data as a player is the Data Controller.
According to the Law (Act 843), for Agro Ventures to qualify and be recognised as a Data Controller in Ghana, they must register with the Data Protection Commission. And it was explained that a person or an institution can register both as a Data Subject and a Data Controller as well.
Act (843) requires that, when the Data Protection Commission comes into being, all MDAs will have to register with the Commission as Data Controllers because they already have data of their employees.
Ghana is not the first country on this planet of technology to see the need for Data Protection Law. Advanced countries like the USA, Europe and Singapore, have been operating data protection regimes for generations. And yet they are still confronted with some data protection challenges.
“For example, a recent survey by Privacy and American Business showed that 81% of Net users, and 79% of users who buy products and services on the Net, expressed concern about potential threats to their personal privacy while online.”
The research indicates that, “While only 6% of Net users said that their online privacy had been violated, 70% to 72% were worried about unauthorised access and use of their e-mails, web site tracking and personal profiling,” write Louis Harris & Associates and Dr. Alan Westin, "E-Commerce & Privacy: What Net Users Want" (1998).
Ghana’s Ministry of Communications in this respect must be applauded for being proactive and initiating the Data Protection Act (843) even before the proposed National Data Centre becomes operational.
Nevertheless, it is suggested that the Ministry must expedite action on the actual inauguration of the Data Protection Commission. But it is instructive to learn that a committee has already been set up to work out the modalities. Ghana must start doing things according to the exigencies of the digital age.
The author is Deputy Director/Head of IT, Information Services Dept., Ministry of Information, Accra, Ghana