Data Protection Act

OVERVIEW OF  DATA PROTECTION ACT, 2012 (ACT 843)

The Data Protection Act, 2012 (Act 843) sets out the rules and principles governing the collection, use, disclosure and care for your personal data or information by a data controller or processor. It recognises a person’s right (data subject rights)  to protect their personal data or information by mandating a data controller or processor to process (collect, use, disclose, erase, etc) such personal data or information in accordance with the individual’s  rights. The Act also established the Data Protection Commission as an independent statutory body to ensure and enforce compliance. 


WHY DATA PROTECTION?

In Ghana, the recognition of the right to privacy with respect to the processing of personal data or information led to the passage of the Act 843 to further guarantee the right to privacy enshrined under Article 18(2) of the 1992 Constitution.

Large amounts personal data generated in the country are kept across servers, networks and various filing systems in different locations (electronically & manually), locally and abroad.  These have the potential of being shared by different legal and natural persons, across borders and  in a manner that the data subject could not have envisaged at the time the initial information  is given. These information systems used in the collection and storage of such personal information can therefore pose considerable challenges to one’s right to privacy. As this trend continues to grow rapidly with progressively sophisticated technology with considerable abilities to hold large amounts of information, it is necessary to address privacy concerns with data protection laws.

HOW DOES ACT 843 WORK?

The Act provides standard principles that must be complied with by all who process personal information across the country and beyond. The law applies to all forms of personal data or information stored on both electronic and non-electronic platforms.

The Act is premised on the fundamental rule that all who process personal data must take into consideration the right of that individual to the privacy of his or her communications. This recognition by a data controller or processer should lead to the application of the following Eight (8) Basic Principles whiles processing such information.


    • Accountability,
    • Lawfulness Of Processing,
    • Specification Of Purpose,
    • Compatibility Of Further Processing With Purpose Of
      Collection,
    • Quality Of Information,
    • Openness,
    • Data Security Safeguards, and,
    • Data Subject Participation.

For further explanations on the principles, click HERE

 

WHEN DOES THE DATA PROTECTION ACT COME INTO EFFECT?

The Act was assented to in May 2012 and came into force in accordance with Section 99, Act 843 on 16th October 2012. Registration of the Data Controllers and Data Processors will start from 1st January 2015. Prior to registration, the Commission urges all data controllers and processors to start self-regulatory processes to ensure their compliance by reviewing their data protection polices in line with the Act.

The Data Protection Act, 2012. can be downloaded from the link below: