Data Protection Act, 2012

The Data Protection Act, 2012 (The Act) is legislation enacted by the Parliament of the Republic of Ghana to protect the privacy and personal data of individuals. It regulates how personal information is acquired, kept, used or disclosed by data controllers and data processors by requiring compliance with certain data protection principles. Non-compliance with provisions of the Act may attract civil liability, criminal sanctions, or both, depending on the nature of the infraction. The Act also establishes a Data Protection Commission, which is mandated to ensure compliance with its provisions, as well as maintain the Data Protection Register.

History
The Act was first introduced in the Ghana Parliament in 2010, but was subsequently withdrawn by the then Minister of Communications, Haruna Iddrisu, to be revised. Parliament passed the bill in 2012, which then received Presidential assent on May 10, 2012. The notice of the Act was gazetted on 18 May 2012, and in accordance with Section 99, the Act came into effect on 16 October 2012.

Structure
The Act is made up of 99 sections that are arranged under various headings, as follows:

Key terms
Key terms in the Act are defined in the interpretation section, section 96. Unless the context otherwise requires, section 96 provides the following definitions to the notable terms:

“data controller” means a person who either alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed

“data processor” in relation to personal data means any person other than an employee of the data controller who processes the data on behalf of the data controller

“data subject” means an individual who is the subject of personal data

“foreign data subject” means data subject information regulated by laws of a foreign jurisdiction sent into Ghana from a foreign jurisdiction wholly for processing

“personal data” means data about an individual who can be identified, (a) from the data, or (b) from the data or other information in the possession of, or likely to come into the possession of the data controller

“processing” means an operation or activity or set of operations by automatic or other means that concerns data or personal data and the (a) collection, organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or other means available, or (d) alignment, combination, blocking, erasure or destruction of the information or data

“recipient” means a person to whom data is disclosed, including an employee or agent of the data controller or the data processor to whom data is disclosed in the course of processing the data for the data controller, but does not include a person to whom disclosure is made with respect to a particular inquiry pursuant to an enactment

“special purposes” means any one or more of the following: (a) the purpose of journalism, (b) where the purpose is in the public interest, (c) artistic purposes, and (d) literary purposes

Application of the Act
The Act applies where
 * 1) the data controller is established in Ghana and the data is processed in Ghana,
 * 2) the data processor is not established in Ghana, but uses equipment, or uses the services of a data processor carrying on business in Ghana, to process data, or
 * 3) the information being processed originates either partly or wholly from Ghana. (Section 45(1))

Data which originates externally and merely transits through Ghana is, however, not protected by the Act (Section 45(4)). The Act applies to the Ghanaian Government, and for that purpose, each government department is treated as a data controller. (Section 91)

Data protection principles
The Act provides for 8 principles that data processors have to take into account in processing data, in order to protect the privacy of individuals. These principles are similar to the OECD Guidelines and the Data Protection Directive of the European Union.

The data protection principles are enumerated at Section 17 as follows:
 * 1) accountability
 * 2) lawfulness of processing
 * 3) specification of purpose
 * 4) compatibility of further processing with purpose of collection
 * 5) quality of information
 * 6) openness
 * 7) data security safeguards, and
 * 8) data subject participation.

Accountability
The accountability principle of data protection is seen generally as a fundamental principle of compliance. It requires that a data controller should be accountable for compliance with measures which give effect to data protection principles.

The Act requires a person who processes personal data to ensure that the data is processed without infringing the rights of the data subject, and in a lawful and reasonable manner (Section 18(1)). Where the data to be processed involves a foreign data subject, the data controller or processor must ensure that the personal data is processed according to the data protection laws of the originating jurisdiction (Section 18(2)).

Lawfulness of processing
Data processing is lawful where the conditions that justify the processing are present.

The Act has a minimality provision, which requires that personal data can only be processed if the purpose for which it is to be processed is necessary, relevant, and not excessive. (Section 19)

The prior consent of a data subject is also required before personal data is processed. (Section 20) This requirement is, however, subject to exceptions. For instance, consent is not required where the processing is necessary for the purpose of a contract to which the data subject is a party; authorised or required by law; to protect a legitimate interest of the data subject; necessary for the proper performance of a statutory duty; or necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied (Section 20(1)). Consent is also required for the processing of special personal data (Section 37(2)(b)). A data subject may also object to the processing of personal data (Section 20(2)), and the data processor is required to stop processing the data upon such objection (Section 20(3)).

In terms of retention of records, the Act prohibits the retention of personal data for a period longer than is necessary to achieve the purpose of the collection, unless the retention is required by law, is reasonably necessary for a lawful purpose related to a function or activity, is required for contractual purposes, or the data subject has consented to the retention. (Section 24(1)) The retention requirement is, however, not applicable to personal data that is kept for historical, statistical, or research purposes (Section 24(2)), except that such records must be adequately protected against access or use for unauthorized purposes (Section 24(3)). Where a person uses a record of personal data to make a decision about the data subject, the data must only be retained for a period required by law or a code of conduct, and where no such law or code of conduct exists, for a period which will afford the data subject an opportunity to request access to the record. Upon the expiration of the retention period, the personal data must, however, be deleted or destroyed in a manner that prevents its reconstruction in an intelligible form, or the record of the personal data must be de-identified. (Sections 24(4), (5), (6))

A data subject may also request that a record of personal data about that data subject held by a data controller be destroyed or deleted where the data controller no longer has the authorisation to retain that data. (Section 33(1) (b))

Specification of purpose
The Act requires that a data controller who collects personal data do so for a specific purpose that is explicitly defined and lawful, and is related to the functions or activity of the person. (Section 22) The data controller who collects data is also required to take necessary steps to ensure that the data subject is aware of the purpose for which the data is collected. (Section 23)

Compatibility of further processing
The Act requires that where a data controller holds personal data collected in connection with a specific purpose, any further processing of that data must be compatible with the purpose for which the personal data was initially obtained. (Section 25(1))

The circumstances under which processing meets the compatibility requirement include where the data subject consents to the further processing of the information, the data is in the public domain, or further processing is necessary for purposes of fighting crime, for legislation that concerns protection of tax revenue collection, the conduct of court proceedings, protection of national security, public health, or the life or health of the data subject or another person. (Section 25(3))

Quality of information
Under section 26 of the Act, a data controller who processes personal data must ensure that the data is complete, accurate, up to date and not misleading, having regard to the purpose for which that data is collected or processed.

Openness
The openness principle ensures that individuals know about, and can participate in enforcing their rights under a data protection regime.

Section 27(1) makes it mandatory for a data controller who intends to process personal data to register with the Data Protection Commission. The data controller who intends to collect data must also ensure that the data subject is aware of the nature of data being collected, the persons responsible for the collection, the purpose of the collection as well as whether or not the supply of data is mandatory or discretionary, among other things. (Section 27(2))

Where the data is collected from a third party, the Act requires the data subject to be informed before the data is collected, or as soon as practicable afterwards. (Section 27(3))

The Act provides circumstances under which the notification requirement does not apply, and they include where it is necessary to avoid compromising law enforcement, protect national security, or where it relates to the preparation or conduct of legal proceedings. (Section 27(4))

Also, although it is not mandatory, a data controller can appoint a data protection supervisor, who would be responsible for monitoring compliance with the Act. (Section 58(1), (2)) The data protection supervisor may be an employee (Section 58(1)) and must meet the qualification criteria set out by the Data Protection Commission. (Section 58(7))

Data security safeguards
Under the Act, a data controller has a duty to prevent the loss of, damage to, or unauthorized destruction of personal data, as well as the unlawful access to or unauthorized processing of personal data. The data controller must therefore adopt appropriate, reasonable, technical, and organizational means to take necessary steps to ensure the security of personal data in its possession or control. (Section 28(1))

The data controller is also required to take reasonable measures to identify and forestall any reasonably foreseeable risks, and ensure that any safeguards put in place are effectively implemented and updated continually. (Section 28(2))

The data controller must also observe both generally accepted and industry specific best practices in securing data (Section 28(3)), as well as ensure that data processors comply with security measures. (Section 30) Where the data processor is not domiciled in Ghana, the data controller must ensure that the data processor complies with the relevant laws of its country. (Section 30(4))

The Act also requires the data controller to, as soon as reasonably practicable, notify the Data Protection Commission and the data subject of any security breaches to its system, and take steps to ensure that the integrity of the system is restored. (Section 31)

Data subject participation
A data subject can, subject to proving the data subject's identity, request a data controller to confirm if the data controller holds that data subject's personal data, describe the nature of the personal data held, and the identity of any third party who has or has previously had access to that data (Section 32(1)). The request must, however, be made in a reasonable manner, within a reasonable time, after paying any prescribed fees and in a form that is generally understandable (Section 32(2)).

A data subject can also request a data controller to correct or delete personal data about the data subject that is held by the data controller and which is inaccurate, irrelevant, excessive, out of date, incomplete, or misleading (Section 33(1)). Upon receipt of the request, the data controller must either comply with the request or provide the data subject with credible evidence in support of the data (Section 33(2)).

Special personal data
Under section 96, "special personal data" means personal data which consists of information that relates to (a) the race, colour, ethnic or tribal origin of the data subject; (b) the political opinion of the data subject; (c) the religious beliefs or other beliefs of a similar nature, of the data subject; (d) the physical, medical, mental health or mental condition or DNA of the data subject; (e) the sexual orientation of the data subject; (f) the commission or alleged commission of an offence by the individual; or (g) proceedings for an offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court in the proceedings.

The Act prohibits the processing of data which relates to children under parental control, or to the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life or criminal behaviour of an individual (Section 37(1)).

Special personal data may, however, be processed where it is necessary or the data subject has given consent to the processing (Section 37(2)). Processing of personal data is necessary where it is to exercise a right, or fulfil an obligation conferred or imposed by law on an employer (Section 37(3)). Special personal data relating to data subjects may also be processed where it is necessary for the protection of the vital interest of the data subject, where it is impossible for the data subject to give consent, or the data controller cannot reasonably be expected to obtain consent, or consent by the data subject has been unreasonably withheld. (Section 37(4))

Processing special personal data is presumed to be necessary where it is required for the purpose of legal proceedings, legal advice and for medical purposes, where it is undertaken by a health professional and subject to a duty of confidentiality between the patient and health professional. (Section 37(6))

The prohibition on processing special personal data relating to religious or philosophical beliefs does not apply where the processing is carried out by a religious organisation of which the data subject is a member or by an institution founded upon the religious or philosophical principles with respect to persons associated with that institution and is necessary to achieve the aims of the institution (Section 38(1)).

Rights of data subjects
Under the Act, a data subject has the right to have his personal data corrected (Section 33); to access his personal data (Section 35); to prevent the processing of personal data that causes or is likely to cause unwarranted damage or distress to him (Section 39); to prevent processing of personal data for purposes of direct marketing (Section 40); to require a data controller not to take a decision that would significantly affect him solely on the processing by automatic means (Section 41); to exempt manual data (Section 42); to be compensated for the data controller's failure to comply with the provisions of the Act, upon proof of damages (Section 43); and to have inaccurate data rectified (Section 44).

The Data Protection Commission
The Act establishes a Data Protection Commission with two main objects:
 * 1) Protect the privacy of the individual and personal data by regulating the processing of personal information, and
 * 2) Provide the process to obtain, hold, use or disclose personal information. (Section 2)

The functions of the DPC are to: (Section 3)
 * 1) Implement and monitor compliance with the provisions of the Act,
 * 2) Make administrative arrangements it considers appropriate for the discharge of its duties,
 * 3) Investigate and fairly determine any complaints made under the Act, and
 * 4) Keep and maintain the Data Protection Register.

The DPC is governed by an 11-member board that is appointed by the President of Ghana, and the Act provides for certain specific institutional representation. (Section 4) Board members are allowed to hold office for a period not exceeding three years and cannot be appointed to more than two terms. (Section 5(1)) Allowances for Board members are approved by the Minister responsible for Communications in consultation with the Minister responsible for Finance. (Section 9) The board was officially sworn in on 1 November 2012 and is currently chaired by Prof. Justice Samuel Kofi Date-Bah, a retired justice of the Supreme Court of Ghana. The DPC was officially launched on 18 November 2014.

The Act also mandates the President to appoint an Executive Director (Section 11) who shall be responsible for the day-to-day administration of the DPC, as well as the implementation of the decisions of the Board. (Section 12) Mrs. Teki Akuetteh Falconer is the current Executive Director.

Under the Act, the sources of the DPC's funds include money approved by parliament, donations and grants, money that accrues to the DPC in the performance of its functions and any money that the Minister responsible for Finance approves. (Section 14)

The DPC is also granted power to serve enforcement notices on data controllers requiring them to refrain from contravening the data protection principles. (Section 75) The enforcement notice may be cancelled or varied either by the DPC, on its own motion, or upon application by a recipient of the notice. (Section 76)

The Data Protection Register
The Act provides for the establishment of a Data Protection Register, which is to be maintained by the DPC and in which data controllers are required to register. (Section 46) Applications for registration as a data controller are to be made in writing, and the Act provides for certain particulars, such as the business name and address of the applicant, a description of the personal data to be collected and a description of the purpose for the processing of personal data. (Section 47(1)) Knowingly supplying false information amounts to an offence punishable by a fine or imprisonment. (Section 47(2)) Also, a separate entry in the register must be made for each separate purpose for which the data controller wishes to process the data. (Section 47(3))

The DPC has the right to refuse to grant an application where the particulars provided for inclusion in an entry in the register are insufficient, the data controller has not been able to provide the appropriate safeguards for the protection of the privacy of the data subject, and in the opinion of the DPC the applicant does not merit the grant of the registration. (Section 47(1)) Upon refusing a registration application, the DPC is required to inform the applicant of the reasons for the refusal, and in such an event, the applicant may apply to the High Court for judicial review of the decision. (Section 47(2))

Registration as a data controller is subject to renewal every two years. (Section 50) The DPC also has the power to cancel a registration for good cause. (Section 52) It is an offence to process personal data without registering. (Section 56)

The Act also provides for access by the public to the register, upon the payment of the prescribed fee. (Section 54)

General exemptions
The Act provides several exemptions for different purposes as follows: The processing of personal data is exempt from the provisions of the Act where it relates to national security (Section 60) and in relation to crime and taxation (Section 61); the disclosure of personal data relating to health, education and social work (Section 61) is prohibited, unless it is required by law.

The provisions of the Act are also not applicable for the protection of members of the public against specified loss or malpractice provisions. (Section 63)

The processing of personal data is prohibited unless the processing is undertaken for the purpose of a literary or artistic material and the data controller reasonably believes the publication would be in the public interest and that compliance with the provision is incompatible with the special purposes. (Section 64)

The provisions on non-disclosure do not apply where the disclosure is required by any law or by a court. (Section 66) The Act does not apply where data is processed only for the purpose of managing an individual's domestic affairs. (Section 67)

The data protection principles do not apply to personal data if it consists of references given in confidence, for the purposes of education, appointment to an office or the provision of a service by the data subject. (Section 68)

The subject information provisions of the Act do not apply to personal data where it is likely to prejudice the combat effectiveness of the Armed Forces (Section 69); where it is processed to assess the suitability of a person for judicial appointment or to confer a national honour (Section 70); or if it consists of information in respect of a claim to professional privilege or confidentiality. (Section 74)

Personal data is exempt from the provisions of the Act where it relates to examination marks processed by the data controller and is in relation with the individual's results (Section 72), or consists of information recorded by a candidate for academic purposes. (Section 73)

Miscellaneous provisions
The Act prohibits the purchase of personal data and the knowing or reckless disclosure of personal data, and the contravention of this provision amounts to an offence. (Section 88)

The Act also makes the sale, the offering to sell, and the advertising of the sale of personal data an offence. (Section 89)

The Minister responsible for communications may, in consultation with the DPC, make regulations for the effective implementation of the Act.