Listen to this article now
We may be living in a generation that knows no privacy and yet if there was such a time we ought to strive for such constructs, now will be most appropriate. The problem, as I see it, is networks! Networks, in its primary and technical sense, have become the reason for our hyper interconnected world. All critical infrastructure ranging from energy, transportation, banking, and finance are now enabled by computer networks. The blessings of a hyperconnected environment have become the challenge for privacy. The central evolving question in law and policy is therefore how we secure the CIA (Confidentiality, Integrity and Availability) of both the networks and the information held by the computers. The threat to this new reality of a highly connected world is enormous and ranges from access intrusions, aka. hacks, all down to more benign but important issues of sharing one’s own personal data with the proliferation of social media. Social Engineering has become as dangerous in modern times as hacks and so today I focus on the laws that regulate Data Protection in Ghana with the view that there may yet be left some privacy, however philosophical, in our world today.
Privacy is argued as fundamental of all rights, and debates on privacy have much rooted in philosophy dating back to Aristotle’s Publicus versus Privatus distinction where the former is communis whiles the latter personal. The “Right to Privacy” is significantly argued as a Human Right enshrined in the Universal Declaration of Human Rights and in many constitutions including Ghana’s 1992 Constitution. At the minimum, the right circumscribes the right to inviolability of the home and to the secrecy of communications. Article 18(2) reads:
“No person shall be subjected to interference with the privacy of his home, property, correspondence or communication except in accordance with law and as may be necessary in a free and democratic society for public safety or the economic well-being of the country, for the protection of health or morals, for the prevention of disorder or crime or for the protection of the rights or freedoms of others.” (Emphasis Mine)
Without any detailed analysis, it appears the suggested constitutional right to privacy can be “violated” within the law under such widely constructed claw back provision. I often ask, what is protection of morals? Whose morals? And how does that warrant violation of a right so guaranteed as fundamental as the right to privacy? But those questions are for another day.
The more fundamental question for today is the definition of what this constitutional right to privacy means and what its limits of enforceability may be. I am yet to come by any law that defines what “Privacy” is. The closest may be what William Prosser described as “rather definite” violations of privacy rights which are:
- Intrusion upon a person’s seclusion or solitude, or into his private affairs.
- Public disclosure of embarrassing private facts about an individual.
- Publicity placing one in a false light in the public eye.
- Appropriation of one’s likeness for the advantage of another (Prosser 1960, 389).
In Policy, data protection is the process that guarantees privacy of data. Data protection is not a new concept but has become an increasingly important subject with the digital evolution. Data has become a resource as valuable as natural resources (if you disagree, ask the value of one Ghana Card, and a thousand overhead bridges may not compare). The focus of the rules on data protection therefore must be as important as the rules that protect our gold and oil. However, the laws on data protection must however contrast with those public laws that protect access to public goods. Data privacy must protect individual autonomy and the ability of the individual to control access to his personal information.
The Data Protection Act, 2012 (Act 843) defines ‘Data’ in very broad terms which ordinarily is progressive for the laws of Data Privacy. Section 96 reads:
“Data” means information which
(a) is processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or
(d) does not fall within paragraph (a),(b) or (c) but forms part of an accessible record;
The Act 843 which thus establishes a Data Protection Commission, with a central objective “to protect the privacy of the individual and personal data…” can therefore be read broadly to encompass all forms of records accessible in Ghana. It is not in doubt that Personal Data is particularly important to our data protection regimes. “Personal Data” is defined in the law as “data about an individual who can be identified, (a) from the data, or (b) from the data or other information in the possession of, or likely to come into the possession of the data controller.” Our quest is therefore to understand the framework that exists to protect individual privacy and personal data in Ghana.
The first thing noteworthy is that the law adopts both a prescriptive and rule-based approach as well as a principle-based approach to data privacy regulations in Ghana. The Act established eight (8) principles of which any Data Controller may be minded. These principles are laid out in Section 17 of Act 843 and expanded through to Section 26. Section 17 reads:
“A person who processes data shall take into account the privacy of the individual by applying the following principles: (a) accountability (b) lawfulness of processing (c) specification of purpose (d) compatibility of further processing with purpose of collection (e) quality of information (f) openness (g) data security safeguards and (h) data subject participation.”
A principle-based approach to regulation some argue may be non-enforceable but is one I find particularly interesting in the development of the law. Let us at this point find direction in the issues and questions I have come to determine as difficult in the operation of the law. Before I venture into those difficult terrains, however, I wish to provide a useful guide to readers on some rights they are guaranteed under the law.
- Right to Access. Under Section 32 of Act 843, every person has the right to request a data controller to give a description of the personal data which is held by the party including data about the identity of a third party or a category of a third party who has or has had access to the information. This may be very simple information about readers’ data privacy right but an information I hope they find useful in its simplicity. The law gives you the right to know what personal data of yours is held by any data controller and who else may have access to it. If you keep wondering why you receive unsolicited messages, try asking the vendor. As a matter of fact, Section 40 provides that, “A data controller shall not provide, use, obtain, procure or provide information related to a data subject for the purposes of direct marketing without the prior written consent of the data subject.”
- Right to Prevent Processing. Section 39 gives any data subject the right to request a data controller to cease from processing his personal data for a specified purpose or in a specified manner and the data controller shall comply or indicate reasons why it may not be able to comply within 21 days. A right of further recourse may lay with the Data Protection Commission or the Courts. This may be interesting for some institutions sharing data with third parties for purposes of profiling persons for automated decisions like loan provision. This trend of automated decision is further provided for in Section 41. As they say, we watch this space for its evolution.
- Prohibition on Sales of Personal Data. I equally find Section 89 interesting. It reads, “A person who sells or offers to sell personal data of another person commits an offence and is liable on summary conviction to a fine of not more than two thousand five hundred penalty units or to a term of imprisonment of not more than five years or to both.”
- Processing of special personal data prohibited. Unless processing of personal data is necessary, the data subject consents, or is necessary in the exercise or performance of a right or an obligation imposed by law, the law prohibits processing of personal data relating to a child under parental control in accordance with the law, or the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life or criminal behavior of an individual.
Now that these basic rights issues are settled, let us venture the more difficult question of data localisation, residency, and general data transfer requirements. As the cloud becomes the go-to for storage needs with applications and databases resident outside Ghana, the more difficult question for data controllers is, what are their requirements under law as it may pertain to the data collected in Ghana but processed and stored outside Ghana?
To answer this question, the principles become our guide, for which reason I find the principle-based approach to data privacy interesting. Although there appears to be generally no restriction on data transfer outside the jurisdiction in the Data Protection Act, data controllers must ensure that data processors who process personal data for the data controller, establish and comply with the security measures specified under Section 28 of Act 843 as well as the data-subject participation requirement.
A data controller shall only collect the data for a purpose which is specific, explicitly defined and lawful and is related to the functions or activity of the person. Section 18 of the Act requires that a person who processes personal data shall ensure that the personal data is processed a) without infringing the privacy rights of the data subject; (b) in a lawful manner; and (c) in a reasonable manner and a data controller or processor shall in respect of foreign data subjects ensure that personal data is processed in compliance with data protection legislation of the foreign jurisdiction of that subject where personal data originating from that jurisdiction is sent to this country for processing.
It appears all is well and good until one averts her mind to the Electronic Transactions Act, 2008 (Act 772). Section 57 of Act 772 provides that, “The Minister may declare certain classes of information relating to national security or the economic or social wellbeing of the public to be critical electronic record for the purposes of sections 58 to 62.” Section 58 then provides for the registration of these critical databases:
The Minister may by notice in the Gazette determine (a) requirements for the registration of a critical database (b) procedures for the registration of a critical database and (c) any other matter relating to registration.
This provision was further strengthened under Section 35 and 36 of Cybersecurity Act, 2020 (Act 1038). The Provisions for Critical Information Infrastructure suggest a different data protection regime, at least for the databases on which personal data reside for some industries. The data protection law must therefore be read together with the laws that provide for the infrastructure that houses the data in order to fully appreciate the requirement for data residency. Section 35 of Act 1038 reads:
- The Minister may, on the advice of the Authority, designate a computer system or computer network as a critical information infrastructure if the Minister considers that the computer system or computer network is essential for (a) national security, or (b) the economic and social well-being of citizens.
- Where the Minister designates a computer system or computer network as a critical information infrastructure, the Minister shall publish the designation in the Gazette.
- The Minister shall, in making a determination under subsection (1), consider if the computer system or computer network is necessary for
(a) the security, defence or international relations of the country;
(b) the production, preservation or identity of a confidential source of information related to the enforcement of criminal law;
(c) the provision of services directly related to
(i) communications and telecommunications infrastructure;
(ii) banking and financial services;
(iii) public utilities
(iv) public transportation; and
(v) public key infrastructure;
(d) the protection of public safety and public health, including systems related to essential emergency services;
(e) an international business or communication affecting a citizen of Ghana or any other international business in which a citizen of Ghana or the Government has an interest; or
(f) the Legislature, Executive, Judiciary, Public Services or security agencies.
4. The Minister shall, by publication in the Gazette, establish the procedure for the regulation of a critical information infrastructure.
Section 36 of Act 1038 makes it the obligation of the Cyber Security Authority to register critical information infrastructure. On October 1, 2021, the Directive for the Protection of Critical Information Infrastructure (CII) published by the Cyber Security Authority came into force. Among the 15-baseline technical and organisational requirements for owners of critical information infrastructure are the obligation to: implement relevant physical security measures for the physical protection of CII systems and its associated dependent assets and systems, create and keep a risk register which catalogues and profiles the various information and cyber risks targeting the designated CII and ensure that source codes of critical systems are kept in escrow. The real question therefore is, does these requirements apply to a Ghanaian data controller whose database sits in Ireland for any of the industries named by the directive?
The technical conversation of how these requirements may be possible without a localised datacentre can go on and on, but the answer to questions of data transfer and localisation becomes rather nuanced particularly for certain industries. The Directive for the owners of CII also requires them under the incident reporting regime to establish a Point of Contact for reporting cybersecurity incidents and receiving cybersecurity information as well as disclosing and reporting any vulnerabilities identified or discovered through internal or external security audits and assessments, within 72 hours of identifying or discovering the vulnerability.
Ghana’s landscape for data protection is fast growing. The principle-based approach to regulation will empower the Data Protection Commission and the other relevant agencies to implement even bolder directives but the summary of the matter will always remain; individual users have a personal responsibility to valuing and protecting their personal data.
Let us therefore find resolve in some technical admonishments; – you may enjoy cookies, but online cookies are small sometimes executable files, that may give someone a bypass to your personal information; change your passwords as often as you change your bedsheets and by all means, implement a two-factor authentication for whatever platform you consider holds important personal data. In all of this conversation, “scientia potentia est”. If you did not have a Latin teacher, “Knowledge” they say, “is Power”, so learn, become aware of the trends with digital evolution, make deliberate choices and informed decisions about sharing your personal data and do not become the product unknowingly!
My name is Yaw Sompa, I am a lawyer, an enterprise risk practitioner, and a certified information security master & trainer.