Data Protection Commission
The Data Protection Commission is an independent statutory body established under the Data Protection Act, 2012 (Act 843). The objective of the commission is to protect the privacy and personal data of the individual by regulating the processing of personal information; and to provide the process to obtain, hold, use, or disclose personal information.
The functions of the Commission are to keep and maintain the data protection register; implement and monitor compliance with the provisions of the Act and make the administrative arrangements it considers appropriate for the discharge of its duties. The Commission can also investigate any complaint under the Data Protection Act and determine it in the manner the Commission considers fair.
Data Protection Register
The Data Protection Act has established a register of data controllers known as the Data Protection Register. By the provisions of the Act, all data controllers shall register with the Commission.
A data controller means a person, company, institution, or organisation who either alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes and how personal data is processed or is to be processed.
A data controller shall apply to the Commission for inclusion in the Register. Where a data controller intends to keep personal data for two or more purposes, the Commission shall make separate entries for each purpose in the Register.
The Commission shall register an applicant if the applicant has satisfied the conditions required for registration and provide the successful applicant with a certificate of registration.
A person who fails to register as a data controller but processes personal data commits an offence and is liable on summary conviction to a fine of not more than two hundred and fifty penalty units or a term of imprisonment of not more than two years or to both.
Recent Updates on Defaulting Organisations
On the 26th of January 2022 at a Data Protection Conference, the Executive Director of the Data Protection Commission, Patricia Adusei-Poku stated that the Commission is set to begin the prosecution of Data Controllers that have refused to register with the Commission or renew their data protection licences.
The Data Protection Commission explained that there would be a grace period (dates not confirmed) to allow data controllers register or renew their licences.
After the grace period ends, all remaining defaulters would be served with ‘Enforcement Notices’ requiring the data controller to;
- take or refrain from taking the steps specified within the notice;
- refrain from processing any personal data or personal data of a description specified in the notice; or
- refrain from processing personal data in a manner specified in the notice.
The Data Protection Act states that a person who fails to comply with an enforcement notice commits an offence and is liable on summary conviction to a fine of not more than one hundred and fifty penalty units or to a term of imprisonment of not more than one year or to both.
In addition, the Commission is currently in talks with the Chief Justice of Ghana to create a fast-track High Court to hear Data Protection related matters. This is to aid in the quick prosecution of bodies that contravene the Data Protection Act and the requirements of the enforcement notices.
Lastly, the Commission intends to impose the hiring of data protection supervisors on companies that have breached the Data Protection Act.
A data supervisor is a person who is responsible for the monitoring of the data controller’s compliance with the provisions of the Act. The Commission shall provide the criteria for qualification to be appointed as a data protection supervisor. Thus, a person shall not be appointed as a data protection supervisor unless the person satisfies the criteria set by the Commission.
The data supervisor would be an employee of the data controller, not the Commission.