The Data Protection Act, 2012 (Act 843) protects individual privacy and personal data by regulating the collection, use, disclosure, adaptation or destruction of personal data and providing procedures for the processing of personal data.
This refers to data about an individual from which the identity of the individual can be determined, or which, together with other information in the possession of the data controller, makes it possible to identify the individual.
A data controller is a person who determines the purposes for and the manner in which personal data is to be processed. The Act applies to a data controller:
Yes. A data processor is a person who processes personal data on behalf of a data controller. Processing of data involves the collection, organisation, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, blocking, erasure or destruction of the data.
Yes, a data controller who controls the processing of personal data originating from Ghana, is required to register with the Data Protection Commission within 20 days of commencement of business. This registration must be renewed every two years.
A data controller can register with the Data Protection Commission by filling and submitting a form which requires the provision of the relevant details of the data controller and information about the type, processes, purpose etc. of the data that it intend to collect and process.
No, a data processor is not required to register with the Data Protection Commission. However, a data processor must ensure that personal data is processed in a lawful and reasonable manner and without infringing the privacy rights of the data subject.
To enable a data controller to lawfully collect personal data, the data subject must be made aware of the following:
Personal data must be processed in a lawful and reasonable manner and without infringing the privacy rights of the data subject. Processing of personal data should be necessary, relevant and not excessive. A data controller who records personal data shall not retain the personal data for a period longer than is necessary for the purpose for which the data is collected. Additionally, a data controller shall take necessary steps to ensure the integrity and security of personal data that it collects and processes. A person shall not process the personal data of a data subject without the consent of the data subject, unless the purpose for which the personal data is processed is
Yes, the data subject has the right to ask for information held about him from a data controller. This is known as subject access request.
Yes, the data subject may object to the processing of personal data. Where a data subject objects to the processing of personal data, the person who processes the personal data must stop the processing of the data.