Data Protection FAQs in Ghana
The Data Protection Act, 2012 (Act 843) protects individual privacy and personal data by regulating the collection, use, disclosure, adaptation or destruction of personal data and providing procedures for the processing of personal data.
- What is personal data?
This refers to data about an individual from which the identity of the individual can be determined, or which, together with other information in the possession of the data controller, makes it possible to identify the individual.
- Who is a data controller?
A data controller is a person who determines the purposes for and the manner in which personal data is to be processed. The Act applies to a data controller:
- who is established in Ghana and processes data in the country;
- who is not established in Ghana but uses equipment or a data processor carrying on business in the country to process the data; or
- who controls the processing of data which originates partly or wholly from Ghana.
- Is a data controller different from a data processor?
Yes. A data processor is a person who processes personal data on behalf of a data controller. Processing of data involves the collection, organisation, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, combination, blocking, erasure or destruction of the data.
- Is a data controller required to register with the Data Protection Commission?
Yes, a data controller who controls the processing of personal data originating from Ghana, is required to register with the Data Protection Commission within 20 days of commencement of business. This registration must be renewed every two years.
- How does a data controller register with the Data Protection Commission?
A data controller can register with the Data Protection Commission by filling and submitting a form which requires the provision of the relevant details of the data controller and information about the type, processes, purpose etc. of the data that it intend to collect and process.
- Is a data processor required to register with the Data Protection Commission?
No, a data processor is not required to register with the Data Protection Commission. However, a data processor must ensure that personal data is processed in a lawful and reasonable manner and without infringing the privacy rights of the data subject.
- What must the data subject be told before personal data is collected?
To enable a data controller to lawfully collect personal data, the data subject must be made aware of the following:
- The nature of the data being collected;
- The name and address of the person responsible for the collection;
- The purpose for which the data being collected is required;
- Whether or not the supply of the data by the data subject is discretionary or mandatory;
- The consequences of failure to provide the data;
- The authorised requirement for the collection of the information or the legal requirement for its collection
- The recipient of the data; and
- The existence of the right of access to and the right to request rectification of the data collected.
- How should personal data be processed?
Personal data must be processed in a lawful and reasonable manner and without infringing the privacy rights of the data subject. Processing of personal data should be necessary, relevant and not excessive. A data controller who records personal data shall not retain the personal data for a period longer than is necessary for the purpose for which the data is collected. Additionally, a data controller shall take necessary steps to ensure the integrity and security of personal data that it collects and processes. A person shall not process the personal data of a data subject without the consent of the data subject, unless the purpose for which the personal data is processed is
- necessary for the purpose of a contract to which the data subject is a party;
- authorised or required by law;
- necessary to protect a legitimate interest of the data subject;
- necessary for the proper performance of a statutory duty; or
- necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied
- Can the data subject access personal information that is collected by a data controller?
Yes, the data subject has the right to ask for information held about him from a data controller. This is known as subject access request.
- Can the data subject object to the collection and processing of personal data?
Yes, the data subject may object to the processing of personal data. Where a data subject objects to the processing of personal data, the person who processes the personal data must stop the processing of the data.