DATA PROTECTION FACTSHEET
President: Nana Akufo-Addo
2021 Freedom House Score: 82/100
Data protection law? Yes, with data protection authority appointed
Privacy enshrined in Constitution: Yes, the right to privacy is recognised under Article 18(2) of the 1992 Constitution.
DPA legislation: The Data Protection Act, 2012 (Act 843) further guarantees the right to privacy. It came into force in October 2012 and applies both to data controllers based in Ghana and those who process data originating in Ghana.
Under the Act, data subjects have the right to:
- have their personal data corrected;
- access their personal data;
- prevent the processing of personal data that causes or is likely to cause unwarranted damage or distress to them;
- prevent the processing of personal data for purposes of direct marketing;
- not be subject to a decision by a data controller that would significantly affect them or have detrimental legal repercussions for them if the decision was solely based on automatic processing;
- exempt manual data; and
- be compensated for the data controller’s failure to comply with the provisions of Act 843, upon proof of damages.
Council of Europe Convention 108: No
Council of Europe Convention 185: Ratified
Malabo Convention: Ratified
ECOWAS Supplementary Act on Personal Data Protection: Signed
Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No
Applies to natural persons: Yes
Applies to juristic persons: Yes
Applies to public entities: Yes
Domestic/personal purposes exclusion: Yes
National security exclusion: Yes
Law enforcement exclusion: Yes
Cabinet or Executive Council exclusion: Yes
Judicial functions exclusion: Yes
Journalistic, literary or artistic purposes exclusion: Yes
Temporary copies exclusion: No
Other exclusion(s): Yes
Broad or vague exclusions: No
Applies to foreign entities: Yes
Excludes foreign entities that only transit personal data through the country: Yes
Personal data is data about an individual who can be identified either:
- from the data; or
- from the data and other information in the possession of, or likely to come into the possession of the data controller.
Special personal data is defined as personal data which relates to the following categories:
- a child who is under parental control in accordance with the law; or
- the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life or criminal behaviour of an individual.
- Establishes that a data controller should be accountable for compliance with measures aimed at realising the data protection principles. Processors of personal data must ensure that data subjects’ privacy rights are not infringed upon by using the data in a lawful and reasonable manner.
- Lawfulness of processing
- Necessitates that the purpose of personal data processing be necessary, relevant and not excessive.
- Speciﬁcation of purpose
- Designed to guarantee that processing happens for specific purposes that are explicitly defined, lawful, and related to the functions or activities of the person collecting the data.
- Compatibility of further processing with purpose of collection
- Further processing of personal information must be compatible with the purpose for which it was initially obtained, but this requirement can be met if consent is given, if the data is in the public domain, or needed for the purposes of fighting crime, protection of tax revenue collection, the conduct of court proceedings, protection of national security, public health, or the life or health of the data subject or another person.
- Quality of information
- Data controllers must ensure that personal data is complete, accurate, up to date, and not misleading, having regard to the purpose for the collection or processing of the personal data.
- Emphasises the need for data subjects to be made aware of the purpose for which their data is being collected, and gives a data subject the right to access and correct personal information.
- Data security safeguards
- Charges data controllers with a duty to prevent the loss of, damage to, or unauthorised destruction of personal data, as well as the unlawful access to or unauthorised processing of personal data. It demands that data controllers adopt appropriate, reasonable, technical, and organisational means to take necessary steps to ensure the security of personal data in their possession or control.
- Data subject participation
- The data controller must allow data subjects to exercise their rights under Act 843 regarding their personal data.
Notification that data is being processed: Yes
Notification to DPA in event of data breach: Yes
Notification to data subject in event of data breach: Yes
Timeframe for notification is specified: No
Exceptions exist to breach notifications: No
Requires a data processing register: Yes
Register is publicly available: Yes
Provides for terms of service icons: No
DPA must submit at least annual report: No
DPA report is made public: NA
Explicit provision for civil liability: Yes
Established/designates a Data Protection Authority: Yes
DPA is empowered to investigate: Yes
DPA is empowered to subpoena or request evidence: No
Law provides for criminal penalties: Yes
Law provides for administrative penalties: No
DPA is independently structured (does not exist within or receive instructions from another public body): No
DPA receives funding directly from the state budget/legislative body: Yes
DPA may receive some forms of external funding/own revenue: Yes
Adequate protections against undue removal: No
Number of members in DPA: 11
Maximum term length for members of the DPA (years): 6
Right of data subject to access a copy of their personal data: Yes
Right of data subject to request a correction of data: Yes
Right of data subject to request deletion of data: Yes
Justification required for a request for deletion: Yes
Defines the requirements for consent: No
DPA is mandated to participate in policy formulation: Unclear
While no provisions in Act 843 specifically pertain to transfer outside of national borders, selling or offering to sell the personal data of another person anywhere constitutes an offence punishable by a fine of not more than two thousand five hundred penalty units, a term of imprisonment of not more than five years, or both. An advertisement which indicates that personal data is or may be for sale is an offer to sell the data.
Provides a right not to be subject to automated decision-making: Yes