Population: 31,072,945

Capital: Accra

President: Nana Akufo-Addo

2021 Freedom House Score: 82/100

Data protection law? Yes, with data protection authority appointed

Privacy enshrined in Constitution: Yes, the right to privacy is recognised under Article 18(2) of the 1992 Constitution.

DPA legislation: The Data Protection Act, 2012 (Act 843) further guarantees the right to privacy. It came into force in October 2012 and applies both to data controllers based in Ghana and those who process data originating in Ghana.

Under the Act, data subjects have the right to:

• have their personal data corrected;
• access their personal data;
• prevent the processing of personal data that causes or is likely to cause unwarranted damage or distress to them;
• prevent the processing of personal data for purposes of direct marketing;
• not be subject to a decision by a data controller that would significantly affect them or have detrimental legal repercussions for them if the decision was solely based on automatic processing;
• exempt manual data; and
• be compensated for the data controller’s failure to comply with the provisions of Act 843, upon proof of damages.

ICCPR: Ratified

Council of Europe Convention 108: No

Council of Europe Convention 185: Ratified

Malabo Convention: Ratified

ECOWAS Supplementary Act on Personal Data Protection: Signed

Council of Europe Additional Protocol to Convention 108 (Treaty No. 181): No

Applies to natural persons: Yes

Applies to juristic persons: Yes

Applies to public entities: Yes

Domestic/personal purposes exclusion: Yes

National security exclusion: Yes

Law enforcement exclusion: Yes

Cabinet or Executive Council exclusion: Yes

Judicial functions exclusion: Yes

Journalistic, literary or artistic purposes exclusion: Yes

Temporary copies exclusion: No

Other exclusion(s): Yes

Broad or vague exclusions: No

Applies to foreign entities: Yes

Excludes foreign entities that only transit personal data through the country: Yes

Personal data is data about an individual who can be identified either:

• from the data; or
• from the data and other information in the possession of, or likely to come into the possession of the data controller.

Special personal data is defined as personal data which relates to the following categories:

• a child who is under parental control in accordance with the law; or
• the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life or criminal behaviour of an individual.

The eight data protection principles enumerated in Act 843 mirror those in the OECD Guidelines and the EU Data Protection Directive (95/46/EC).

1. Accountability
   • Establishes that a data controller should be accountable for compliance with measures aimed at realising the data protection principles. Processors of personal data must ensure that data subjects’ privacy rights are not infringed upon by using the data in a lawful and reasonable manner.
2. Lawfulness of processing
   • Necessitates that the purpose of personal data processing be necessary, relevant and not excessive.
3. Specification of purpose
   • Designed to guarantee that processing happens for specific purposes that are explicitly defined, lawful, and related to the functions or activities of the person collecting the data.
4. Compatibility of further processing with purpose of collection
   • Further processing of personal information must be compatible with the purpose for which it was initially obtained, but this requirement can be met if consent is given, if the data is in the public domain, or needed for the purposes of fighting crime, protection of tax revenue collection, the conduct of court proceedings, protection of national security, public health, or the life or health of the data subject or another person.
5. Quality of information
   • Data controllers must ensure that personal data is complete, accurate, up to date, and not misleading, having regard to the purpose for the collection or processing of the personal data.
6. Openness
   • Emphasises the need for data subjects to be made aware of the purpose for which their data is being collected, and gives a data subject the right to access and correct personal information.
7. Data security safeguards
   • Charges data controllers with a duty to prevent the loss of, damage to, or unauthorised destruction of personal data, as well as the unlawful access to or unauthorised processing of personal data. It demands that data controllers adopt appropriate, reasonable, technical, and organisational means to take necessary steps to ensure the security of personal data in their possession or control.
8. Data subject participation
   • The data controller must allow data subjects to exercise their rights under Act 843 regarding their personal data.

Notification that data is being processed: Yes

Notification to DPA in event of data breach: Yes

Notification to data subject in event of data breach: Yes

Timeframe for notification is specified: No

Exceptions exist to breach notifications: No

Requires a data processing register: Yes

Register is publicly available: Yes

Provides for terms of service icons: No

DPA must submit at least annual report: No

DPA report is made public: NA

Explicit provision for civil liability: Yes

Established/designates a Data Protection Authority: Yes

DPA is empowered to investigate: Yes

DPA is empowered to subpoena or request evidence: No

Law provides for criminal penalties: Yes

Law provides for administrative penalties: No

DPA is independently structured (does not exist within or receive instructions from another public body): No

DPA receives funding directly from the state budget/legislative body: Yes

DPA may receive some forms of external funding/own revenue: Yes

Adequate protections against undue removal: No

Number of members in DPA: 11

Maximum term length for members of the DPA (years): 6

Right of data subject to access a copy of their personal data: Yes

Right of data subject to request a correction of data: Yes

Right of data subject to request deletion of data: Yes

Justification required for a request for deletion: Yes

Defines the requirements for consent: No

DPA is mandated to participate in policy formulation: Unclear

While no provisions in Act 843 specifically pertain to transfer outside of national borders, selling or offering to sell the personal data of another person anywhere constitutes an offence punishable by a fine of not more than two thousand five hundred penalty units, a term of imprisonment of not more than five years, or both. An advertisement which indicates that personal data is or may be for sale is an offer to sell the data.

Provides a right not to be subject to automated decision-making: Yes