The Data Protection Commission will this year begin the strict enforcement of Data Protection Act, 2012 (Act 843), and set out the rules and principles governing the collection, use, disclosure and care for personal data or information by a data controller or processor.
Apart from ensuring that businesses that do not have the licence do not bid for or secure government contracts, the enforcement will also lead to the prosecution of defaulters.
The commission has thus urged individuals, organisations and businesses that collect, hold or process personal data to register with the commission and obtain a license to avoid breaching the law.
At a news conference in Accra yesterday as part of the Data Privacy Week celebrations, the Executive Director of the Data Protection Commission, Ms Patricia Adusei-Poku, said in accordance with the Data Protection Act, 2012, such entities — apart from acquiring the licence — were also required to put in place internal privacy or data protection policies, processes and procedures to ensure the safety of such data.
Data Privacy Week
The Data Privacy Week is observed from January 24–January 28 each year.
It is an international effort to create awareness of digital data privacy, and how it is being used and sometimes exploited by businesses.
The week celebration is to raise awareness and promote privacy and data protection best practices.
It is also intended to promote events and activities that encourage compliance with privacy laws and regulations; and create dialogues among stakeholders interested in advancing data protection and privacy.
Collaborations
Aside prosecution, Ms Adusei-Poku said the commission was in talks with other regulatory agencies to insist on the attainment of a data protection licence as a prerequisite for engaging with entities.
For instance, she said, talks were advanced for the Public Procurement Authority (PPA) to demand for a data protection licence before entities could bid for government contracts.
“Internal bodies are demanding for the licence as part of contract due diligence, and that is driving more entities to come and register with us.
“So if your work doesn’t make you go to a regulator who may demand for the licence, your internal auditor will demand for it,” she said.
Ms Adusei-Poku further indicated that the commission was also collaborating with the Ghana Revenue Authority (GRA) to release the details of all active companies in the country to the commission.
“So if you are a company that pays tax, we will get your details anyway and you will have to come and register with us,” she stressed.
She said the collaboration would help the commission to engage about 1,000 businesses every quarter.
Special court
Ms Adusei-Poku said the commission had engaged the Minister of Justice and the Office of the Chief Justice to set up special courts for the prosecution of defaulters.
“We are compiling a list for the ministry, but there is a plan to have a fast-track court to prosecute institutions that are going under the radar and have refused to take the licence. We have already spoken to the Chief Justice and he has given his support,” she said.
She said the commission was working with the government to set up a national artificial intelligence (AI) centre to help monitor and protect individual data.
Ms Adusei-Poku intimated that beyond obtaining a licence, entities must have a permanent data protection officer who would be certified by the commission.
The entities, she said, must also nominate a supervisor to take charge of data protection and privacy issues.
Among other things, she said, they must avoid faxing personal information unless absolutely necessary, and when doing so, make sure the recipient was waiting on the other end, and to collect personal data only if it was really necessary and not to collect more than what was needed from individuals.
Commission
The Data Protection Commission is an independent statutory body established under the Data Protection Act, 2012 (Act 843) to protect the privacy of the individual and personal data by regulating the processing of personal information.
The commission provides for the process to obtain, hold, use or disclose personal information and for other related issues bordering on the protection of personal data.