Ghana’s Data Protection Act, New Privacy Legislation

Ghana’s Data Protection Act, New Privacy Legislation

Ghana’s Data Protection Act, 2012, or the Data Protection Act for short is a privacy law that was passed in Ghana in 2012. In addition to establishing the rules and responsibilities of data controllers and processors operating within Ghana, the Data Protection Act also established the Data Protection Commission, or DPC for short. The DPC was established “to protect individuals’ privacy and personal data by regulating the processing of personal information, to outline the process to obtain, hold, use, or disclose personal information, defining the rights of data subjects, prohibited conducts of processing, third-country processing of data relating to data subjects covered by the Act, third-country data subject processing in Ghana, and related matters.

What is the scope and application of the Data Protection Act?

What are the data principles that data controllers and processors must adhere to under the Data Protection Act?

Under Ghana’s Data Protection Act, data controllers and processors operating within the country must adhere to the following data protection principles when collecting, processing, or disclosing the personal data of Ghanaian citizens:

Moreover, the obligation of data subjects to consent to the processing of their personal data is a condition that must also be fulfilled by data controllers, unless said data controllers can effectively demonstrate that such processing is:

What are the rights of data subjects under the Data Protection Act?

In comparison to many other data privacy laws around the world, the Data Protection Act affords numerous rights to data subjects within Ghana as it pertains to their personal privacy. These rights include:

In terms of penalties in relation to non-compliance, the Data Protection Commission, or DPC for short has the authority to enforce the Data Protection Act. However, the passing of the Data Protection Act also established an amnesty period for all individuals, agencies, and organizations. As such, enforcement decisions that have been made as it pertains to the Data Protection Law have not been publicized as of the writing of this article. However, data controllers and processors who fail to comply with the law are subject to a monetary fine of up to 150 penalty units, a term of imprisonment of up to one year, or both.

Ghana’s Data Protection differs from other well-known international privacy policies such as the EU’s General Data Protection Regulation or GDPR and Australia’s Consumer Data Right or CDR. However, the provisions of the Data Protection Act clearly outline the obligations that data controllers and processors must abide by when processing the personal data of data subjects, as well as set forth the punishments for failing to do so. As such, the data privacy rights of Ghanaian citizens have been guaranteed by law, whether they are physically within Ghana or in another country.