Data privacy - Ghana

Laws: Data Protection Act, 2012 (Act 843)

Extra-territorial scope: Yes (see Survey A2.1)

Regulator: Data Protection Commission

What data is covered?

The law applies to Personal Data, which is data about an individual who can be identified either: (i) from the data itself; or (ii) from information in the possession of, or likely to come into the possession of, the Data Controller.

Also covered is Special Personal Data, being Personal Data relating to race, colour, ethnic or tribal origin, political opinion, religious or similar beliefs, health, sexual orientation, criminal offences and legal proceedings (and, indirectly, children’s data).

Key risks and considerations

1. An established regime; but compliance standards are less onerous than the GDPR.
2. Consent generally required, but exceptions exist (e.g. legitimate interests).
3. Law has extra-territorial effect (but data in transit through Ghana is not caught).
4. Clear data breach notification obligations (to individuals and the regulator).
5. Specific laws on direct marketing communications (usually requiring consent).

Compliance overview

Register with regulator: Data Controllers must register with the Commission, pay the requisite fee and renew the registration every 2 years.

Appoint a DPO: Not mandatory. However, in practice the Commission requires large Data Controllers to appoint a ''data protection supervisor''.

Appoint a CISO: No specific legal obligation to appoint an information security officer.

Formal compliance programme: No explicit requirement. However, there is a general obligation to apply the principle of accountability, which may necessitate such a programme.

Publish/provide privacy notice: A Data Controller collecting Personal Data must make Data Subjects aware of this and of certain information before the data is collected.

Maintain records of activities: Not required.

Conduct privacy assessment (DPIA): Not generally required (other than in respect of appointing a representative, see Survey B1.2), but may assist with broader compliance.

Data security measures: Data Controllers must secure the integrity of Personal Data through appropriate, reasonable, technical and organisational measures.

Enforcement and top fines

• Maximum possible fine: 5,000 penalty units (circa USD 3,900) 
• The Commission has the power to serve enforcement notices, which require a Data Controller to take (or refrain from taking) certain steps or cease processing Personal Data.
• Top fine imposed to-date: Reports are not clear on the levels of enforcement actions.
• Personal criminal liability may arise (with sentences of imprisonment reaching up to 10 years).

Generally, Personal Data must not be processed without the prior consent of the Data Subject. However, consent is not required if the processing is: (i) necessary for the purposes of a contract to which the individual is a party; (ii) authorised or required by law; (iii) necessary to protect a legitimate interest of the Data Subject; (iv) necessary to perform a statutory duty; or (v) necessary to pursue a legitimate interest of a Data Controller or a third party with whom the data is shared.

There are no specific provisions in the Data Protection Act on the sharing of Personal Data. The sale, purchase or known or reckless disclosure of personal data is prohibited. No contract is required for a transfer between Data Controllers. The processing of Personal Data for a Data Controller by a Data Processor must be governed by a written contract.

A Data Controller must inform the Commission of its intention to transfer the Personal Data internationally and of the intended destination countries, either as part of an initial registration or a renewal. Otherwise, there is no restriction on international data transfers outside of Ghana, and no data localisation requirement in Ghana.

The Data Protection Act imposes direct obligations on service providers (data processors), who must (among other things): (i) only process Personal Data with the prior knowledge of the Data Controller (under a mandatory contract); (ii) comply with the security measures and broader general principles of the Data Protection Act; (iii) and consider notifying data breaches to individuals and to the regulator.

Data Controllers must notify the regulator and individuals as soon as possible of qualifying data breaches, and maintain records of the response. See the aosphere Breach Response app for critical breach notification requirements.