The Data Protection Act, 2012 (Act 843) (DPA) sets out the rules and principles governing the collection, use, disclosure, destruction and care of personal data or information by a data controller (organisations) or processor. The Data Protection Commission (Ghana) is an independent body set up to ensure and enforce compliance with the DPA, which came into force on 16 October 2012.
The Act provides standard principles that must be complied with by all who process personal information across the country and beyond. The law applies to all forms of personal data or information stored on both electronic and non-electronic platforms. The Act is based on a basic rule that all who process personal data must consider the individual's right to the privacy of his or her communications.
Eight (8) Basic Principles must be applied and adhered to in processing personal data:
- Lawfulness of Processing,
- Specification of Purpose,
- Compatibility of Further Processing With Purpose Of Collection,
- Quality of Information,
- Data Security Safeguards, and,
- Data Subject Participation.
For further explanation of the principles and how to implement them in practice to show accountability, please contact us.
All organisations that obtain, hold, use or disclose (process) personal information must comply with the Act. Compliance obligations include the following:
- Register with the Data Protection Commission (section 56)
- Renew registration every two years
- Provide a compliance report prior to renewal
- Appoint a dedicated Data Protection supervisor/officer (responsible person for DPC)
- Demonstrate compliance with the Act
- Be available for audit on an ad hoc basis
Section 56 of the Act makes non-compliance with the Act an offence which can result in enforcement by the Data Protection Commission. In addition to the above, non-compliance can lead to:
- Loss of customer trust
- Loss of business or tenders which stipulate adherence to data protection within and outside Ghana.
- Loss of reputation
- Loss of revenue
Registration & Renewal
All Data Controllers must register with the DPC and renew every two years. Information Governance Solutions provides registration and renewal services to allow you to focus on your core business knowing that it will be taken care of.
Dedicated Data Protection Supervisor/Officer as a Service (DPSaaS/DPOaaS)
Under the Ghana Data Protection Act 2012, all organizations that are deemed to be Data Controllers may appoint a certified and qualified Data Protection Supervisor (DPS). This is the person who is responsible for monitoring and advising on the organization's compliance with the DPA 2012 and other data privacy requirements in other jurisdictions. This does not have to be an employee of the organization but must be a suitably qualified person, with the knowledge and experience to undertake the required duties.
To help you comply with this requirement under the Act, we offer the Data Protection Supervisor/Officer as a service (DPSaaS/DPOaaS) to organizations on a service contract basis depending on the size of the business. We offer the full service of a DP Supervisor/Officer by acting as your outsourced provider whilst tailoring it to your specific needs according to the size of your organisation and its specific processing of personal data. Our consultants are qualified to international standards (Europe – GDPR) as well as certified practitioners to the Ghana DPA 2012.
Since 2017, IGS has been delivering the Certified Data Protection Supervisor (Practitioner Level) for the Data Protection Commission Ghana.
Compliance Assessment and Reporting
Data controllers are required to submit a compliance report to the DPC prior to renewing their registration every two years. Registration with the DPC shows that your organization is processing personal data legally and has processes, procedures and measures in place to comply with the eight (8) Data Protection principles and the DPA 2012 (Act 843).
Our service will conduct an initial compliance assessment and submit a report to your organisation to identify risk areas including potential and actual non-compliance(s). We deliver our report with recommendations and mitigation activities required to address any highlighted risks. This can be a one-off exercise or a periodically agreed assessment aligned with the needs of your business.
Audit Requirements (internal and external)
Our internal audit and sustainable compliance service will ensure that your organisation is proactively prepared for any DPC-authorised spot checks with standardised documentary evidence, well-trained staff, a physically secured environment and appropriately protected hardware.
This service includes implementation of an evidence-based framework for continuous compliance, agreed set standards and minimum baseline requirements. We also provide bespoke Internal Auditor & Data Protection Champion training to support your compliance obligations covering various legislation and International Standards such as ISO 27001, BS1012 (Coming soon), PIMS (Personal Information Management Systems) and support Privacy Compliance Framework (PCF).