The Digital Gold: Navigating Ghana’s Data Protection Landscape

Kakra Sarfo Amponsah (UGSOL ’28) – 1st place (Legally Speakin Relaunch Writing Contest)

Introduction

Data protection is a significant global issue in establishing trust in modern digital age. With
rapid technological development and innovations powered by increased internet development,
and globalization it has resulted in an unprecedented increase in the collection, processing, and
storage of personal data.[1] Therefore, safeguarding it is essential to ensure privacy and security
while maintaining trust in digital systems.[2] From mobile money transactions to government
services delivered online, data is the essence of the evolving digital ecosystem. Ghana has made
tremendous progress in establishing a legal framework for data protection. Notwithstanding advancements, challenges continue to endure and resolving them is essential due to the inherent risks associated with diffusion, raising apprehensions regarding privacy, security, and potential misuse of personal information. This article examines data protection in Ghana, highlighting its legal framework, challenges, achievements, and prospects for a better system.

Overview of Data Protection

Data processing encompasses managing personal data, including collecting, recording,
organizing, structuring, storing, modifying, retrieving, accessing, using, sharing, disseminating,
aligning, restricting, erasing, or destroying it.[3] Data protection includes the legal, ethical, and
technical precautions to ensure personal information is collected, and processed securely hence
protecting privacy rights.[4] In the international setting, frameworks like the General Data Protection Regulation (GDPR) in the European Union have established standards for personal data protection.[5] Ghana, like most developing countries, has aligned local legislation with such international standards while addressing unique local issues.

Regulatory Frameworks.

The protection of data in Ghana is entrenched in legal instruments and policies that
collectively aim to safeguard personal data.
The 1992 Constitution. – Article 18(2) of Ghana’s Constitution guarantees citizens’ right to
privacy. It states that no person’s privacy shall be interfered with unless it is necessary for
public safety or other lawful purposes.[6]
Electronic Communications Act, 2008 (Act 775). – This Act regulates the telecommunications
sector and includes provisions on protecting users’ personal information. It imposes a duty to
protect consumer information and prohibits unauthorized disclosure of user data by service
providers.[7]
Cybersecurity Act, 2020 (Act 1038). – The Cybersecurity Act addresses issues related to
cybercrime and cybersecurity. It permits limited interception of data under judicial oversight
for purposes such as national security or criminal investigations.[8]
National Data Strategy. Launched in July 2024, this initiative, in partnership with Smart
Africa and Team Europe, outlines a comprehensive framework for data governance in the
country, including ethical standards for data collection, storage, and usage.[9] The Data Protection Act, 2012 (Act 843). – This is Ghana’s official attempt to regulate data
protection. It represents a significant milestone towards the development of a strong legal
framework for data protection. Inspired by international practices, particularly the European
Union’s Data Protection Directive 95/46/EC (precursor to the GDPR), the DPA sets principles
and obligations to ensure the responsible and ethical collecting, processing, storing, and sharing
of personal data. Additionally, it created the Data Protection Commission (DPC) as the
regulatory authority.[10]

Overview of The Data Protection Act, 2012 (Act 843)
Definition of Personal Data – Personal data broadly refers to any information about an individual who can be identified from that data or, from diverse fragments of information, which when combined can lead to the identification of a person.[11] This includes names, addresses, contact details, biometric data,
financial information, and online identifiers like IP addresses and cookies.

Data Protection Principles
The DPA establishes fundamental principles that govern the processing of personal data. These
include:
i. Privacy of the individual: Data controllers are responsible for guaranteeing compliance with
the DPA, ensuring accountability, transparency about their data processing practices and data
subject participation, where the data subject may access, rectify, and erase their personal data.[12]
ii. Consent: Informed consent is crucial before processing personal data. Consent is the clear,
unambiguous and free agreement of a data subject, expressed through statements or affirmative
action, permitting the processing of their personal data.[13] Consent may be bypassed when data
processing is necessary for a contract involving the data subject, authorised by law, to protect
a legitimate interest of the data subject, for the performance of a statutory duty, to pursue the
legitimate interest of the data controller or third party.[14]
iii. Lawfulness of Processing: Personal data must be processed lawfully, fairly, and transparently.
Processing is lawful when the data subject gives consent, it is necessary for a contract, legal
compliance, protecting vital interests, for public interest, or pursuing legitimate interests that
do not override the rights and freedoms of the data subject, particularly in the case of a child.[15]
iv. Specification of Purpose: Data must be collected for definite, clear, and legitimate purposes.
The data subject must be informed about how their information will be used,[16] and should not
be kept for longer than is necessary for the purpose for which it was collected.[17]
v. Compatibility Limitation of Further Processing: Further processing of personal data must
be compatible with the original purpose.[18]
vi. Data Quality: Data must be precise, complete, and up-to-date.[19]
vii. Security Safeguards: Suitable technical and administrative measures must be executed to
protect personal data against unauthorized access, loss, destruction, or damage.[20]
Prohibition of Unauthorized Data Transfers: The DPA regulates transfer of personal data
outside Ghana, requiring data controllers to ensure adequate safeguards to protect the data in
the recipient country. This is particularly important in the context of cloud computing and
international data flows. The Act prohibits the sale or unauthorized exposure of personal data.[21]
viii. Offences and Penalties: Non-compliance can result in various offences, including unlawful
processing of personal data, failure to register with the DPC, and obstruction of the DPC’s
investigations. Penalties for violations range from fines to imprisonment.[22]

Rights of Data Subjects
i. Right to Access: The right to request access to their personal data held by a data controller.[23]
ii. Right to Rectification and erasure: The right to request the correction of inaccurate or
incomplete personal data and to request the deletion of their personal data under certain
circumstances.[24]
iii. Right to Object: The right to object to the processing of their personal data in certain
situations.[25]
iv. Right to Prevent Processing for Direct Marketing: The right to prevent their personal data
from being used for direct marketing purposes.[26]

Data Controller and Data Processor.
The DPA differentiates between data controllers and data processors. A data controller is the
natural or legal person, public authority, or entity that determines the purposes and means of
processing personal data, while a data processor processes data on behalf of the controller.[27]

Obligations
Organizations collecting or processing personal data must register with the DPC and comply
with strict guidelines on data handling and ensuring its security.[28] Registration allows the DPC
to maintain a database of data controllers operating in Ghana and to monitor their compliance
with the DPA.

Data Protection Commission (DPC)
The DPA creates the Data Protection Commission (DPC) as the independent regulatory body
responsible for overseeing the implementation and enforcement of the DPA.[29] The DPC has the power to: a. Register data controllers.
b. Investigate complaints of data breaches.
c. Issue enforcement notices.
d. Impose sanctions for violations of the DPA.
e. Promote public awareness of data protection issues.

Impact of DPA on Various Sectors
a. Financial Services: Banks, insurance companies, and other financial institutions collect and
process vast amounts of personal data. The DPA requires these organizations to implement
robust security measures and ensure compliance with data protection principles. The rise of
mobile money and digital banking further underscores the importance of data protection in this
sector.[31]
b. Healthcare: Healthcare providers collect and process sensitive personal data, including
medical records and patient information. The DPA mandates strict confidentiality and security
safeguards to protect this sensitive data. The increasing use of electronic health records and
telemedicine requires careful attention to data protection.[32]
c. Telecommunications: Telecommunication companies collect and process personal data related
to subscriber information, call logs, and location data. The DPA regulates the use of this data
and grants individuals the right to control how their data is used for marketing purposes.[33]
d. Education: Educational institutions collect and process personal data about students, teachers,
and staff. The DPA requires these institutions to protect this data and ensure that it is used only
for legitimate purposes.[34]
e. Retail and E-commerce: Retail businesses and e-commerce platforms collect and process
personal data about customers, including purchase history, payment information, and contact
details. The DPA regulates the use of this data for marketing purposes and requires these
businesses to implement appropriate security measures.[35]

The Importance of Data Protection in Ghana’s Development
Data protection is not just a regulatory requirement; it is necessary for Ghana’s progress:
Economic Growth: As Ghana embraces digitization and e-commerce, strong data protection
laws attract investments and build consumer confidence.[36]
Global Competitiveness: Adherence to international data protection standards enhances
Ghana’s position in global trade and partnerships.[37]
Human Rights Protection: Data protection safeguards the right to privacy, which is essential
in a democratic society.
Technological Innovation: A clear legal framework encourages innovation by providing
boundaries within which new technologies can operate.

Achievements
Ghana’s noteworthy improvements in strengthening data protection include:
Public Awareness Campaigns: Initiatives such as the “Right to Know” campaign have
improved public understanding of data protection laws.
Increased Data Controllers Registration: More organizations are registering with the DPC,
signalling growing compliance.
International Collaboration: Ghana has engaged with international bodies to align its data
protection practices with global standards.

Data Breaches and Their Implications
Personal data breach is a security violation resulting in accidental or unlawful destruction,
alteration, unauthorized disclosure, or access to personal data. Data breaches are increasingly
common worldwide, with severe consequences for individuals and organizations. In Ghana:
– Breaches can lead to identity theft, financial fraud, or reputational damage.
– Organizations found negligent may face fines or imprisonment under the Data
Protection Act.
To mitigate these risks, organizations must adopt strong security measures such as encryption,
access controls, and regular audits.

Challenges of Data Protection
Notwithstanding the established legal framework, challenges obstruct efficient implementation
of data protection legislation in Ghana:
Low Public Awareness. A significant obstacle is the lack of public awareness regarding data
protection rights. Most Ghanaians are unaware of their rights under the DPA or how to assert
them and organizations lack detailed knowledge of their obligations. This lack of awareness
undermines the effectiveness of the law and limits the demand for compliance.
Weak Enforcement. Despite the DPC having the power to investigate complaints and impose
sanctions, its enforcement efforts have been relatively limited partly due to resource constraints
that limit its ability to monitor compliance and enforce sanctions on violators. Absence of
enforcement mechanisms leads to a failure for organizations to register with the DPC or adhere
to data protection principles.
Speedy Technological Advancements. The speed of technological innovation often exceeds
the existing legal framework, creating gaps in regulation. Emerging technologies like artificial
intelligence (AI) and big data analytics, pose new risks to privacy that current laws may not
address sufficiently.
Cross-Border Data Transfers. The global reach of digital services poses significant
challenges to regulate cross-border data flows effectively.
Limited Capacity Building. Ghana faces a shortage of trained professionals in data protection
and cybersecurity. Data protection is inherently tied to cybersecurity. Increasing cyberattacks
and data breaches pose risks to both individuals and organizations. Effective implementation
of the DPA requires a skilled workforce to enforce the law and provide guidance to
organizations on data protection. The DPC needs to invest in training staff and building
capacity within the broader legal and technological ecosystem.

Technology in Data Protection
Technology is the driving force behind improved data security:
– Encryption: Maintains security of sensitive information secure during transmission.
– Blockchain: Provides immutable records that increase transparency and
accountability.
– Artificial Intelligence: Can detect anomalies indicative of potential breaches. AI
powered tools can analyse network traffic and identify suspicious patterns that may
indicate a data breach. These tools can also automate data protection tasks, such as data
classification and access control.
These technologies come with their own set of challenges that require careful management.

Improvement
The future of data protection in Ghana hinges on addressing challenges and adapting the legal
framework to the evolving technological landscape. Several key developments are likely to
shape the future of data protection:
– Collaboration and Partnerships. DPC cooperation with government agencies, industries,
and civil society organizations promotes data protection awareness and compliance culture.
This includes conducting joint training programs, and developing industry-specific guidelines.
Collaboration with organizations such as Smart Africa can allow Ghana to leverage global
best practices.
– Increased Public Awareness and Education. To inform individuals about their data
protection rights and responsibilities sustained public awareness and education programs are
needed. This includes spreading information in local languages and using media platforms to
reach a wide audience. Launching a national data protection awareness week to raisepublic
awareness.
– Specific Regulations for Emerging Technologies. Developing specific regulations for
emerging technologies like artificial intelligence, blockchain, and the Internet of Things (IoT)
would address the novel data protection issues raised by these technologies. This would require
careful consideration of the ethical and societal implications of these technologies.
– Data Protection by Design and by Default. Controllers must adopt a risk-based
implementation of safeguards that align with the costs, and risks to individuals’ rights. The
measures must be integrated at the design and processing stage. Only necessary personal data
for the specific purpose may be processed. By implementing data protection by design and by
default, organizations can proactively protect personal data and minimize the risk of data
breaches.
– Data Breach Notification Requirements. Mandatory data breach notification requirements
would involve organizations notifying the DPC and affected individuals of a data breach. This
enhances transparency and accountability and allows timely response to data security
incidents.
– Harmonization with International Standards. Harmonization of legal framework with best
international practices including adopting GDPR-like regulations and implementing stringent
mechanisms for cross-border data transfers.
– Updating Legal Frameworks. Periodic reviews of current laws and Act 843 to counter
emerging issues in data protection and cybersecurity are necessary to ensure they remain
relevant considering technological advancements.
– Strengthening the DPC. To ensure compliance with the DPA, it is essential to enhance the
enforcement capabilities of the DPC. This includes expanding personnel, offering specialized
training, making the DPC autonomous, and streamlining enforcement procedures. Learning
and collaborating with countries that have developed data protection frameworks to adopt best
practices.
Through addressing these challenges and capitalizing on emerging opportunities, Ghana can
enhance its data protection system, promote innovation, and build trust in the digital age.

Conclusion
Data protection requires constant attention from policymakers, businesses, and individuals.
Ghana’s journey is an evolving process guided by the Data Protection Act, 2012, marked by
progress, challenges, and opportunities. By prioritizing data privacy, Ghana can foster a culture
of trust, accountability, and innovation, which are critical for digital transformation.
Complementing the gaps and leveraging technology advantageously, Ghana can create a robust
data protection regime establishing itself as a leader in data governance in Africa.

Endnotes

[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) [2016] OJ 2 119/42, Preamble Paragraph (6).
[2] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) [2016] OJ 2 119/42, Preamble Paragraph (7).
[3] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) [2016] OJ 2 119/42, Art 4(2).
[4] European Commission, Data Protection Explained https://commission.europa.eu/law/law-topic/data
protection/data-protection-explained_en accessed 19 March 2025; TechTarget, What is Data Protection? (4
February 2025) https://www.techtarget.com/searchdatabackup/definition/data-protection accessed 19 March 2025.
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.
[6] THE 1992 CONSTITUTION OF THE REPUBLIC OF GHANA, Article 18(2).
[7] Electronic Communications Act, 2008 [Act 775], Section 28.
[8] Cybersecurity Act, 2020 (Act 1038), Section 86.
[9] Smart Africa, Ghana Develops National Data Strategy in Collaboration with Smart Africa and Team
Europe (2 July 2024) https://smartafrica.org/ghana-develops-its-national-data-strategy-in-collaboration-with smart-africa-and-team-europe/ accessed 19 March 2025; Ministry of Communications and Digitalisation, Ghana National Data Strategy Validation Workshop Kicks Off in Accra (27 June
2024) https://moc.gov.gh/2024/06/27/ghana-national-data-strategy-validation-workshop-kicks-off-in
accra/ accessed 19 March 2025.
[10] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) [2016] OJ 2 119/42, Art 4(11); Data Protection Commission Ghana, https://moc.gov.gh/dpc/ accessed 19 March 2025.
[11] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) [2016] OJ 2 119/42, Art 4(1); African Union, African Union Convention on Cyber Security and
Personal Data Protection (27 June 2014) art 1.
[12] The Data Protection Act, 2012 (Act 843), Section 17.
[13] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) [2016] OJ 2 119/42, Preamble Paragraph (32).
[14] The Data Protection Act, 2012 (Act 843), Section 20; REGULATION (EU) 2016/679 OF THE EUROPEAN
PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to
the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
(General Data Protection Regulation) [2016] OJ 2 119/42, Preamble Paragraph (39)-(40).
[15] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1, art 6(1); The Data Protection Act, 2012 (Act 843), Section 18.
[16] The Data Protection Act, 2012 (Act 843), Section 22-23.
[17] The Data Protection Act, 2012 (Act 843), Section 24.
[18] The Data Protection Act, 2012 (Act 843), Section 25.
[19] The Data Protection Act, 2012 (Act 843), Section 26.
[20] The Data Protection Act, 2012 (Act 843), Section 28.
[21] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ 2 119/42, Preamble Paragraph (49).
[22] The Data Protection Act, 2012 (Act 843), Section 95.
[23] The Data Protection Act, 2012 (Act 843), Section 35.
[24] The Data Protection Act, 2012 (Act 843), Section 44; The Data Protection Act, 2012 (Act 843), Section 33(1).
[25] The Data Protection Act, 2012 (Act 843), Section 39.
[26] The Data Protection Act, 2012 (Act 843), Section 40.
[27] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ 2 119/42, Art 4.
[28] The Data Protection Act, 2012 (Act 843), Section 46.
[29] The Data Protection Act, 2012 (Act 843), Section 1-3.
[30] The Data Protection Act, 2012 (Act 843), Section 3.
[31] CIPESA, Data Protection Policy Developed to Guide FinTechs in Ghana (June
2021) https://cipesa.org/2021/06/data-protection-policy-developed-to-guide-fintechs-in-ghana/ accessed 20 March 2025; Zenith Bank Ghana, Privacy Policy (1 January 2012) https://www.zenithbank.com.gh/tools
resources/privacy-policy/ accessed 20 March 2025.
[32] Modern Ghana, Strengthening Healthcare Cybersecurity in Ghana: The Role of the Data Protection Act, 2012 (Act 843) (11 October 2024) https://www.modernghana.com/news/1347900/strengthening-healthcare cybersecurity-in-ghana.html accessed 20 March 2025; Ministry of Health, Policy and Legal Framework for Health Management Information Systems (2016) https://www.moh.gov.gh/wp-content/uploads/2016/02/Policy-and-Legal-Framework-for-HMIS.pdf accessed 20 March 2025; IIPGH, Strengthening Healthcare Cybersecurity in Ghana: The Role of the Cybersecurity Act and Data Protection Act (7 October 2024) https://iipgh.org/strengthening-healthcare-cybersecurity-in-ghana-the-role-of-the-cybersecurity-act-and-data-protection-act/ accessed 20 March 2025.
[33] Journal of Law and Society, Data Privacy Regulations in Ghana: A Guide to GDPR
Compliance https://journal.hmjournals.com/index.php/JLS/article/download/2843/2529/5244 accessed 20
March 2025.
[34] The BFT Online, ICT Insights: Children’s privacy in school—a concern to both parents and school
authorities (4 May 2022) https://thebftonline.com/2022/05/04/ict-insights-childrens-privacy-in-school-a
concern-to-both-parents-and-school-authorities/ accessed 20 March 2025; Lincoln Community School, LCS Full
Privacy Notice (30 July 2024) https://www.lincoln.edu.gh/full-privacy-notice/ accessed 21 March 2025.
[35] Zoe, Akyea & Co., E-Commerce & the Law in Ghana https://zakyea.com/e-commerce-the-law-in
ghana/ accessed 21 March 2025; The BFT Online, Legal and regulatory framework of e-commerce in Ghana (15 November 2022) https://thebftonline.com/2022/11/15/legal-and-regulatory-framework-of-e-commerce-in-ghana/ accessed 21 March 2025.
[36] The BFT Online, The Data Protection Act: Unlocking job creation & business growth (4 March
2025) https://thebftonline.com/2025/03/04/the-data-protection-act-unlocking-job-creation-business
growth/ accessed 21 March 2025; Oaks Legal, The Impact of Ghana’s Data Protection Laws on Corporate
Operations (29 April 2023) https://oakslegal.net/the-impact-of-ghanas-data-protection-laws-on-corporate
operations-navigating-the-complexities-of-privacy-compliance/ accessed 21 March 2025.
[37] IIPGH, World Data Protection Day: Safeguarding Privacy and Building Trust in Ghana (27 January
2025) https://iipgh.org/world-data-protection-day-safeguarding-privacy-and-building-trust-in-ghana/ accessed 21 March 2025; Stiftung Neue Verantwortung, Country Profile Ghana https://www.interface
eu.org/storage/archive/files/ghana_country_profile.pdf accessed 21 March 2025.