The Ghana Data Protection Act Explained: Safeguarding Personal Information

The primary legislation that protects data privacy is the Data Protection Act. Its purpose is to establish a Data Protection Commission ('DPC'); to protect individuals' privacy and personal data by regulating the processing of personal information; to outline the process of obtaining, holding, using, or disclosing personal information; and to define the rights of data subjects, prohibited conduct in processing, third-country processing of data relating to data subjects covered by the Data Protection Act, third-country data subject processing in Ghana, and related matters.

Scope and Applicability. 

Territorial scope.

 The Data Protection Act applies to a data controller in the following cases: 

  • If the controller is based in the country and processes data there;  

  • If the controller is not based in the country but uses equipment or a data processor operating in the country to process data;  

  • If the processing involves information that originates, either partially or wholly, from the country. 

Material scope.

Section 18 of the Act states that the processing of personal data must be done in a manner that ensures that the personal data is processed:

  • without infringing the privacy rights of the data subject; 

  • in a lawful manner; and

  • in a reasonable manner.

Legal bases 

1. Consent

2. Contract with the data subject 

3. Legal Obligation 

4. Interest in the data subject. 

5. Public Interest. 

6. Legitimate interests of the data controller 

7. Legal bases in other instances    

Principles.

The principles of data subject privacy that every data controller must consider when processing data are: 

  • accountability; 

  • the lawfulness of processing; 

  • specification of purpose; 

  • compatibility of further processing with the purpose of collection; 

  • quality of information; 

  • openness; 

  • data security safeguards; and 

  • data subject participation. 

 

Controller and Processor Obligations.

Data transfers 

Data transfer can occur in two main scenarios:  

1. When a third-country BPO processes data in Ghana, the data controller must comply with relevant data protection laws. The BPO cannot invoke the Data Protection Act if it violates the rights of data subjects and can be held accountable to the Data Protection Commission (DPC) for any violations. 

2. When personal data under the Data Protection Act is outsourced to third-country BPOs, the legal framework for data centers and cloud storage will be shaped by inter-regulatory agreements that address emerging technology trends and national interests. 

Data processing records 

Data retention principles require the maintenance of processing records and ensure that data is not held longer than the specified retention period. 

Data protection impact assessment 

Data Protection Impact Assessments (DPIAs) are essential for all data controllers, as the Data Protection Act establishes the Data Protection Commission (DPC) as a regulatory authority overseeing compliance. Controllers must continuously monitor for compliance to prevent breaches. In the event of security breaches, the Act's disclosure requirements make DPIAs a critical practice, as such violations always necessitate conducting a DPIA. 

Data Protection Officer appointment 

The Data Protection Act designates data protection officers as data protection supervisors (DPS). While data controllers don't need to appoint a DPS, the role involves monitoring the controller's compliance with the Act's provisions. 

Data Breach notification. 

Section 31 of the Act requires notification to both the data subject and the Data Protection Commission (DPC) if there are reasonable grounds to believe that personal data has been accessed or acquired by unauthorized individuals. This notification must provide enough information for the data subject to take protective measures and should occur "as soon as reasonably practicable" after the breach is discovered. 

Data Retention 

The Data Protection Act treats the data retention framework for personal data kept for historical, statistical, or research purposes differently. Data controllers must ensure that records containing personal data are adequately protected from unauthorized access or use. 

Children's data.

Under the Data Protection Act, the processing of data relating to a child who is under parental control under the law is prohibited unless otherwise provided by the Data Protection Act.  

Special categories of personal data.

 Unless otherwise specified in this Act, a person may not process personal data related to: (a) a child under parental control, or (b) an individual's religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life, or criminal behavior.  

Controller and processor contracts.

The Data Protection Act addresses Business Process Outsourcing (BPO) from foreign data controllers, imposing obligations on data processors to ensure compliance during processing according to the relevant foreign jurisdiction. It requires that for BPO inflows from foreign-based data controllers, processing must adhere to the data protection laws of the originating jurisdiction when personal data from that jurisdiction is sent to the country for processing.

Data Subject Rights 

  1. Right to be informed 

  2. Right to access 

  3. Right to rectification 

  4. Right to erasure 

  5. Right to object/opt out 

  6. Right to data portability. 

  7. Right not to be subject to automated decision-making 

    

Penalties 

The Data Protection Act provides for penalty provisions to be made for offenses created under the Regulations. Where a person commits an offense under this Act in respect of which a penalty is not specified, the person is liable on summary conviction to a fine of not more than five thousand penalty units or a term of imprisonment of not more than ten years or to both.