Introduction
The advancement of technology has brought with it new and improved ways of violating an individual's right to privacy. Lack of privacy deprives an individual of the freedom of exploration or experimentation, as the individual constantly feels monitored and is expected to act in a way pleasing to the entire public. Lack of privacy also subjects the individual to danger, as his or her personal information is accessible to an unauthorized person who could stalk the individual, gain access to the individual's financial details and accounts, and more.
It is for this reason that the Constitution, 1992 of Ghana per Article 18(2) says that, “No person shall be subjected to interference with the privacy of his home, property, correspondence or communication except in accordance with law and as may be necessary in a free and democratic society for public safety or the economic well-being of the country, for the protection of health or morals, for the prevention of disorder or crime or for the protection of the rights or freedoms of others”.
In furtherance of the objective of promoting privacy and preventing its violation, the Data Protection Act, 2012 (Act 843), was enacted to provide the requisite guidelines for protecting and safeguarding individuals' privacy.
This write-up focuses on what measures are taken to protect the privacy of individuals and entities.
Application of the Act
Act 843 applies to a data controller concerning data where,
- the data controller is established in this country and the data is processed in this country,
- the data controller is not established in this country but uses equipment or a data processor carrying on business in this country to process the data, or
- processing is in respect of information which originates partly or wholly from this country.
The Act further applies to data processors.
Data controllers are persons who, simply put, determine the purpose for and the manner in which personal data is processed or is to be processed.
Data processors are those who process data on behalf of the data controllers, apart from employees of the data controllers.
The standard principles that data processors and data controllers are to abide by are laid out in Act 843 as accountability, lawfulness of processing, specification of purpose, compatibility of further processing with purpose of collection, quality of information, openness, data security safeguards, and data subject participation.
In conjunction with the above, data controllers and data processors are to ensure that the personal data they process is processed without infringing on the privacy of the data subject, in a lawful manner, and in a reasonable manner. This connotes, first and foremost, that the right of the data subject should be of utmost concern to the data processor and that processing should stay within the ambit of the law.
In modern times, it is the norm for businesses or professionals to remain in one country or continent and do business across the globe. This would necessarily involve the receipt of personal data from data subjects in foreign jurisdictions. It is for this reason that Act 843 requires data processors and controllers to ensure that any data received from foreign data subjects is processed in compliance with the data protection legislation of the foreign jurisdiction of that subject where the personal data originates from that foreign jurisdiction.
Is the consent of a data subject necessary before the data is processed?
The simple answer is yes but not in all circumstances. It is paramount and essential to obtain the prior consent of the data subject before proceeding to process the personal data of that subject unless it is
- necessary for the purpose of a contract to which the data subject is a party
- authorised or required by law
- to protect a legitimate interest of the data subject
- necessary for the proper performance of a statutory duty; or
- necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.
How should the data be collected?
Ordinarily, personal data ought to be collected directly from the data subject and not from any other source. The permitted instances where the data may be collected from a different source are, among others, where the data is contained in a public record, the data subject has deliberately made the data public, the data subject has consented to the collection of the information from another source, or the collection of the data from another source is not likely to prejudice a legitimate interest of the data subject.
In collecting data from data subjects, the data controller must ensure that the data subject is aware of the nature of the data being collected, the name and address of the person responsible for the collection, the purpose for which the data is required for collection, whether or not the supply of the data by the data subject is discretionary or mandatory, the consequences of failure to provide the data, the authorised requirement for the collection of the information or the requirement by law for its collection, the recipients of the data, the nature or category of the data, and the existence of the right of access to and the right to request rectification of the data collected before the collection.
However, these requirements shall not apply in certain instances which are listed as follows:
- to avoid the compromise of the law enforcement power of a public body responsible for the prevention, detection, investigation, prosecution or punishment of an offence
- for the enforcement of a law which imposes a pecuniary penalty
- for the enforcement of legislation which concerns revenue collection
- for the preparation or conduct of proceedings before a court or tribunal that have been commenced or are reasonably contemplated
- for the protection of national security
- to avoid the prejudice of a lawful purpose
- to ensure that the data cannot be used in a form in which the data subject is identified, or
- because the data is to be used for historical, statistical or research purposes.
Registration of data controller
The Data Protection Act mandates any data controller who intends to process personal data to register with the Data Protection Commission.
It is an offence for a data controller to process data without registering with the Data Protection Commission, which is punishable either by a fine or imprisonment or both.
Are there any remedies for failing to comply with the provisions of the Act?
Section 43 provides that where an individual suffers damage or distress through the contravention by a data controller of the requirements of this Act, that individual is entitled to compensation from the data controller for the damage or distress.
Data controllers should therefore be mindful not to violate the provisions of the Data Protection Act.
Conclusion
The enactment of the Data Protection Act is a step in the right direction to getting companies and individuals to participate in the protection of the fundamental human rights of citizens and individuals across the globe. This provides some form of safety and assurance that individuals can live with some degree of comfort knowing that their privacy rights are protected.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.