ARTICLE
6 June 2025

Responsible AI Use In Ghana: Legal Compliance At The Crossroads Of Data Protection And Cybersecurity.


Introduction

In today's digital economy, data has become a valuable asset, often referred to as the "new oil"1. It powers innovation and enables businesses to optimize operations and personalize services.2 However, with this power comes the great responsibility of handling personal data with care. As businesses increasingly integrate Artificial Intelligence (AI) into their operations, it is critical to understand the intersection between AI, data protection, and cybersecurity compliance. The rise of the use and availability of AI and other digital tools3 increases the potential risks of data mismanagement, including security breaches, legal non-compliance, financial losses, and reputational harm.4 To mitigate these risks, businesses must handle personal data responsibly and implement appropriate cybersecurity precautions and data protection compliance structures.

AI systems typically rely on large data sets, often containing sensitive personal information, making them particularly vulnerable to data breaches and cybersecurity incidents. Ghana's legal framework imposes clear obligations on institutions that process personal data or operate critical systems, especially in the event of security breaches involving personal data. For businesses operating in or expanding into Ghana, understanding local data protection and cybersecurity laws is essential, not just for regulatory compliance, but also to earn the trust of clients, employees, and stakeholders.

The Legal Framework: Ghana's Data Protection Act

Ghana's data protection legal framework is anchored in the Data Protection Act, 2012 (Act 843) ("DPA"), enacted in accordance with the 1992 Constitution of Ghana, which guarantees the right to privacy.5 The DPA was enacted to safeguard personal data and ensure this fundamental right is upheld in the processing of personal data. The DPA provides guidelines on how personal data should be collected, stored, processed, and shared. It also established6 the Data Protection Commission ("DPC") to regulate data protection and oversee compliance.7 The DPA further defines the obligations of Data Controllers and Data Processors, as well as the rights of Data Subjects.

Additionally, Ghana has signed and ratified the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention)8 and is a signatory to the Economic Community of West African States (ECOWAS) Supplementary Act A/SA.1/01/10 on Personal Data Protection, showing the country's commitment to meeting international data protection standards.

Ghana's data protection regime, as established under the DPA, recognises three principal actors in the governance and processing of personal data:

  1. Data Controllers: entities or persons that determine the purposes and methods of processing personal data, either alone, jointly, or through statutory authority9;
  2. Data Processors: persons other than an employee of the data controller who processes the data on behalf of the data controller10; and
  3. Data Subjects: an individual who is the subject of personal data11.

What Should Business Owners Know in Terms of Data Protection in Ghana

Applicability of the DPA to Businesses

The DPA applies to all businesses that process personal data, regardless of size or industry; whether it is a small start-up or a large corporation.12 The DPA however does not apply to data that originates outside of Ghana and merely transits through Ghana.13

How AI Works and Its Relationship with Data Protection

AI technologies rely heavily on personal data14, using it to power processes like machine learning. These systems can analyze patterns and make decisions that impact everything from personalized recommendations to financial assessments. However, the extensive data use in emerging technologies also raises important ethical questions such as: "How are individuals' personal data being used?", "Who has access to the personal data?", "Is the data sufficiently anonymized before its input into AI systems?", and "What are the potential long-term implications for individual privacy and autonomy?".

Understanding the risk landscape of AI deployment is essential to equipping organizations to address the new challenges raised by the increased use of AI-enabled technology.15 In the context of data privacy, risk manifests in several areas, including financial, reputational, and regulatory exposure. Data privacy risks, in particular, pose a significant threat to the privacy rights and freedoms of individuals.

The 2023 Privacy AI Governance Report identified several critical risks associated with the use of AI systems that organizations must carefully navigate. These include:16

  1. Bias in AI which may result in harm to individuals and potential fines for non-compliance;
  2. Lack of appropriate governance which may lead to inefficient administrative processes and failure to identify or mitigate privacy risks;
  3. Changing regulatory environment which results in legal uncertainty regarding AI systems;
  4. Lack of available skilled personnel within the organization creating a gap in available resources prepared to tackle new challenges;
  5. Use of third parties as vendors or contractors which amplifies organizational liability and complicates assessments of compliance responsibilities between controllers and processors;
  6. The data-intensive nature of training AI systems, particularly when privacy best practices are not embedded in the development process, which poses considerable privacy risks including unauthorized collection, use, or disclosure of personal data;
  7. The existence of AI systems on a connected network which increases the security risks surrounding the network, including insider threats, model exploitation and data breaches.

The DPA sets out eight basic principles including accountability, lawfulness of processing and specification of purpose, which serve as the cornerstone of lawful and responsible data handling and must be adhered to by all data controllers and processors operating within the jurisdiction.17

As AI becomes an integral part of modern business operations, organizations in Ghana must ensure that their deployment of AI systems complies with the core data protection principles set out in the DPA. This is particularly critical where AI applications involve the collection, use, or analysis of personal data. The following are key legal and ethical considerations which must be contemplated by businesses integrating AI tools into their processes:

a. Consent to Processing with AI

Data should only be processed with the prior consent of the data subject18 and such consent must be freely given, informed, and specific.19 Business owners must ensure that data subjects are informed of their right to object and withdraw their consent to the processing of their data at any time.20 AI complicates informed consent due to its complexity and lack of transparency. Companies should implement clear and accessible consent notices or pop-up disclosures that use plain language to inform users about their rights and obtain valid consent for the processing of personal data in AI tools, third-party sharing, analytics and other automated processing activities.

b. Automated Decision-Making with AI

Data subjects have the right to submit a written notice to a data controller at any time, requesting that any decision which significantly affects them must not be based solely on the automated processing of their personal data.21 If a decision that significantly affects an individual is made solely on the basis of automated processing, the DPA imposes specific obligations on the data controller to promptly notify the individual that the decision was made through automated means and inform them about their right to request a review or reconsideration of the decision. This provision ensures that data subjects are not unfairly impacted by automated decisions and are given a fair opportunity for recourse.

Business owners that deploy AI systems for decision-making must incorporate meaningful human oversight and ensure that data subjects have the right to challenge and seek review of automated decisions. This requirement is crucial to mitigating the risk of bias inherent in some AI models, which can lead to unfair or discriminatory outcomes.

A notable example of such a discriminatory outcome occurred in relation to Amazon's experimental AI recruitment tool, which was ultimately discontinued after it was discovered that the system had taught itself to favour male candidates. The AI penalised résumés that included the word "women's", reflecting underlying biases in the data used to train the model. Such outcomes highlight the importance of human oversight and algorithmic accountability to protect individuals from discriminatory impacts of automated decision-making.22

c. Data Retention and AI

Businesses should retain personal data only for as long as is necessary to achieve the purpose for which it was collected.23 In the context of commercial AI usage, clear retention policies must be in place to specify how long training and user data are stored. After the retention period, data must be securely deleted, anonymized or pseudonymised. Retaining data "indefinitely" for future AI use without a legal basis constitutes a breach of the DPA provisions.24 This is particularly important when the data is retained for purposes not originally contemplated by the data controller at the time the data subject gave their informed consent, because further processing for purposes incompatible with the original collection purpose would be illegal.25

d. Data Breach Notification Obligation

AI systems existing on an interconnected network increase security risks, including insider threats, model exploitation and data breaches.26 Data controllers are obligated to implement reasonable security measures to protect personal data, including technical and organizational safeguards to prevent unauthorized access or processing, data loss or damage, or breaches.27

In the event that data controllers or processors reasonably believe that personal data has been accessed or obtained through unauthorized access or a security breach, they are legally obligated to notify the DPC and the affected data subject(s).28 These notification obligations are triggered when the breach compromises the confidentiality, integrity, or availability of personal data processed or stored by AI systems or other digital platforms.

Failure to promptly report such breaches not only exposes affected individuals to harm but also places businesses at risk of regulatory sanctions and reputational damage. Consequently, businesses leveraging AI must implement robust technical and organisational measures to detect, report, and mitigate data breaches in accordance with the DPA.

Incident Reporting under the Cybersecurity Act, 2020 (Act 1038)

Incident Reporting Obligation

In addition to the obligations imposed by the DPA, the Cybersecurity Act, 2020 (Act 1038) establishes mandatory cybersecurity incident reporting requirements for owners and managers of Critical Information Infrastructure (CII) operating in Ghana.29 CII refers to systems considered essential to national security or the economic and social well-being of citizens.30 Owners of CII must report cybersecurity incidents to the relevant Computer Emergency Response Team (CERT) within 24 hours of detection.31

A cybersecurity incident may broadly be defined to include any act, whether successful or attempted, involving unauthorized access to, disruption of, or misuse of an information system or the data stored within it.32 Given that AI tools often interact with cloud-based systems and third-party APIs33, they are particularly susceptible to such vulnerabilities.

The Cybersecurity Authority of Ghana ("CSA") oversees national incident response coordination through the National CERT34, as well as Sectoral CERTs dedicated to specific critical sectors.35 For example36:

  1. The Bank of Ghana's Security Operations Centre handles incidents in the financial sector.
  2. The National Communications Authority CERT addresses telecommunications sector incidents.
  3. The NITA Security Operations Centre oversees government ICT infrastructure.

Entities and individuals not affiliated with any Sectoral CERT may report cybersecurity incidents directly to the National CERT via the designated point of contact.37

Therefore, in the event of a cybersecurity incident involving the use of AI deployed by a business that results in a data breach, the business will also be obligated to notify the relevant Computer Emergency Response Teams as part of its incident reporting duties.

Sanctions for Non-Compliance

Failure by an owner of a CII to report a cybersecurity incident in accordance with statutory obligations will result in an administrative penalty ranging from 250 penalty units to 10,000 penalty units (GHS 3,000.00 to GHS 120,000.00).38

For businesses that do not fall within the definition of a CII, the head of the institution is still required to report any detected cybersecurity incident to the relevant Sectoral CERT or the National CERT within 24 hours. Failure to comply with this reporting obligation may result in an administrative penalty ranging from 250 to 5,000 penalty units (GHS 3,000.00 to GHS 60,000.00).39

Business Integration with AI Use

Given the data-intensive and often automated nature of AI tools, businesses must adopt a holistic approach, ensuring that their AI deployment strategies are embedded within a compliance framework that integrates both data protection and cybersecurity. This includes:

  1. Implementing robust data governance policies;
  2. Ensuring incident response protocols are in place;
  3. Appointing a Data Protection Supervisor where necessary; and
  4. Training staff on data security and cybersecurity risks.

Failure to align AI operations with these legal requirements may result in severe regulatory consequences, particularly in cases of data breaches or cyberattacks affecting personal data processed through AI systems. As the use of AI systems and other data intensive innovations becomes more prevalent in society, data controllers must be vigilant about data usage policies, implement adequate safeguards, and remain accountable to both the DPC and the CSA. Compliance is not only a legal obligation but also a critical trust-building measure in the responsible deployment of AI.

Footnotes

1 Bogdan Halcu, 'Personal Data: The New "Oil" of The Digital Economy' (Chambers and Partners, November 29, 2016), at https://chambers.com/articles/personal-data-the-new-oil-of-the-digital-economy last accessed 21 May 2025 and Kiran Bhageshpur (Forbes Technology Council), 'Data Is The New Oil -- And That's A Good Thing' (Forbes, November 15, 2019), at https://www.forbes.com/councils/forbestechcouncil/2019/11/15/data-is-the-new-oil-and-thats-a-good-thing/ last accessed 21 May 2025.

2 ITonDemand, 'Why Data is Your Most Valuable Business Asset' (February 14, 2025), at https://itondemand.com/2025/02/14/why-data-is-your-most-valuable-business-asset/ last accessed 7 May 2025.

3 Ibid; World Bank Group, 'Digital Transformation', (World Bank, April 21 2025) at https://www.worldbank.org/en/topic/digital/overview#1 last accessed 7 May 2025.

4 See ITonDemand, 'Why Data is Your Most Valuable Business Asset' (February 14, 2025), at https://itondemand.com/2025/02/14/why-data-is-your-most-valuable-business-asset/ last accessed 7 May 2025.

5 The 1992 Constitution of Ghana, Article 18(2).

6 Data Protection Act, 2012 (Act 843), Section 1.

7 See ibid, Sections 2 and 3.

8 AU, 'African Union Convention on Cyber Security and Personal Data Protection Status List', at https://au.int/sites/default/files/treaties/29560-sl-AFRICAN_UNION_CONVENTION_ON_CYBER_SECURITY_AND_PERSONAL_DATA_PROTECTION.pdf last accessed 12 May 2025.

9 Data Protection Act, 2012 (Act 843), Section 96.

10 Ibid.

11 Ibid.

12 See Data Protection Act, 2012 (Act 843), Section 45(1).

13 Ibid, Section 45(4).

14 DataGuard Insights, 'The Growing Data Privacy Concerns with AI: What You Need to Know' (DataGuard, 4 September 2024) https://www.dataguard.com/blog/growing-data-privacy-concerns-ai/ accessed 29 April 2025.

15 International Association of Privacy Professionals and FTI Consulting, 'Privacy and AI Governance Report' p 4 (January 2023) at https://iapp.org/media/pdf/resource_center/privacy_ai_governance_report.pdf last accessed 29 April 2025.

16 International Association of Privacy Professionals and FTI Consulting, 'Privacy and AI Governance Report' p 12 (January 2023) at https://iapp.org/media/pdf/resource_center/privacy_ai_governance_report.pdf last accessed 29 April 2025.

17 Data Protection Act, 2012 (Act 843), Section 17.

18 Data Protection Act, 2012 (Act 843), Section 20.

19 Ibid, Sections 27 and 35.

20 Ibid, Section 20.

21 Ibid, Section 41.

22 The Guardian, 'Amazon ditched AI recruiting tool that favored men for technical jobs' (The Guardian Newspaper, Thursday 11th October 2018) at https://www.theguardian.com/technology/2018/oct/10/amazon-hiring-ai-gender-bias-recruiting-engine last accessed 20 May 2025.

23 Data Protection Act, 2012 (Act 843), Section 24.

24 Ibid.

25 Ibid, Section 25.

26 International Association of Privacy Professionals and FTI Consulting, 'Privacy and AI Governance Report' p 12 (January 2023) at https://iapp.org/media/pdf/resource_center/privacy_ai_governance_report.pdf last accessed 29 April 2025.

27 Data Protection Act, 2012 (Act 843), Section 28(1).

28 Data Protection Act, 2012 (Act 843), Section 31.

29 Cybersecurity Act, 2020 (Act 1038), Section 39.

30 Ibid, Section 35.

31 Ibid, Sections 47(5) and 39(1)(a).

32 Cybersecurity Act, 2020 (Act 1038), Section 97.

33 Arya Ai, 'What are AI APIs, and How Do They Work?' at https://arya.ai/blog/what-are-ai-apis-and-how-do-they-work#:~:text=An%20AI%20API%20is%20a,artificial%20intelligence%20and%20machine%20learning last accessed 20 May 2025.

34 Cybersecurity Act, 2020 (Act 1038), Section 42.

35 Ibid, Section 44.

36 Cybersecurity Authority, Ghana's CERT ecosystem, at https://www.csa.gov.gh/sectoral-cert#:~:text=Ghana's%20Computer%20Emergency%20Response%20Team%20(CERT)%20Ecosystem&text=The%20National%20CERT%20(CERT%2DGH,international%20stakeholders%20including%20sectoral%20CERTs last accessed 20 May 2025.

37 Cybersecurity Act, 2020 (Act 1038), Section 48(3).

38 Ibid, Section 39(2)(a) and Second Schedule.

39 Cybersecurity Act, 2020 (Act 1038), Section 47 and Second Schedule.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
