Data Protection Commission positioning itself as gateway to Africa

The Data Protection Commission (DPC) is positioning itself as a gateway to Africa by trailblazing the delivering of its supervisory mandate to international best practice standards.

A statement issued by the DPC and copied to the Ghana News Agency said the Commission had implemented the continent’s first training of Privacy Practitioners to European standards thus introducing a new internationally recognised career path in this niche industry for Africa.

It said the Commission was committed to contributing effectively to the national transformation agenda by underpinning the efforts to safeguard and protect the rights of individuals through the enforcement of the requirements of the Data Protection Act, 2012 (Act 843).

To this end, the Commission entreats all “Data Controllers” to demonstrate their accountability and compliance with the Data Protection Act, 2012 (Act 843).

It said Act 843 sets out the rules and principles governing the collection, use disclosure and care for personal data or information by a Data Controller or processor.

The statement said DPC was mandated by Act 843 Sec 2 to “Protect the privacy of the individual and personal data by regulating the processing of personal information, and provide the process to obtain, hold, use or disclose personal information”.

It said compliance with Data Protection Act applies to organisations in all sectors, both public and private and third sectors/NGOs.

The statement said it also applies to all electronic records as well as many paper records.

It said Act 843 binds all Data Controllers under Section 27 (1); “a Data Controller who intends to process personal data shall register with the Commission”.

It said a person who was either alone or jointly with other persons or in common with other persons or as a statutory duty determines the purpose for and the manner in which personal data is processed or is to be processed.

It noted that it was data about an individual who could be identified from data or other information in the possession of or likely to come into the possession of the Data Controller, such as employee’s data.

It said an in individual who was the subject of personal data, in order words a person whose data such as date of birth, place of birth, telephone number, employment and medical information, could be linked to them and was in the possession of, or likely to come into the possession of the data controller.

On the obligation of Data Controllers, it said they were register with the DPC, subject to renewal every two year (Act 843, Sec. 50).

On what is processing, the statement said any operation or activity or set of operations which was performed on person data or on sets of personal data, whether or not by automated means such as collection, recording, organisation, storage, viewing, alteration, retrieval, restriction or destruction.

It noted that under the Data Protection Act, Data Subjects were guaranteed some rights; such as the right to access personal information, the right to request amendment (correction and deletion) and the right to prevent processing of your personal information.

It said the Data Protection Act, 2012 (843) requires Data Controllers and Processors who control or process and use personal data to register with the DPC (Section 27).

It noted that all Data Controllers who intend to collect personal data must ensure that the Data Subject was aware of the nature of the data being collected, the contact information Data Protection Supervisors, the purpose for collection, as well as legal grounds for the collection of the personal data.