DPA releases the Data Protection Act (Act 843)

Owing to the controversial definition of ‘Privacy of Data” in Africa and beyond, the Data Protection Commission (DPC) has positioned itself as a gateway to Africa by trailblazing the delivering of its supervisory mandate to International best practice standards.

To this end, the Commission has enforced the Data Protection Act 2012 (Act 843) to raise national awareness on the need for data protection.

The Commission released a press statement detailing the need for privacy of data, the extent of applicability of data privacy and the need for organizations to register with the Data Protection Commission.

Details of the Data Protection Act which requires data collection and processors who control or process and use personal data to register with DPC are captured in the document below;

Read full statement below


THE DATA PROTECTION ACT, 2012 ACT 843

NATIONAL AWARENESS


PURPOSE: BRIEF TO MEDIA PARTNERS.

BACKGROUND:

THE DATA PROTECTION ACT 2012, (ACT 843)

Act 843 sets out the rules and principles governing the collection, use disclosure and care for personal data or information by a Data Controller or processor.

The Data Protection Commission (DPC) is mandated by Act 843 Sec 2 to:
“Protect the privacy of the individual and personal data by regulating the processing of personal information, and provide the process to obtain, hold, use or disclose personal information”.

The DPC is positioning itself as a gateway to Africa by trailblazing the delivering of its supervisory mandate to international best practice standards. The Commission has implemented this continents first training of Privacy Practitioners to European standards thus introducing a new internationally recognized career path in this niche industry for Africa.

The Commission is committed to contributing effectively to the national transformation agenda by underpinning the efforts to safeguard and protect the rights of individuals through the enforcement of the requirements of the Data Protection Act, 2012 (Act 843).

To this end, the Commission entreats all “Data Controllers” to demonstrate their accountability and compliance with the Data Protection Act, 2012 (Act 843)

COMPLIANCE WITH THE DATA PROTECTION COMMISSION.

Compliance with Data Protection Act applies to organisations in all sectors, both public and private and third sectors/NGOs. It also applies to all electronic records as well as many paper records.
Act 843 binds all Data Controllers under Section 27 (1); “a Data Controller who intends to process personal data shall register with the Commission”.

WHO IS A DATA CONTROLLER – Sec.96

A person who is either alone or jointly with other persons or in common with other persons or as a statutory duty determines the purpose for and the manner in which personal data is processed or is to be processed.

WHAT IS PERSONAL DATA – Sec.96

It is data about an individual who can be identified from data or other information in the possession of or likely to come into the possession of the Data Controller. E.g. employee’s data.

WHO IS A DATA SUBJECT – Sec.96

An individual who is the subject of personal data, in order words a person whose data such as date of birth, place of birth, telephone number, employment and medical information etc. could be linked to them and is in the possession of, or likely to come into the possession of the data controller.

OBLIGATIONS OF DATA CONTROLLERS

Register with the Data Protection Commission – renewal every 2 year (Act 843, Sec.50)

Implement appropriate technical and organizational measures (Act, Sec.28)

Practically, the above requires entities to:

o Implement appropriate (state-of-the-art) security measures

o Implement data protection and other sector specific policies

o Digitized and centralized records management and documentation

o Implement an enterprise level risk management

Appoint a Data Protection Supervisor (Act 843, Sec.58)

Demonstrate compliance to the Act proactively and on request (Act 843, Sec.27)
Notification of breaches without undue delay (Act 843, Sec.31)

APPOINT A DATA PROTECTION SUPERVISOR – Sec.58

Section 58 – Controller shall appoint “a certified and qualified ‘’ Data Protection Supervisor (DPS)

Section 58 (2) Tasks of the Data Protection Supervisor: He /She could be an employee

To inform and advise of obligations

To monitor compliance

To provide advice with Data Protection Impact Assessment (DPIA)

To cooperate and liaise with DPC

To monitor performance

To have due regard to risk associated with processing operations

The DPS is a strategic role that develops, coordinates and manages an organization’s privacy strategy/program.

o Ensure that operation and business adhere to the relevant data protection laws

o Ensures DP considerations and processes are incorporated into business practices

o Has a dual responsibility to the Institution and the Data Protection Commission.

WHAT IS PROCESSING? (Sec. 96)

Any operation or activity or set of operations which is performed on person data or on sets of personal data, whether or not by automated means such as collection, recording, organization, storage, viewing, alteration, retrieval, restriction or destruction.

THE PRINCIPLES OF PROCESSING. (Sec.17)

Under the Data Protection Act, 2012 (Act 843), there are 8 principles. Processing of individuals personal data must follow these principles to ensure that the data been processed are:

• Processed fairly, lawfully and transparently

• Processed only for specified, explicit and legitimate purposes.

• Adequate, relevant and limited.

• Accurate (and rectified if inaccurate).

• Not kept for longer than necessary.(minimum necessary)

• Processed securely - to preserve the Confidentiality, Integrity and Availability of the personal data.

• Processed with the participation of Data Subjects

• Processed ensuring compatibility of further processing with purpose of collection.

RIGHTS OF DATA SUBJECTS.

Under the Data Protection Act, Data Subjects are guaranteed some rights as stated below;

• The right to access your personal information.

• You have the right to request amendment (correction and deletion)

• The right to prevent processing of your personal information.

• The right to prevent automated decision making.

• The right to prevent processing of personal data for direct marketing purpose.

• The right to seek compensation through courts.

• The right to complain to the Data Protection Commission.

THE NEED TO REGISTER WITH THE DATA PROTECTION COMMISSION.

The Data Protection Act, 2012 (843) requires Data Controllers & Processors who control or process and use personal data to register with the DPC (Section 27).

All Data Controllers who intend to collect personal data must ensure that the Data Subject is aware of the nature of the data being collected, the contact information Data Protection Supervisors, the purpose for collection, as well as legal grounds for the collection of the personal data.
WHAT NEXT!!

1. REGISTER WITH THE COMMISSION

To register kindly visit www.dataprotection.org.gh

2. APPOINT A DATA PROTECTION SUPERVISOR (DPS)

Get someone trained by the DPC

3. IMPLEMENT A PRIVACY PROGRAM

DPS should commence work

4. ASSESS YOUR COMPLIANCE REPORT

Produce a compliant report