Assessing Data Protection & Privacy Laws in Ghana
A major area of policy that immensely impacts the provision of cloud services is data privacy. Although cloud computing is still in its infancy in Ghana, the current laws protecting people who use facilities offered by cloud service providers are moderately adequate. Cloud computing has legal protection in Ghana under the country’s Data Protection Act, Electronic Communications Act, Electronic Transactions Act and Copyright Law, which meet “international standards”. A draft cyber-crime policy also exists, but it would require significant expansion to align Ghana with international models.
Cloud service is primarily seen as a data-processing service in Ghana, and with the passing of Ghana’s data protection laws, the privacy of data subjects is strongly protected under Ghanaian law.
One of the main factors enhancing the development and deployment of cloud computing in Ghana is the presence of a dedicated data protection act. Additionally, under the constitution of Ghana, an individual’s right to ownership of information and privacy was set out by parts of the country’s Intellectual Property Law.
No clear rights on data protection existed until the Electronic Transactions Act and the Electronic Communications Act were enacted in 2008 by the legislative instrument of Ghana. Ghana’s Data Protection Act was eventually passed by an Act of Parliament in 2012 to protect the privacy of the individual and personal data.
The Data Protection Act, 2012
As stated earlier, Ghana’s Data Protection Act necessitated the establishment of a Data Protection Commission (“Regulator”) whose main objective is to see to the protection of the privacy of individuals and their personal data, by regulating the processing of personal information, and to provide the process to obtain, hold, use or disclose personal information and for related matters. The Data Protection Act is centred on the principles of information handling, which give individuals specific rights in connection with their personal information and place certain obligations on the businesses and organizations in charge of processing it.
The Act covers a wide scope of both the public and private sector and offers a general level of privacy to uphold the data privacy rights of Ghanaians irrespective of where data is transferred and processed. Although the Act has some special provisions, its main principles are in agreement with the Organisation for Economic Co-operation and Development (“OECD”) guidelines on data privacy, and might also be as wide-ranging as the European Union’s Data Protection Directive.
Data Processing and Storage in Ghana
The Data Protection Act, 2012 prohibits the export of personal data unless the data controller “ensures an adequate level of protection”, as certified by the Act.
In terms of an individual’s data privacy, Section 17 of the Data Protection Act, 2012 states emphatically that any person who processes data shall take into account the privacy of the individual by applying the following principles:
(a) accountability;
(b) lawfulness of processing;
(c) specification of purpose;
(d) compatibility of further processing with purpose of collection;
(e) quality of information;
(f) openness;
(g) data security safeguards; and
(h) data subject participation.
This is in line with the eight principles of the OECD’s guidelines governing the protection of privacy and trans-border flows of personal data. The OECD’s guiding principles are collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability.
All Ghanaian citizens therefore have the right to personal data privacy, and based on this provision an individual can initiate an action against a breach of data privacy by any cloud service provider (“data processor”).
The Data Controller and Processor in the Cloud
According to Section 96 of Ghana’s Data Protection Act, a “data controller” means a person who, either alone, jointly with other persons or in common with other persons, or as a statutory duty, determines the purposes for and the manner in which personal data is processed or is to be processed. In cloud computing, it is mostly the cloud customer who determines the purposes for which and the manner in which any personal data is processed. This implies that the cloud customer, under Ghana’s Data Protection Act, is most likely to be the data controller and therefore will have overall responsibility for complying with the Data Protection Act.
A “data processor”, in relation to personal data, means any person other than an employee of the data controller who processes the data on behalf of the data controller. The precise role of a cloud service provider needs to be examined with respect to whether or not it is processing personal data, since a cloud service provider can sometimes act as a “data processor” on behalf of the data controller, and at other times operate as a data controller in its own capacity.
Section 96 of the Data Protection Act also defines “processing” as an operation or activity or set of operations by automatic or other means that concerns data or personal data and the:
(a) collection, organization, adaptation or alteration of the information or data;
(b) retrieval, consultation or use of the information or data;
(c) disclosure of the information or data by transmission, dissemination or other means available; or the
(d) alignment, combination, blocking, erasure or destruction of the information or data.
Based on this definition, the actions of a cloud service provider in relation to storing data can be termed data processing. Section 18 (1) of the Data Protection Act therefore sets out clear guidelines for the processing of personal data by requiring that any person who processes personal data shall ensure that the personal data is processed:
(a) without infringing on the privacy rights of the data subject;
(b) in a lawful manner; and
(c) in a reasonable manner.
Standards for the Collection of Personal Data in Ghana
Ghana’s Data Protection Act establishes benchmarks by which every data controller in Ghana must operate. These benchmarks apply whenever someone (either a company or an individual) collects personal data that can be linked to a specific individual in Ghana. Data collection or processing that does not meet the standards is prohibited. The required standard for the collection of personal data, articulated in Sections 21 to 23 of the Data Protection Act, states that personal data must be collected directly from the data subject, and may be collected indirectly only if: the data is contained in a public record; the data subject has deliberately made the data public; the data subject has consented to the collection of the information from another source; the collection is not likely to prejudice a legitimate interest of the data subject; or the collection is for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law.
Other standards for data collection are set out in Section 22, which stipulates that a data controller who collects personal data shall collect the data for a purpose which is specific, explicitly defined and lawful, and is related to the functions or activity of the person.
Finally, Section 23 emphasizes that before any data collection is embarked on, the data subject must be made aware of the purpose of the collection.
Per these provisions and standards for collecting personal data, all foreign firms must comply with this Act whenever they process personal data involving Ghanaian citizens.
Registration of Data Controllers under Law
Section 46 of the Data Protection Law provides a directive for the setting up of a Data Protection Register (“the Register”). The Data Protection Commission’s main objective is to keep and maintain the Register and to register all data controllers who process data with the Commission. Data controllers are expected to renew their registration every 2 years under this Act.
The Act also states unequivocally under Section 53 that a data controller who has not been registered under the Act shall not process personal data, rendering their services illegal until the proper registration procedures have been followed. Companies in Ghana that store sensitive information with cloud service providers are, as a result, obligated to register with the Data Protection Commission in order to render their actions legal.
Demand for Written Contracts
The Data Protection Act, 2012 stipulates that whenever a data controller discloses personal data to a data processor, there must be a written contract in place rather than a mere data sharing agreement. The data controller is also required to ensure that the data processor abides by the relevant security laws in place.
Cloud customers in Ghana are therefore required by law to enter into a written agreement with cloud providers, and it is important for the contract to include service level agreements (“SLAs”) stating specific parameters and minimum levels for each element of the service provided. This written contract needs to outline the obligations and responsibilities of the parties and must conform to Ghana’s data privacy laws.
Cross-Border Transfer of Data in Ghana
Section 45(1) of Ghana’s Data Protection Act explains who this law applies to in terms of where data originates from and is stored. It states that, except as otherwise provided, the Act applies to a data controller in respect of data where:
(a) the data controller is established in this country and the data is processed in this country;
(b) the data controller is not established in this country but uses equipment or a data processor carrying on business in this country to process the data; or
(c) the processing is in respect of information which originates partly or wholly from this country.
Subsection (4) goes on to explain that this Act does not apply to data which originates externally and merely transits through this country.
Section 30 (4) stipulates that where a data processor is not domiciled in this country, the data controller shall ensure that the data processor complies with the relevant privacy laws of this country. If a data processor is domiciled in Europe or the USA, the data controller needs to make sure that the data processor does not breach any laws and complies with all security measures of the country, by ensuring that the data processor establishes and maintains the confidentiality and security measures necessary to ensure the integrity of the personal data, as outlined in Section 30 (3).
Any individual who is not in Ghana and whose data is being processed in the country is still covered by the data laws of their originating country. That is according to Section 18 (2), which provides that a data controller or processor shall, in respect of foreign data subjects, ensure that personal data is processed in compliance with the data protection legislation of the foreign jurisdiction of that subject where personal data originating from that jurisdiction is sent to this country for processing.
Government Threat to Data Security
The government of Ghana has the authority to access personal data stored in the cloud even without a warrant or judicial approval, if an individual holds stored data which is deemed to be a threat to national security.
Under a more secure and trusted data privacy practice, it would be mandatory for the government to obtain a warrant before issuing an order to access the processed data of an individual that is not readily accessible to the public.
Section 60 (2) further gives the Minister of Communications the power to order that any processed data be accessed, even if there has been no judicial review or court finding that there are reasonable grounds to necessitate that action.
Notwithstanding this, Section 60 (4) allows anybody who is directly affected by an order of the Minister to access an individual’s personal data to seek redress in court, so as to determine whether the actions of the Minister are lawful or not.
In this respect, the Government of Ghana presents a threat to data security. In some countries, the instances in which government bodies such as the police or intelligence agencies may access personal data are not clear to cloud providers or their customers. This remains a challenge for Ghanaian cloud providers, who might find it difficult to convince customers in other countries that Section 60, which grants the Ghanaian Government the authority to access data in support of national security or intelligence gathering activities, does not mean there is a risk that their right to data privacy would be infringed upon.
Data Privacy Enforcers: Mandates of the Data Protection Commission in Ghana
As required by the revised OECD guidelines, there is a need to establish and maintain “privacy enforcement authorities”. The Data Protection Act establishes the Data Protection Commission as the central privacy regulator in Ghana, tasked under Section 75 with the enforcement of the Act and with the power to conduct investigations or bring proceedings in the course of enforcement. As the OECD recommends for all privacy enforcement authorities, the Data Protection Commission is endowed with the resources and authority to:
(a) deter and sanction violations of laws protecting privacy;
(b) permit effective investigations, including the ability to obtain access to relevant information, relating to possible violations of laws protecting privacy; and
(c) permit corrective action to be taken against data controllers engaged in violations of laws protecting privacy.
The Electronic Communications Act, 2008
The Electronic Communications Act was passed by the parliament of Ghana in 2008. The Act was set up to provide for the regulation of electronic communications, the regulation of broadcasting, the use of the electro-magnetic spectrum and for related matters. Some sections of the Electronic Communications Act also place limits on how personal data may be accessed lawfully.
Under confidentiality and disclosure of personal information, Section 79 of the Act explicitly states that a person who intentionally (a) discloses communication which that person knows was obtained in contravention of this Act, or (b) uses or discloses personal information in contravention of this Act, commits an offence and is liable on summary conviction to a fine of not more than one thousand five hundred penalty units or to a term of imprisonment of not more than four years or both.
Electronic Transactions Act, 2008
The Electronic Transactions Act, 2008 was set up by the legislative instrument of Ghana to provide for the regulation of electronic communications and related transactions, and to provide for connected purposes.
As noted by the OECD in 2000, an electronic transaction is the sale or purchase of goods or services, whether between businesses, households, individuals, governments, or other public or private organizations, conducted over computer-mediated networks. The goods and services are ordered over those networks, but the payment and the ultimate delivery of the good or service may be conducted on- or off-line.
Definition of “Electronic Record” under the Electronic Transactions Act, 2008
The Electronic Transactions Act defines “electronic record” as data generated, sent, received or stored by electronic means, including: (a) voice, where voice is used in an automated transaction; and (b) a stored record.
As cloud computing also involves the storage of data, any aspects of the Electronic Transactions Act in respect of electronic records legally apply to the transmission and storage of data in the cloud.
Law Governing Digital Signatures in Ghana
“Digital signature”, under Section 144, is interpreted as data attached to, incorporated in, or logically associated with other data, and which is intended by the user to serve as a signature.
Digital signatures are often offered as part of cloud services and enable customers and partners to sign their documents online quickly and securely, improving performance while significantly expediting process times.
Digital signatures are ideal for cloud applications since they can be easily integrated into existing business processes, whether installed alongside the cloud offering or hosted online. A digital signature engine is usually hosted in a location which could be outside the organisation, so that users can sign through a web interface without having to install software.
Digital signatures have been given clear legal weight under Section 10 of the Electronic Transactions Act.
Section 10 of the Act provides that:
(1) Where a law requires the signature of a person, that requirement is deemed to be satisfied in relation to an electronic record if a digital signature is used.
(2) A digital signature is deemed to be authentic if:
(a) the means of creating the digital signature is, within the context in which it is used, linked to the signatory and not to another person;
(b) the means of creating the digital signature was, at the time of signing, under the control of the signatory and not another person, without duress or undue influence; and
(c) an alteration to the digital signature, made after the time of signing, is detectable.
(3) Subsection (2) does not limit the right of a person:
(a) to prove the authenticity of a digital signature in any other way; or
(b) to adduce evidence in respect of the non-authenticity of a digital signature.
The Act also defines the conduct of any person relying on a digital signature under Section 13 as follows: A person who relies on a digital signature shall bear the legal consequences of failure to:
(a) take reasonable steps to verify the authenticity of a digital signature; or
(b) take reasonable steps, where a digital signature is supported by a certificate, to:
(i) verify the validity of the certificate; or
(ii) observe any limitation with respect to the certificate.
Law Governing Data Encryption in Ghana
Encryption is a critical requirement for securing data files, and helps to protect against data breach incidents and threats. Cloud encryption services are currently being offered by cloud storage providers, where data or text is transformed using encryption algorithms before storage in the cloud.
The Electronic Transactions Act provides laws that govern data encryption. Section 28 prohibits any person from selling or providing encryption or authentication services contrary to the provisions of this Act.
According to Section 29, an encryption or authentication service or product is deemed to have been provided in the country if it is made available:
(a) from a premises within the country;
(b) from a body incorporated in the country;
(c) to a person who is present or operating from any system in the country, when that person makes use of the service or product; or
(d) from a Ghanaian-associated or -related domain name or website.
Certifying Agency: Regulating Data Encryption
The Certifying Agency was established by the National Information Technology Agency (NITA). NITA, established under the National Information Technology Agency Act 2008 (Act 771), has been tasked under Section 31 of the Electronic Transactions Act to:
(a) issue licences for encryption and authentication services;
(b) monitor the conduct, system and operation of encryption and authentication service providers to ensure compliance with the conditions of the licence and the provisions of this Act;
(c) suspend the licence of a licence holder;
(d) revoke the licence of a licence holder; and
(e) appoint an independent auditing firm to conduct periodic audits of a licence holder to ensure compliance with the conditions of the licence and this Act.
This therefore implies that all cloud service providers offering cloud encryption services are mandated to acquire a licence from the Certifying Agency in order for their operations to be termed legal.
Law Governing Data Hosting in Ghana
The Electronic Transactions Act also provides enforceable laws which contain general security requirements for digital data hosting and cloud service providers.
Section 92 (1) explains that an intermediary or service provider who provides a service that consists of the storage of electronic records provided to a user of the service is not liable for damages arising from information stored at the request of the recipient of the service, as long as the service provider:
(a) does not have actual knowledge that the information or an activity relating to the information is infringing on the rights of a third party;
(b) is not aware of facts or circumstances from which the infringing activity or the infringing nature of the information is apparent or can be reasonably inferred; and
(c) upon receipt of a take-down notification under this Act, takes action expeditiously to remove or to disable access to the information.
(2) The limitations on liability established by this section do not apply to a service provider unless:
(a) it has provided an address to receive notifications of infringement; or
(b) it has an agent for receipt of notification of infringement.
The Issue with Critical Databases
A critical database, under the Electronic Transactions Act, means a crucial set of data in an electronic record related to national security or the economic well-being of the public, as determined by the Minister. Under this Act (Section 56 a), the Minister has the right to declare certain classes of information which are of importance to the protection of the national security of the Republic or the economic and social well-being of its citizens to be critical electronic records for the purpose of this Act.
This means that any cloud service provider or individual who holds information in the cloud pertaining to the national security or the economic well-being of Ghanaians, as determined by the Minister, needs to register it as sensitive or classified data. The Minister of Communications therefore has the power to declare any data stored in the cloud to be sensitive information and to require any such data to be registered with the NITA using the requirements laid down by the Minister under Section 58 of the Act.
Under Section 59, the Minister of Communications shall prescribe minimum standards for prohibitions in respect of:
(a) the general management of a critical database;
(b) access to, transfer and control of a critical database;
(c) infrastructural or procedural rules and requirements to secure the integrity and authenticity of a critical electronic record;
(d) procedures and technological methods to be used in the storage or archiving of a critical database;
(e) accident recovery plans in the event of loss of critical databases or parts of the database;
(f) the security of the databases;
(g) the physical safety of a person in control of the critical database; and
(h) any other matter required for the adequate protection, management and control of a critical database.
Data Security Breach in Ghana
With regard to unauthorized access or interception of data, Section 124 states that a person who intentionally accesses or intercepts an electronic record without authority or permission commits an offence, and is liable on summary conviction to a fine of not more than two thousand five hundred penalty units or to a term of imprisonment of not more than five years or to both. In the case of unauthorized interference with data, Section 125 prescribes that a person who intentionally and without authority interferes with an electronic record in a way which causes the electronic record to be modified, destroyed or otherwise rendered ineffective commits an offence, and is liable on summary conviction to a fine of not more than two thousand five hundred penalty units or to a term of imprisonment of not more than five years or to both.
Section 129 goes further in criminalising the unlawful access of stored data: it states that whoever, without lawful authority, intentionally accesses a facility through which an electronic communication service is provided commits an offence and is liable on summary conviction to a fine of not more than five thousand penalty units or to a term of imprisonment of not more than ten years or to both. Subsection (2) takes it further by making it illegal for anybody to exceed an authorization to access a facility, or to obtain, alter, or prevent authorized access to a wire or electronic communication while it is in electronic storage in a system.
According to Section 132, a person who knowingly and without authority discloses a password, access code or any other means of gaining access to a program or electronic record held in a computer commits an offence, and is liable on summary conviction to a fine of not more than ten thousand penalty units or a term of imprisonment of not more than twenty years or to both.
Combination of the Criminal Offences Act and the Electronic Transactions Act to Fight Cyber-crimes
With regard to theft, Section 124 of the Criminal Offences Act 1960 (Act 29) on stealing has been modified under the Electronic Transactions Act to include anything done using an electronic processing or procuring procedure system, whether or not the appropriation was by use of an electronic processing procedure, and also to anything, whether or not the medium used in the receiving, in whole or in part, was an electronic record.
Section 122(2) of the Criminal Offences Act, 1960 (Act 29) on acts which amount to appropriation applies, with the necessary modification, to anything whether or not the moving, taking, obtaining, carrying away or dealing is by means of electronic processing or procuring procedure in part or in whole.
Section 108 subsection (2) of the Electronic Transactions Act interprets “thing” to include any electronic-related cyber offence which results in the loss of property, identity, electronic payment medium, information, electronic record and any related matter, whether tangible or intangible, wherever located on any network, if the accused is subject to prosecution under this Act.
Cyber-crime Laws
Cyber-crime is covered by some aspects of the Electronic Transactions Act, 2008. The Act gives powers to law enforcement officers in Section 98. These powers allow the police to also act as cyber inspectors and to arrest and prosecute anybody who is believed to have committed an offence in relation to cyber-crimes. Section 98 (1) clearly outlines the additional powers of arrest, search and seizure of law enforcement agencies. Section 98 (2) further states that a law enforcement agent may seize any computer, electronic record, program, information, document, or thing in executing a warrant under this Act if the law enforcement officer has reasonable grounds to believe that an offence under this Act has been or is about to be committed. Law enforcers, after the issuing of a search warrant, are mandated to have access to stored data for investigation.
Copyright Act, 2005: Protecting Cloud Consumers in Ghana
Aside from the Acts discussed above, Ghana offers protection for data in storage through a combination of comprehensive IP laws. Civil sanctions, criminal sanctions, and the necessary courses of action are available for the unauthorized access of copyright holders’ works on the Internet. A copyright holder in this case can be any person who has data stored in the cloud.
Section 42 (1) of the Copyright Act, under copyright and related rights offences, states that: A person who manufactures, imports, distributes, exports, sells, rents, possesses for commercial purposes, offers to the public, advertises, communicates or otherwise provides any device, product or component that is designed or adapted to remove, alter or add electronic rights management information, or circumvents any technological protection measure applied by the right holder to the protected work, where the person performing the act knew or had reasonable grounds to know that the action induces, enables, facilitates or conceals an infringement of any copyright or related right protected under this Act, without the licence or authorization of the person whose rights are protected under this Act or the agent of that person, infringes the protected rights and commits an offence punishable under Section 43 of this Act.
Internet service providers (“ISPs”) may be held liable if they were either aware of the infringement, or were aware of the information and should have known of the infringement and could technically have prevented the transmission of the information.
Based on Section 43 of the Copyright Law, ISPs can be held liable for content that infringes copyright found on their sites or systems. Any person whose right is allegedly infringed by the transmission of information via the internet can take legal action. Section 43 states that a person who infringes on a right protected under this Act commits an offence and is liable on summary conviction to a fine of not more than one thousand penalty units and not less than five hundred penalty units, or to a term of imprisonment of not more than three years, or to both; and in the case of a continuing offence, to a further fine of not less than twenty-five penalty units and not more than one hundred penalty units for each day during which the offence continues.