CALL TO COMPLY WITH THE REQUIREMENT TO REGISTER UNDER THE DATA PROTECTION ACT, 2012 (ACT 843)

The Data Protection  Commission and individuals that collect , use or process any kind of personal  information on person living in Ghana to register as Data Controllers or Data Processors.

DPC is an independent statutory body establish under Data Protection Act, 2012 (Act843) is Article 18(2) of the 1992 Constitution that guarantees the right to the privacy of personal communications in Ghana. The Data  Protection Act ,2012 (Act 843)provides for the  methods  or mechanisms to process personal information in order  to maintain  public  trust  and confidence as well as protect  and guarantee the right  to privacy  in the light  of increased processing and dissemination of personal information in the country.

Who is required to register with the Commission?

The Act mandates all who process personal data to register with the Commission whether or not their core function include the processing of personal data. Personal data is any information about an individual or from which an individual can be identified.

Personal  data  includes , names addresses, telephone numbers pictures, images  captured  on cctv, salary slip, medical records etc. just to mention a few. The Data Protection Act, 2012 (Act 843) defines personal data in SECTION 96 as follows:

“Personal data” means data about an individual who can be identified

(a)    From data, or

(b)   From the data or other information in the possession of, or likely to come into the possession of the data controller:

Processing  of personal  data means  any kind  of activity or process that involves  personal  information and that  may include viewing, recording, using, reviewing, amending  shredding, deleting or erasing  the information, Section  96  defines  processing as follows:

“processing “ means  an operation  or activity  or set of operations by  automatic  or other  means  that  concerns  data or personal  data and includes the

(a)    Collection, organization, adaption or alteration of the information or data.

(b)   Retrieval, consultation or use of the information or data

(c)    Disclosure of the information or data by transmission, dissemination or other means available, or

(d)   Alignment, combination, blocking, erasure or destruction of the information or data:

The Act under Section 27(1) also mandates that:

A data controller is defined under Section 96 as follow:

“data controller” means  a person  who either  alone ,jointly  with other persons  or in  common with  other persons  or as a statutory  duty determines  the purpose  for  and the  manner in which  personal  data  is processed or is to be  processed;

The Commission is therefore calling on institution and individuals who is the performance of their functions process personal information that includes the following to register.

·         Employment records

·         Educational /childcare records

·         Medical/Health Records

·         Records of consultants one

·         Works with from time to time

·         Names, telephone numbers and address of visitors to premises

·         Security records

·         Criminal records

·         Financial records

·         Administrative records

·         Licensing records

·         Pictures, videos and related images

·         Personal information is collected for journalistic purposes

·         Legal records

·         Investigation records

An institution or individual who falls  to register as a data controller but  processes  personal  information  commits  an offence  under the Data Protection  Act ,2012 (Act 843) and will be liable  for prosecution after  the grace period.

How to Register?

An application  for registration as a data  controller shall be completed online  through  the  Commission ‘s Portal  (http://www.dataprotection.org.gh/register-us) and the applicant  shall furnish the Commission with their  particulars . An applicant who knowingly supplies false information in support of an application for registration as a data controller commits an offence.

Examples of Data Controllers

The following are some further examples of institutions that collects, hold, use and process personal information who are mandated to register.

·         All Governmental bodies or institutions (Executive, Parliament, Judiciary) eg. MDAs, MMDAs, Authority, Commissions, Agencies, Judicial Service, Office of Parliament, etc.

·         All nursery, primary and tertiary educational  institutions

·         Accounting firms

·         Auditing firms

·         Law firms

·         Limited  liability  Companies

·         Partnerships

·         Regulatory  Bodies

·         Churches , Mosques and Other Religious

·         Financial  institutions

·         Medical/Health  institutions/centres /clinics

·         Fitness  centres

·         Insurance  Firms

·         Non-Governmental  Bodies

·         Associations

If you are an individual  that collects large  amounts  of personal information and  determine how such  information  must be  used  then  you qualify  as a Data  Controller and must  register. Employees are however exempted from registering as Data Controllers .The following are some examples individual Data Controllers who are mandated by law to register.

·         Actor/Director /Producer

·         Accountant

·         Architect

·         Author

·         Consultant

·         Dentist

·         Dermatologist

·         Designer

·         Doctor /Physician

·         Economist

·         Elected Representative

·         Engineer

·         Entertainer

·         Historian

·         Journalist

·         Lawyer /Barrister/Solicitor

·         Nurses /Midwives

·         Parliamentarian

·         Pathologist

·         Pharmacist

·         Philosopher

·         Pilot

·         Politician

·         Preachers

·         Programmer

·         Psychologist

·         Singer/Songwriter

·         Sportsman/Coach/Manager

·         Statistician

·         Student

·         Surgeon

·         Teacher/lecturer/Professor

Publication of Registered Data Controllers & Processors

The Commission is mandated to make the Register available to members of the public.

The Commission will therefore publish all registered data controllers’ and processors’ on the commission‘s online public register after 31st July 2015.

Anyone  giving  out their  personal  information  can therefore check  the data  protection  status  of the institution  or individual they are  giving  their personal  information  to .All  individuals giving  out  their personal  information  do so  at their  own risk  if the  information  is given  to an institution  or individual that has  not registered with the  Commission in  accordance  with the Act. Visit https.//registration.dataprotection.org.gh to search the Register.

Registration of Data Controllers commenced on 1^st May 2015. An institution or individual existing prior to commencement of Act 843 has three (3) months to comply with the requirement to register. The three (3) month period expires on 31^st July 2015.

To register, kindly visit https://registration.dataprotection.org.gh

For more information please contact the Data Protection Commission at the following:

Data Protection Commission

Room No.51, First Floor

Ministry of Communication Building

Ministerial Enclave

P.O. BOX CT7195, Accra

TEL: +233 (0) 2631 455

FAX +233 (0)30 2631 477

EMAIL ADDRESS:info@dataprotection.org.gh

WEBSITE: www.dataprotection.org.gh

To protect the privacy of the individual and personal data by regulating the processing of personal information