Data Protection Act, 2012

Last updated
Data Protection Act, 2012
Ghana Parliament Emblem.png
Ghana Parliament
  • AN ACT to establish a Data Protection Commission, to protect the privacy of the individual and personal data by regulating the processing of personal information, to provide the process to obtain, hold, use or disclose personal information and for related matters.
CitationAct 843
Territorial extent The Republic of Ghana
Enacted by Ghana Parliament
Assented toMay 10, 2012
Signed by President of the Republic of Ghana
Effective 16 October 2012
Administered by Data Protection Commission
Keywords
Status: Current legislation

The Data Protection Act, 2012 (The Act) [1] is legislation enacted by the Parliament of the Republic of Ghana to protect the privacy and personal data of individuals. It regulates the process personal information is acquired, kept, used or disclosed by data controllers and data processors by requiring compliance with certain data protection principles. Non compliance with provisions of the Act may attract either civil liability, or criminal sanctions, or both, depending on the nature of the infraction. The Act also establishes a Data Protection Commission, which is mandated to ensure compliance with its provisions, as well as maintain the Data Protection Register.

Contents

History

The Act was first introduced in the Ghana Parliament in 2010, but was subsequently withdrawn by the then Minister of Communications, Haruna Iddrisu, to be revised. [2] Parliament passed the bill in 2012, [3] which then received Presidential assent on May 10, 2012. [4] The notice of the Act was gazetted on 18 May 2012, [4] and in accordance with Section 99, the Act came into effect on 16 October 2012. [5]

Structure

The Act is made up of 99 sections that are arranged under various headings, as follows:

HeadingSections
Data Protection Commission1-10
Administration11-13
Finances of the Commission14-16
Application of principles of data protection17-34
Rights of data subjects and others35-36
Processing of special personal data37-45
Data protection register46-59
Exemptions60-74
Enforcement75-81
Records obtained under data subject's right of access82-83
Information provided to Commission84-85
Miscellaneous and general provisions86-99

Key terms

Key terms in the Act are defined in the interpretation section, section 96. Unless the context otherwise requires, section 96 provides the following definitions to the notable terms:

data controller” means a person who either alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed

“data processor” in relation to personal data means any person other than an employee of the data controller who processes the data on behalf of the data controller

“data subject” means an individual who is the subject of personal data

“foreign data subject” means data subject information regulated by laws of a foreign jurisdiction sent into Ghana from a foreign jurisdiction wholly for processing

“personal data” means data about an individual who can be identified,(a) from the data, or (b) from the data or other information in the possession of, or likely to come into the possession of the data controller

“processing” means an operation or activity or set of operations by automatic or other means that concerns data or personal data and the (a) collection, organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or other means available, or (d) alignment, combination, blocking, erasure or destruction of the information or data

“recipient” means a person to whom data is disclosed, including an employee or agent of the data controller or the data processor to whom data is disclosed in the course of processing the data for the data controller, but does not include a person to whom disclosure is made with respect to a particular inquiry pursuant to an enactment

“special purposes” means any one or more of the following: (a) the purpose of journalism, (b) where the purpose is in the public interest, (c) artistic purposes, and (d) literary purposes

Application of the Act

The Act is applicable, where

  1. the data controller is established in Ghana and the data is processed in Ghana,
  2. the data processor is not established in Ghana, but uses equipment, or uses the services of a data processor carrying on business in Ghana, to process data, or
  3. the information being processed originates either partly or wholly from Ghana. (Section 45(1))

Data which originates externally and merely transits through Ghana is however, not protected by the Act (Section 45(4)). The Act applies to the Ghanaian Government, and for that purpose, each government department is treated as a data controller. (Section 91)

Data protection principles

The Act provides for 8 principles that data processors have to take into account in processing data, in order to protect the privacy of individuals. These principles are similar to the OECD Guidelines [6] and the Data Protection Directive of the European Union. [7]

The data protection principles are enumerated at Section 17 as follows:

  1. accountability
  2. lawfulness of processing
  3. specification of purpose
  4. compatibility of further processing with purpose of collection
  5. quality of information
  6. openness
  7. data security safeguards, and
  8. data subject participation.

Accountability

The accountability principle of data protection is seen generally as a fundamental principle of compliance. [8] It requires that a data controller should be accountable for compliance with measures which give effect to data protection principles. [9]

The Act requires a person who processes personal data to ensure that the data is processed without infringing the rights of the data subject, and should be processed in a lawful and reasonable manner (Section 18(1)). Where the data to be processed involves a foreign data subject, the data controller or processor must ensure that the personal data is processed according to the data protection laws of the originating jurisdiction (Section 18 (2)).

Lawfulness of processing

Data processing is lawful where the conditions that justify the processing are present. [10]

The Act has a minimality provision, which requires that personal data can only be processed if the purpose for which it is to be processed is necessary, relevant, and not excessive. (Section 19)

The prior consent of a data subject is also required before personal data is processed. (Section 20) This requirement is, however, subject to exceptions. For instance, where the purpose for which the personal data is processed is necessary for the purpose of a contract to which the data subject is a party; authorised or required by law, to protect a legitimate interest of the data subject; necessary for the proper performance of a statutory duty or necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied (section 20(1)). Consent is also required for the processing of special personal data (Section 37(2) (b)). A data subject also object to the processing of personal data (section 20(2)), and the data processor is required to stop processing the data upon such objection (section 20(3)).

In terms of retention of records, the Act prohibits the retention of personal data for a period longer than is necessary to achieve the purpose of the collection, unless, the retention is required by law, is reasonably necessary for a lawful purpose related to a function or activity, is required for contractual purposes, or the data subject has consented to the retention. (Section 24(1)). The retention requirement is, however, not applicable to personal data that is kept for historical, statistical, or research purposes, (section 24(2)), except that such records must be adequately protected against access or used for unauthorized purposes (Section 24(3)). Where a person uses a record of personal data to make a decision about the data subject, the data must only be retained for a period required by law or a code of conduct, and where no such law or code of conduct exists, for a period which will afford the data subject an opportunity to request access to the record. Upon the expiration of the retention period, the personal data must, however, be deleted or destroyed, in a manner that prevents its reconstruction in an intelligible form, or the record of the personal data must be de-identified. (Sections 24(4), (5), (6)).

A data subject may also request that a record of personal data about that data subject held by a data controller be destroyed or deleted where the data controller no longer has the authorisation to retain that data. (Section 33(1) (b))

Specification of purpose

The Act requires that a data controller who collects personal data do so for a specific purpose that is explicitly defined and lawful, and is related to the functions or activity of the person. (Section 22) The data controller who collects data is also required to take necessary steps to ensure that the data subject is aware of the purpose for which the data is collected. (Section 23)

Compatibility of further processing

The Act requires that where a data controller holds personal data collected in connection with a specific purpose, any further processing of that data must be compatible with the purpose for which the personal data was initially obtained. (Section 25(1))

The circumstances under which processing meets the compatibility requirement include where the data subjects consents to the further processing of the information, the data is in the public domain, further processing is necessary for purposes of fighting crime, for legislation that concerns protection of tax revenue collection, the conduct of court proceedings, protection of national security, public health, or the life or health of the data subject or another person. (Section 25(3))

Quality of information

Under section 26 of the Act, a data controller who processes personal data must ensure that the data is complete, accurate, up to date and not misleading, having regard to the purpose for which that data is collected or processed.

Openness

The openness principle ensures that individuals know about, and can participate in enforcing their rights under a data protection regime. [11]

Section 27(1) makes it mandatory for a data controller who intends to process personal data to register with the Data Protection Commission. The Data Controller who intends to collect data must also ensure that the data subject is aware the nature of data being collected, the persons responsible for the collection, the purpose of the collection as well as whether or not the supply of data is mandatory or discretionary, among other things. (Section 27(2))

Where the data is collected from a third party, the Act requires the data subject to be informed before the data is collected, or as soon as practicable afterwards. (Section 27(3))

The Act provides circumstances under which the notification requirement is exempt, and they include where it is necessary to avoid compromising law enforcement, protect national security, or where it relates to the preparation or conduct of legal proceedings. Section 27(4))

Also, although it is not mandatory, a data controller can appoint a data protection supervisor, who would be responsible for monitoring compliance with the Act.(Section 58(1), (2)) The data protection supervisor may be an employee (Section 58(1)) and must meet the qualification criteria set out by the Data Protection Commission. (Section 58(7))

Data security safeguards

Under the Act, a data controller has a duty to prevent the loss of, damage to, or unauthorized destruction of personal data, as well as the unlawful access to or unauthorized processing of personal data. The data controller must therefore adopt appropriate, reasonable, technical, and organizational means to take necessary steps to ensure the security of personal data in its possession or control. (Section 28(1))

The data controller is also required to take reasonable measures to identify and forestall any reasonably foreseeable risks, and ensure that any safeguards put in place are effectively implemented and updated continually. (Section 28(2))

The data controller must also observe both generally accepted and industry specific best practices in securing data, (Section 28(3)) as well as ensure that data processors comply with security measures. (Section 30) Where the data processor is not domiciled in Ghana, the data controller must ensure that the data processor complies with the relevant laws of its country. (Section 30(4))

The Act also requires the data controller to, as soon as reasonably practicable, notify the Data Protection Commission and the data subject of any security breaches to its system, and take steps to ensure that the integrity of the system is restored.(Section 31))

Data subject participation

A data subject can, subject to proving the data subject's identity, request a data controller to confirm if the data controller holds that data subject's personal data, describe the nature of the personal data held, and the identity of any third party who has or has previously had access to that data (Section 32(1)). The request must however be made in a reasonable manner, within a reasonable time, after paying any prescribed fees and in a form that is generally understandable (Section 32(2)).

A data subject can also request a data controller to correct or delete personal data about the data subject that is held by the data controller and which is inaccurate, irrelevant, excessive, out of date, incomplete, or misleading (Section 33(1)). Upon receipt of the request, the data controller must either comply with the request or provide the data subject with credible evidence in support of the data. (Section 33(2)).

Special personal data

Under section 96, "special personal data" means personal data which consists of information that relates to (a) the race, colour, ethnic or tribal origin of the data subject; (b) the political opinion of the data subject; (c) the religious beliefs or other beliefs of a similar nature, of the data subject; (d) the physical, medical, mental health or mental condition or DNA of the data subject; (e) the sexual orientation of the data subject; (f) the commission or alleged commission of an offence by the individual; or (g) proceedings for an offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court in the proceedings;

The Act prohibits the processing of data which relates to children under parental control, or to the religious or philosophical beliefs, ethnic origin, race, trade union membership, political opinions, health, sexual life or criminal behaviour of an individual Section 37(1).

Special personal data may, however, be processed where it is necessary or the data subject has given consent to the processing (Section 37(2)). Processing of personal data is necessary where it is to exercise a right, or fulfil an obligation conferred or imposed by law on an employer (Section 37(3)). Special personal data relating to data subjects may also be processed where it is necessary for the protection of the vital interest of the data subject, where it is impossible for the data subject to give consent, or the data controller cannot reasonably be expected to obtain consent, or consent by the data subject has been unreasonably withheld. (Section 37(4))

Processing special personal data is presumed to be necessary where it is required for the purpose of legal proceedings, legal advice and for medical purposes, where it is undertaken by a health professional and subject to a duty of confidentiality between the patient and health professional. (Section 37(6))

The prohibition on processing special personal data relating to religious or philosophical beliefs does not apply where the processing is carried out by a religious organisation of which the data subject is a member or by an institution founded upon the religious or philosophical principles with respect to persons associated with that institution and is necessary to achieve the aims of the institution (Section 38(1)).

Rights of data subjects

Under the Act, a data subject has the right to have his personal data corrected (section 33), to access his personal data (section 35); to prevent the processing of personal data that causes or is likely to cause unwarranted damage or distress to him (section 39); to prevent processing of personal data for purposes of direct marketing (section 40); to require a data controller not to take a decision that would significantly affect him solely on the processing by automatic means (section 41); to exempt manual data (Section 42), to be compensated for the data controller's failure to comply with the provisions of the Act, upon proof of damages (Section 43); and to have inaccurate data rectified (Section 44)

The Data Protection Commission

The Act establishes a Data Protection Commission with two main objects,

  1. Protect the privacy of the individual and personal data by regulating the processing of personal information, and
  2. Provide the process to obtain, hold, use or disclose personal information. (section 2)

The functions of the DPC are to:

  1. Implement and monitor compliance with the provisions of the Act,
  2. Make administrative arrangements its considers appropriate for the discharge of its duties
  3. Investigate and fairly determine any complaints made under the Act, and
  4. Keep and maintain the Data Protection Register

(section 3)

The DPC is governed by an 11-member board that is appointed by the President of Ghana, and the Act provides for certain specific institutional representation. (Section 4) Board members are allowed to hold office for a period not exceeding three years and cannot be appointed to more than two terms. (Section 5(1)) Allowances for Board members are approved by the Minister responsible for Communications in consultation with the Minister responsible for Finance. (Section 9) The board was officially sworn in on 1 November 2012, [12] is currently chaired by Prof. Justice Samuel Kofi Date-Bah, a retired justice of the Supreme Court of Ghana. [13] The DPC was officially launched on 18 November 2014. [14]

The Act also mandates the President to appoint an Executive Director (section 11) who shall be responsible for the day-to-day administration of the DPC, as well as the implementation of the decisions of the Board. (Section 12). Mrs. Teki Akuetteh Falconer is the current Executive-Director. [13]

Under the Act, the sources of the DPC's funds include money approved by parliament, donations and grants, money that accrues to the DPC in the performance of its functions and any money that the Minister responsible for Finance approves. (Section 14)

The DPC is also granted power to serve enforcement notices on data controllers requiring them to refrain from contravening the data protection principles. (Section 75) The enforcement notice may be cancelled or varied either by the DPC, on its own motion, or upon application by a recipient of the notice. (Section 76)

The Data Protection Register

The Act provides for the establishment of a Data Protection Register which is to be maintained by the DPC and to which data controllers must compulsorily register. (Section 46) Applications for registration as a data controller is to be made in writing and the Act provides for certain particulars, such as the business name and address of applicant, a description of personal data to be collected and a description of purpose for the processing of personal data. (Section 47(1)) Knowingly supplying false information amounts to an offence punishable by a fine or imprisonment. (Section 47(2)) Also, a separate entry in the register must be made for each separate purpose for which the data controller wishes to process the data. (Section 47(3))

The DPC has the right to refuse to grant an application where the particulars provided for inclusion in an entry in the register are insufficient, the data controller has not been able to provide the appropriate safeguards for the protection of the privacy of the data subject, and in the opinion of the DPC the applicant does not merit the grant of the registration. (Section 47(1))Upon refusing a registration application, the DPC is required to inform the applicant of the reasons for the refusal, and in such an event, the applicant may apply to the High Court for judicial review of the decision. (Section 47(2))

Registration as a data controller is subject to renewal every two years (section 50). The DPC also has the power to cancel a registration for good cause. (Section 52) It is an offence to process personal data without registering. (Section 56)

The Act also provides for access by the public to the register, upon the payment of the prescribed fee. (Section 54)

General exemptions

The Act provides several exemptions for different purposes as follows: The processing of personal data is exempt from the provisions of the Act where it relates to national security (section 60) and in relation to crime and taxation (section 61); the disclosure of personal data relating to health, education and social work; (section 61); is prohibited, unless it is required by law.

The provisions of the Act are also not applicable for the protection of members of the public against specified loss or malpractice provisions (section 63)

The processing of personal data is prohibited unless the processing is undertaken for the purpose of a literary or artistic material and the data controller reasonably believes the publication would be in the public interest and that compliance with the provision is incompatible with the special purposes. (Section 64)

The provisions on non-disclosure do not apply, where the disclosure is required by any law or by a court. (Section 66) Act does not apply where data is processed only for the purpose of managing an individual's domestic affairs. (Section 67)

The data protection principles do not apply to personal data if it consists of references given in confidence, for the purposes of education, appointment to an office or the provision of a service by the data subject. (Section 68)

The subject information provisions of the Act do not apply to personal data, where it is likely to prejudice the combat effectiveness of the Armed Forces (Section 69); where it is processed to assess the suitability of a person for judicial appointment or to confer a national honour (Section 70) or if it consists of information in respect of a claim to professional privilege or confidentiality. (Section 74)

Personal data is exempt from the provisions of the Act where it relates to examinations marks processed by the data controller and is in relation with the individual's results,(Section 72) or consists of information recorded by a candidate for academic purposes (section 73)

Miscellaneous provisions

The Act prohibits the purchase of personal data, the knowing or reckless disclosure of personal data, and the contravention of this provision amounts to an offence. (Section 88)

The Act also makes the sale, the offering to sell, and the advertising of the sale of personal data an offence. (Section 89)

The Minister responsible for communications may, in consultation with the DPC make regulations for the effective implementation of the Act.

Related Research Articles

The Office of the Data Protection Commissioner (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.

<span class="mw-page-title-main">Data Protection Directive</span> EU directive on the processing of personal data

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

<span class="mw-page-title-main">Privacy Act of 1974</span>

The Privacy Act of 1974, a United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual. The Privacy Act requires that agencies give the public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of information from a system of records absent of the written consent of the subject individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records and sets forth various agency record-keeping requirements. Additionally, with people granted the right to review what was documented with their name, they are also able to find out if the "records have been disclosed" and are also given the right to make corrections.

<span class="mw-page-title-main">Data Protection Act 1998</span> United Kingdom legislation

The Data Protection Act 1998 (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

<i>Personal Information Protection and Electronic Documents Act</i> 2000 Canadian law

The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents. PIPEDA became law on 13 April 2000 to promote consumer trust in electronic commerce. The act was also intended to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens. In accordance with section 29 of PIPEDA, Part I of the Act must be reviewed by Parliament every five years. The first Parliamentary review occurred in 2007.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handling sensitive information.

Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. A single pseudonym for each replaced field or collection of replaced fields makes the data record less identifiable while remaining suitable for data analysis and data processing.

The United States Commission's fair information practice principles (FIPPs) are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.

The Register of data controllers was a United Kingdom database under the control of the UK Information Commissioner's Office mandated by section 19 of the Data Protection Act 1998.

Data protection (privacy) laws in Russia are a rapidly developing branch in Russian legislation that have mostly been enacted in the 2005 and 2006. The Russian Federal Law on Personal Data, implemented on July 27, 2006, constitutes the backbone of Russian privacy laws and requires data operators to take "all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental access". Amendment was signed on December 20, 2020 and came into effect on March 1, 2021. The amendment requires "personal data made publicly available" needs to receive consent from the data subject. Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media is the government agency tasked with overseeing compliance.

The German Bundesdatenschutzgesetz (BDSG) is a federal data protection act, that together with the data protection acts of the German federated states and other area-specific regulations, governs the exposure of personal data, which are manually processed or stored in IT systems.

<span class="mw-page-title-main">General Data Protection Regulation</span> EU regulation on the processing of personal data

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

<span class="mw-page-title-main">Board of Audit and Inspection</span> Supreme audit institution of South Korea

The Board of Audit and Inspection is a national organization headquartered in Seoul, South Korea. Its primary function is the audit and inspection of the accounts of state and administrative bodies.

The Ley Federal de Protección de Datos Personales en Posesión de los Particulares, is a law of Mexico, approved by the Mexican Congress on April 27, 2010. The law aims to regulate the right to informational self-determination. The law was published on July 5, 2010, in the Official Gazette and entered into force on July 6, 2010. Its provisions apply to all natural or legal persons who carry out the processing of personal data in the applicable exercise of their activities. Companies such as banks, insurance companies, hospitals, schools, telecommunications companies, religious organizations, and professionals such as lawyers, doctors, and others, are required to comply with the provisions of this law.

The Organic Law 15/1999 of December 13 on Protection of Personal Data was Spanish organic law that guaranteed and protected the processing of personal data, public liberties, and fundamental human rights, and especially of personal and family honor and privacy. It was approved by the General Court on December 13, 1999. This law was developed based on Article 18 of the Spanish Constitution of 1978, the familiar and personal right to privacy, and the secrecy of communications.

<span class="mw-page-title-main">Personal Information Protection Law of the People's Republic of China</span> Chinese personal information rights law

The Personal Information Protection Law of the People's Republic of China referred to as the Personal Information Protection Law or ("PIPL") protecting personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information. It also addresses the transfer of personal data outside of China.

<span class="mw-page-title-main">Protection of Personal Information Act, 2013</span> South African privacy legislation

The Protection of Personal Information Act is a piece of legislation which governs the law of data protection and privacy in South Africa. The act was passed to regulate the right to privacy, as enshrined by section 14 of the Constitution of South Africa, and would work in conjunction with the Promotion of Access to Information Act. The President of South Africa assented to the Act on 19 November 2013. As part of the regulation a new government agency was created, the Information Regulator, an independent body which is empowered to monitor and enforce compliance of the PoPI Act within the public and private sector. The act came into force 1 July 2020, which commenced a one-year grace period during which all South African entities were expected to become compliant. The grace period ended 30 June 2021, with the commencement of the act on the 1 July 2021.

References

  1. "Data Protection Act, 2012 (Act 843)" (PDF). Archived from the original (PDF) on 2018-05-04. Retrieved 2015-03-04.
  2. Acquaye, Nana Appiah (20 July 2011). "Data Protection Bill Withdrawn". Biztech Africa. Retrieved 4 March 2015.
  3. "Data Protection Bill Passed". Ghanaweb. Retrieved 4 March 2015.
  4. 1 2 Data Protection Act, 2012
  5. "Data Protection Act". Data Protection Commission. Archived from the original on 12 February 2015. Retrieved 4 March 2015.
  6. "OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data" . Retrieved 4 March 2015.
  7. "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data". 24 October 1995. Retrieved 4 March 2015.
  8. Alhadeff, Joseph, Brendan Van Alsenoy and Jos Dumortier. The Accountability Principle in Data Protection Regulation: Origin, Development and Future Direction]." Guagnin, Daniel, et al. Managing Privacy Through Accountability. Palgrave Macmillan, 2012. 50-82
  9. Roos, Anneliese (March 2006). "Core principles of data protection law". The Comparative and International Law Journal of Southern Africa. 39 (1): 126.
  10. Roos 2006, p. 108.
  11. Roos 2006, p. 118.
  12. "Governing board of Data Protection Commission inaugurated". Ghana News Agency. 1 November 2012. Retrieved 4 March 2015.
  13. 1 2 "Governing Body". Data Protection Commission official website. Archived from the original on 17 March 2015. Retrieved 4 March 2015.
  14. Mensah, Mary; Solomon, Erasmus. "Data Protection Commission launched". Graphic Online. Retrieved 4 March 2015.