Data Protection Act, 2012

Non-compliance with provisions of the Act may attract either civil liability, or criminal sanctions, or both, depending on the nature of the infraction.

The Act was first introduced in the Ghana Parliament in 2010, but was subsequently withdrawn by the then Minister of Communications, Haruna Iddrisu, to be revised.

These principles are similar to the OECD Guidelines[6] and the Data Protection Directive of the European Union.

(Section 25(1)) The circumstances under which processing meets the compatibility requirement include where the data subject consents to the further processing of the information, the data is in the public domain, or further processing is necessary for purposes of fighting crime, for legislation that concerns protection of tax revenue collection, the conduct of court proceedings, protection of national security, public health, or the life or health of the data subject or another person.

The openness principle ensures that individuals know about, and can participate in enforcing, their rights under a data protection regime.

(Section 27(3)) The Act provides circumstances under which the notification requirement does not apply, and they include where it is necessary to avoid compromising law enforcement, protect national security, or where it relates to the preparation or conduct of legal proceedings.

Processing of personal data is necessary where it is to exercise a right, or fulfil an obligation conferred or imposed by law on an employer (Section 37(3)).

(Section 37(4)) Processing special personal data is presumed to be necessary where it is required for the purpose of legal proceedings, legal advice and for medical purposes, where it is undertaken by a health professional and subject to a duty of confidentiality between the patient and health professional.

(Section 37(6)) The prohibition on processing special personal data relating to religious or philosophical beliefs does not apply where the processing is carried out by a religious organisation of which the data subject is a member or by an institution founded upon the religious or philosophical principles with respect to persons associated with that institution and is necessary to achieve the aims of the institution (Section 38(1)).

(Section 4) Board members are allowed to hold office for a period not exceeding three years and cannot be appointed to more than two terms.

The Act also mandates the President to appoint an Executive Director (section 11) who shall be responsible for the day-to-day administration of the DPC, as well as the implementation of the decisions of the Board.

(Section 47(1)) Knowingly supplying false information amounts to an offence punishable by a fine or imprisonment.

(Section 47(3)) The DPC has the right to refuse to grant an application where the particulars provided for inclusion in an entry in the register are insufficient, the data controller has not been able to provide the appropriate safeguards for the protection of the privacy of the data subject, and in the opinion of the DPC the applicant does not merit the grant of the registration.

(Section 56) The Act also provides for access by the public to the register, upon the payment of the prescribed fee.

The provisions of the Act are also not applicable for the protection of members of the public against specified loss or malpractice provisions (section 63). The processing of personal data is prohibited unless the processing is undertaken for the purpose of a literary or artistic material and the data controller reasonably believes the publication would be in the public interest and that compliance with the provision is incompatible with the special purposes.

(Section 66) The Act does not apply where data is processed only for the purpose of managing an individual's domestic affairs.

(Section 89) The Minister responsible for communications may, in consultation with the DPC, make regulations for the effective implementation of the Act.