
RELEVANT INFORMATION SYSTEMS RELATED LAWS IN GHANA

04/06/2024 1
An Act
• A bill which has passed through all the legislative steps required for it
and has become law.
• As of 2023, four Acts are the ones most directly relevant to the
digital/information systems/information technology space. These are:
• Data Protection Act, 2012 (Act 843)
• Cybersecurity Act, 2020 (Act 1038)
• Electronic Transactions Act, 2008 (Act 772)
• Electronic Communications Act, 2008 (Act 775)
DATA PROTECTION
ACT, 2012
ACT 843

Table of Content
• Data Protection Act – What is it?

• Objectives

• Key Sections OF Act

• Crimes Tackled by Act

• Key Actors

• Social and Legal Implications

DATA BREACH

• A data breach occurs when data for which your company/organisation is
responsible suffers a security incident resulting in a breach of its
confidentiality, integrity or availability (source: European Union).
DAILY EXAMPLES OF DATA BREACHES

• Losing portable devices (laptops, tablets, etc.) and/or storage devices
(flash drives, external hard drives, etc.).
• Losing hard-copy files or papers containing sensitive personal or
company data.
• Accidental disclosure of company data to staff without the proper
permission or clearance level.
• Email errors: emails sent to incorrect addresses, or the disclosure of
bulk email addresses (for example, recipients placed in To/Cc rather than
Bcc).
• Unauthorised data access by a colleague or staff member without the
proper credentials.
• Spoofing, phishing and BEC (business email compromise) attacks, including
hacking of the organisation's databases.
IMPACT OF A DATA BREACH

• Whatever the cause of a data breach may be, some form of harm can
result for the organisation, its employees and its customers or clients.
• The harm may include:
• financial,
• social,
• reputational,
• psychological, or physical impacts on an individual and
NOTIFICATION OF A DATA BREACH

• Whose duty is it to report a data breach?
• the supervisory authority?
• the company/organisation?
• Under Act 843 the duty lies with the company/organisation as data controller
(or a processor acting under its authority): it must notify the Commission and
the affected data subjects as soon as reasonably practicable after discovering
unauthorised access to or acquisition of personal data.
DATA PROTECTION COMMISSION IN THE
NEWS!
• Over 150 firms cited for breaching the Data Protection Act

• http://citifmonline.com/2017/06/20/over-150-firms-cited-for-breaching-data-protection-act/

• The issue?

• These companies violated the requirement to register with the Data
Protection Commission, in accordance with Section 27(1) of the
Data Protection Act, 2012 (Act 843).

• Some provisions of the law impose liability on individual employees, not
only on the company.


People are becoming aware of their rights!
• A senior academic at Lancaster University received a written
warning for making "illicit disclosures" after he responded to
a mother's complaint about her son's tuition.
• The professor replied immediately, listing the student's
modules, contact time etc.
BUT
• When the student became aware of the exchange, he
complained to the university that it had released the
information without his consent.
How the DPA works
• The Data Protection Act, 2012 was passed by Parliament to control
the way information is handled and to give legal rights to people
who have information stored about them.
• Basically it works by:
• setting up rules that people have to follow
• establishing the Data Protection Commission to enforce the rules

It does not stop organisations from storing and using information
about people.
It just makes them follow rules.
KEY ACTORS
• Data Protection Commission: responsible for the enforcement of the DPA.
• Data Controller: the person or organisation that determines the purpose of
and manner in which personal data is processed, and that collects, processes
and stores it. Each government department is treated as a data controller.
• Data Processor: usually a third party that processes personal data on behalf
of the Data Controller.
• Data Subject: the individual whom the personal data is about.

Personal data

• Personal data is any information that relates to and identifies you.

• This could be demographics, your location, your email address and
other identifying factors.
• It is usually in the news when it gets leaked (like the Ashley Madison
breach) or is used in a controversial way (as when Uber worked out from
ride data who was having an affair).
• Different companies collect your personal data:
• any time you have to enter your email address or credit card details you
are giving away your personal data.
• Companies use your data to provide you with personalised
suggestions of products and services.
Sensitive or Personally Identifiable Information
• Full name (if not common)
• Home address
• Social security number (SSN)
• Email address (if private from an association/club membership, etc.)
• National identification number
• Passport number
• IP address (when linked, but not PII by itself in US)
• Vehicle registration plate number
• Driver's license number
• Face, fingerprints, or handwriting
• Credit card numbers
• Digital identity
• Date of birth
• Birthplace
• Genetic information
• Telephone number
• Login name, screen name, nickname, or handle
Personal but not so sensitive
• First or last name, if common
• Country, Region, postcode or city of residence
• Age, especially if non-specific
• Gender or race
• Tribe
• Name of the school you attend or workplace
• Grades, salary, or job position
• Criminal record
Rationale for DPA 2012
• More and more organisations are using computers to store and
process personal information.

• There is an apparent danger that the information could be misused or


get into the wrong hands.

• Another reason the act was passed is to control the way information is
handled and to give legal rights to people who have information stored
about them.
Registration - https://dataprotection.org.gh/search-register
• "All who process personal information must register with the Commission unless otherwise directed. The Commission
registers Data Controllers and Processors online. As part of the measures to ensure openness and transparency, aspects of
the registered data controllers' and processors' information will be made available on the Commission's online public search
register".
• WHAT IS REGISTRATION?
• Registration is the process by which data controller(s) and processor(s) inform the Commission of the following:
• who they are;
• the type(s) of personal data they hold;
• the nature of the processing of personal information they engage in;
• how they ensure the protection of the personal information they collect or process; and
• who their contact person is for data protection issues.

• WHO SHOULD REGISTER (organisations processing personal data in areas such as the following)
• Accountancy and auditing
• Administration of justice
• Advertising, marketing and public relations for others
• Canvassing political support among the electorate
• Constituency casework
• Consultancy and advisory services
• Credit bureaus
• Crime prevention and prosecution of offenders (including some CCTV systems)
• Debt administration and factoring
• Education
• Health administration and provision of patient care
• Insurance administration
• Journalism and media
• Legal services
• Mortgage/insurance broking
• Pastoral care
• Pensions administration
• Personal information processed by or obtained from a credit reference agency
Exemptions
• Certain agencies or types of data are exempt from the DPA
• National Security
• Tax/revenue gathering agencies
• Judicial appointments & honours
• Corporate finance / negotiations
• Legal/professional privilege (doctor/patient)
• Human embryos/ IVF/adoption
The Eight Principles of DPA 2012
For the personal data that Data Controllers store and process:

1.It must be collected and used fairly and inside the law.
2.It must only be held and used for the reasons given to the Commission.
3.It can only be used for those registered purposes and only be disclosed to those people
mentioned in the register entry.
4.The information held must be adequate, relevant and not excessive when compared
with the purpose stated in the register.
5.It must be accurate and be kept up to date.
6.It must not be kept longer than is necessary for the registered purpose.
7.The information must be kept safe and secure.
8.The files may not be transferred outside Ghana unless the country that the data
is being sent to has a suitable data protection law.
Principle 1 :Processing personal data fairly and lawfully
• This is the first data protection principle. In practice, it means that you
must:
• have legitimate grounds for collecting and using the personal data;
• not use the data in ways that have unjustified adverse effects on
the individuals concerned;
• be transparent about how you intend to use the data, and give
individuals appropriate privacy notices when collecting their
personal data;
• handle people’s personal data only in ways they would reasonably
expect; and
• make sure you do not do anything unlawful with the data.
Principle 1
• The Data Protection Act says that information should be treated as being obtained fairly if it is
provided by a person who is legally authorised, or required, to provide it.

Example 1
Personal data will be obtained fairly by the tax authorities if it is obtained from an
employer who is under a legal duty to provide details of an employee’s pay, whether or not
the employee consents to, or is aware of this.
• However, to assess whether or not personal data is processed fairly, you must consider more
generally how it affects the interests of the people concerned – as a group and individually.
Example 2
Where personal data is collected to assess tax liability or to impose a fine for breaking the
speed limit, the information is being used in a way that may cause detriment to the
individuals concerned, but the proper use of personal data for these purposes will not be
unfair.
Principle 1
• Is it possible to use or disclose personal data for a new purpose?
Example 4
A bookshop has had some customers for many years and has regularly sent them catalogues of new books. After a
while the company also started selling phones and other electronic gadgets. It is likely to be fair to start sending
catalogues advertising phones to long-established customers, who are unlikely to be surprised that the company
has diversified. However, customers are less likely to consider it reasonable if the company uses the interests they
have shown by their purchases to promote another company’s themed holidays (for example, holidays in Dubai or
Bali). Passing details of customers and their interests to other companies for marketing is likely to be unfair unless
they have agreed to this.

Example 5 - Local
The HR dept. has collected and kept job applicants' data for many years. As part of a
strategy to reach as many clients as possible with a new contraceptive product,
Marketing asks the IT dept. to extract the applicants' data for an email advertisement.

Is this a fair use? (Applicants gave their data for recruitment; using it to market an
unrelated product is something they would not reasonably expect, so without their
consent it is unlikely to be fair.)


Principle 1
• What about disclosures that are in the best interests of the individual
concerned?
Example 6
A representative of ECG calls at a property to disconnect the electricity supply. He finds
that the property has been burgled and is not secure. The householder is out (and
cannot be contacted). He therefore telephones the police. This is likely to involve
disclosing the fact that the householder's electricity is being cut off for non-payment.
In such circumstances, it is reasonable to assume that, even if the householder may be
embarrassed that others will know they have not paid their bills, they would be more
concerned about the burglary and about the protection of their property.
Principle 2:Processing personal data for specified purposes
• In practice, the second data protection principle means that you must:
• be clear from the outset about why you are collecting personal
data and what you intend to do with it;
• comply with the Act’s fair processing requirements – including the
duty to give privacy notices to individuals when collecting their
personal data;
• comply with what the Act says about registering with the Data
Protection Commission; and
• ensure that if you wish to use or disclose the personal data for any
purpose that is additional to or different from the originally
specified purpose, the new use or disclosure is fair.
Principle 2
• Why do I need to specify the purpose (or purposes) for which
personal data is to be processed?
• You need to be clear about the purpose or purposes for which you hold
personal data so that you can then ensure that you process the data in a way
that is compatible with your original purpose or purposes.
• Once personal data has been obtained for a specified purpose, can it
then be used for other purposes?
• The Data Protection Act does not prohibit this, but it does place a limitation
on it: the second data protection principle says, in effect, that personal data
must not be processed for any purpose that is incompatible with the original
purpose or purposes.
Principle 2
• When is one purpose compatible with another?
• If you wish to use or disclose personal data for a purpose that was not
contemplated at the time of collection (and therefore not specified in a
privacy notice), you have to consider whether this will be fair.
Example 7
A GP discloses his patient list to his wife, who runs a travel agency, so that
she can offer special holiday deals to patients needing recuperation.
Disclosing the information for this purpose would be incompatible with
the purposes for which it was obtained.

Example 8
The husband of the HR manager at XYZ owns an insurance company. She
decides to extract employee data for her husband's company so that it can covertly
contact employees to offer its services. As in Example 7, this disclosure is
incompatible with the purpose for which the data was obtained.
Principle 3:The amount of personal data you may hold
• This is the third data protection principle. In practice, it means you
should ensure that:
• you hold personal data about an individual that is sufficient for the purpose you are holding
it for in relation to that individual; and
• you do not hold more information than you need for that purpose.
• So you should identify the minimum amount of personal data you need
to properly fulfil your purpose. You should hold that much information,
but no more. This is part of the practice known as “data minimisation”.
• What is meant by “adequate, relevant and not excessive”?
• The Data Protection Act does not define these words.
• When is an organisation holding too much personal data?
• You should not hold more personal data than you need. Nor should the data you hold include
irrelevant details.
Principle 3
• Where sensitive personal data is concerned, it is particularly important to make
sure you collect or retain only the minimum amount of information you need.
Example 10
A recruitment agency places workers in a variety of jobs. It sends applicants a general questionnaire, which includes specific
questions about health conditions that are only relevant to particular manual occupations. It would be irrelevant and
excessive to obtain such information from an individual who was applying for an office job.

Example 11
An employer holds details of the blood groups of all its employees. Some of them do hazardous work and the information is
needed in case of accident. For the rest of the workforce, though, such information is likely to be irrelevant and excessive.

• When is an organisation holding insufficient personal data?


Example 12
A CCTV system is installed to identify individuals entering and leaving a building. However, the quality of the CCTV images is
so poor that identification is difficult. This undermines the purpose for which the CCTV system was installed.

Example 13
Keeping a paper-based employee attendance sheet on which staff scribble in all kinds of handwriting, so that entries
cannot reliably be read or attributed to the right person.
Principle 4: Keeping personal data accurate and up to date
• To comply with these provisions you should:
• take reasonable steps to ensure the accuracy of any personal data you obtain;
• ensure that the source of any personal data is clear;
• carefully consider any challenges to the accuracy of information; and
• consider whether it is necessary to update the information.
• Keeping Records of Mistakes
• Keeping a record of a mistake and its correction might also be in the
individual's interests.
Example 13
A misdiagnosis of a medical condition continues to be held as part of a patient's
medical records even after the diagnosis has been corrected, because it is relevant
for the purpose of explaining the treatment given to the patient, or additional health problems.
Principle 4
• What are “reasonable steps”?
• This will depend on the circumstances and, in particular, the nature of the personal data
and what it will be used for. The more important it is that the personal data is accurate,
the greater the effort you should put into ensuring its accuracy.

Example 16
An organisation recruiting a driver will want proof that the individuals they interview are entitled to drive the type of
vehicle involved. The fact that an applicant states in his work history that he worked as a Father Christmas in a
department store 20 years ago will not need to be checked for this particular job.

Example 17
A business that is closing down recommends a member of staff to another organisation. Assuming the two employers
know each other, it may be reasonable for the organisation to which the recommendation is made to accept assurances
about the individual’s work experience at face value. However, if a particular skill or qualification is needed for the new
job role, the organisation would need to make appropriate checks.
Principle 5:Retaining personal data
• This is the fifth data protection principle. In practice, it means that
you will need to:
• review the length of time you keep personal data;
• consider the purpose or purposes you hold the information for in
deciding whether (and for how long) to retain it;
• securely delete information that is no longer needed for this
purpose or these purposes; and
• update, archive or securely delete information if it goes out of
date.
Principle 5
• Assuming that you have a good reason for processing personal data, it is
obvious that discarding that data too soon would be likely to disadvantage
your business and, quite possibly, to inconvenience the people the
information is about as well. However, keeping personal data for too long
may cause the following problems:
• There is an increased risk that the information will go out of date, and that
outdated information will be used in error – to the detriment of all concerned.
• As time passes it becomes more difficult to ensure that information is
accurate.
• Even though you may no longer need the personal data, you must still make
sure it is held securely.
• You must also be willing and able to respond to subject access requests for
any personal data you hold. This may be more difficult if you are holding more
data than you need.
Example 18
HR at ABC retains job applicants' data in order to contact them in future if a position becomes available.
Is it right to do this? (Only if applicants were told at collection that their data would be kept for this
purpose, and the data is reviewed and deleted after a defined retention period.)
Principle 5
• What determines the length of a retention period?
• Personal data will need to be retained for longer in some cases than in others. How long you retain
different categories of personal data should be based on individual business needs. A judgement must
be made about:
• the current and future value of the information;
• the costs, risks and liabilities associated with retaining the information; and
• the ease or difficulty of making sure it remains accurate and up to date.
• The appropriate retention period is also likely to depend on the following.
• What the information is used for
Example 18
A bank holds personal data about its customers. This includes details of each customer’s address, date of birth and mother’s maiden
name. The bank uses this information as part of its security procedures. It is appropriate for the bank to retain this data for as long
as the customer has an account with the bank. Even after the account has been closed, the bank may need to continue holding some
of this information for legal or operational reasons.

Example 19
Images from a CCTV system installed to prevent fraud at an ATM machine may need to be retained for several weeks, since a
suspicious transaction may not come to light until the victim gets their bank statement. In contrast, images from a CCTV system in a
pub may only need to be retained for a short period because incidents will come to light very quickly. However, if a crime is reported
to the police, the images will need to be retained until the police have time to collect them.
Principle 5
• The surrounding circumstances
• If personal data has been recorded because of a relationship between you and the
individual, you should consider whether you need to keep the information once the
relationship ends.
Example 20
A customer who no longer does business with you. When the relationship ends, you must decide what personal data to retain and
what to delete.
• You may not need to delete all personal data when the relationship ends. You may need
to keep some information so that you can confirm that the relationship existed – and
that it has ended – as well as some of its details.
Example 21
In the previous example, you may need to keep some personal data about the customer so that you can deal with any complaints
they might make about the services you provided.

Example 22
An employer should review the personal data it holds about an individual when that individual leaves the organisation’s
employment. It will need to retain enough data to enable the organisation to deal with, say, providing references or information
about the individual’s pension arrangements. However, personal data that is unlikely to be needed again should be removed from
the organisation’s records – such as the individual’s emergency contact details, previous addresses, or death-in-service beneficiary
details.
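The retention decisions in Examples 18 to 22 above are easier to apply consistently if the retention schedule is data, not a judgement made record by record. The following is an added example, not part of the original slides or of any Commission guidance: a small retention engine for an employer's leaver records. The field names, the retention periods in `RETENTION_DAYS_AFTER_END` and the sample `LEAVER` record are all constructed for the example; Act 843 does not prescribe these periods, so the controller has to set and justify its own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

# Assumed retention schedule (constructed for this example, not from the Act).
# Value = days a field may be kept after the employment relationship ends;
# 0 means remove it as soon as the person leaves (Example 22).
RETENTION_DAYS_AFTER_END = {
    "full_name": 6 * 365,            # needed to confirm the relationship existed
    "employment_history": 6 * 365,   # providing references (assumed period)
    "pension_details": 6 * 365,      # pension arrangements (assumed period)
    "payroll_bank_account": 90,      # final pay corrections only (assumed period)
    "emergency_contact": 0,          # not needed once staff leave
    "previous_addresses": 0,
    "death_in_service_beneficiary": 0,
}


@dataclass(frozen=True)
class RetentionDecision:
    keep: dict                 # fields still within their retention period
    purge: dict                # fields to delete securely now
    unregistered: dict         # fields with no documented purpose: review, never keep by default
    next_review: Optional[date]  # earliest date at which a kept field expires


def _as_date(value: Union[date, str, None]) -> Optional[date]:
    """Accept date objects or ISO strings (YYYY-MM-DD)."""
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(value)


def apply_retention(record: dict, end_date: Union[date, str, None],
                    today: Union[date, str]) -> RetentionDecision:
    """Decide, field by field, what may still be held about one individual.

    end_date is None while the relationship is active; otherwise it is the
    date the relationship ended (for example the employee's last day).
    """
    end_date, today = _as_date(end_date), _as_date(today)
    keep, purge, unregistered = {}, {}, {}
    expiry_dates = []
    for name, value in record.items():
        limit = RETENTION_DAYS_AFTER_END.get(name)
        if limit is None:
            # No registered purpose for this field (Principles 2 and 3): flag it.
            unregistered[name] = value
            continue
        if end_date is None:
            keep[name] = value  # still needed for the live relationship
            continue
        expires = end_date + timedelta(days=limit)
        if today > expires:
            purge[name] = value
        else:
            keep[name] = value
            expiry_dates.append(expires)
    return RetentionDecision(keep, purge, unregistered,
                             min(expiry_dates) if expiry_dates else None)


# Constructed sample record (assumption): a member of staff who left on 31 Jan 2024.
LEAVER = {
    "full_name": "A. Mensah",
    "employment_history": ["Analyst, 2019-2024"],
    "pension_details": "scheme ref 12345",
    "payroll_bank_account": "GH-0000-0001",
    "emergency_contact": "K. Mensah, 024 000 0000",
    "previous_addresses": ["Plot 5, Osu", "Flat 2, Dansoman"],
    "death_in_service_beneficiary": "K. Mensah",
    "shoe_size": 42,  # collected for a uniform order; no retention rule registered
}

if __name__ == "__main__":
    decision = apply_retention(LEAVER, "2024-01-31", "2024-03-01")
    print("keep:", sorted(decision.keep))
    print("purge now:", sorted(decision.purge))
    print("review (no purpose):", sorted(decision.unregistered))
    print("next review due:", decision.next_review)
```

Two design points matter more than the numbers. A field with no entry in the schedule is surfaced for review rather than silently kept, which is how Principle 3's "not excessive" test gets enforced in practice, and `next_review` gives a scheduled job a concrete date to run again, so retention is reviewed rather than left open-ended.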
Principle 6: The rights of individuals (the data subject)
• This is the sixth data protection principle, and the rights of individuals
that it refers to are:
• a right of access to a copy of the information comprised in their
personal data;
• a right to object to processing that is likely to cause or is causing
damage or distress;
• a right to prevent processing for direct marketing;
• a right to object to decisions being taken by automated means;
• a right in certain circumstances to have inaccurate personal data
rectified, blocked, erased or destroyed; and
• a right to claim compensation for damage caused by a breach of the Act.
Principle 6: Subject access request
• What is an individual entitled to?
• Under the right of subject access, an individual is entitled only to their own personal data, and not
to information relating to other people (unless they are acting on behalf of that person)
• What is a valid subject access request?
• For a subject access request to be valid, it should be made in writing. You should also note the
following points when considering validity:
• Can I require individuals to use a specially designed form when making subject access requests?
• No. Many organisations produce subject access request forms, and you may invite individuals to
use such a form as long as you make it clear that this is not compulsory.
• I have received a request but need to amend the data before sending out the response. Should I send out
the “old” version?
• The Act specifies that a subject access request relates to the data held at the time the request was
received.
• Do I have to explain the contents of the information I send to the individual?
Example 23
You receive a subject access request from someone whose English comprehension skills are quite poor. You send a response and they ask you to translate the
information you sent them. The Act does not require you to do this since the information is in intelligible form, even if the person who receives it cannot
understand all of it. However, it would be good practice for you to help them understand the information you hold about them..

• Can I charge a fee for dealing with a subject access request?
• Yes, an organisation receiving a subject access request may charge a fee for dealing with it, except in certain circumstances relating to health records.
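Two of the points above have direct engineering consequences: the requester is entitled only to their own personal data, and the request relates to the data held at the time it was received. The following is an added example, not part of the original slides: a minimal subject-access workflow that snapshots the record at receipt, so later amendments do not change the response, and redacts other data subjects' names and identifiers from free-text notes. The `STORE` contents, staff ids and the `[third party]` placeholder are constructed for the example.

```python
import copy
import re
from datetime import date

# Constructed sample HR data store (assumption): records keyed by staff id.
# Free-text notes may mention other people, whose data the requester is not
# entitled to receive.
STORE = {
    "E100": {
        "full_name": "Ama Mensah",
        "email": "ama.mensah@example.com",
        "role": "Analyst",
        "notes": ["Late on 3 Feb; shift covered by Kofi Boateng.",
                  "Requested remote working on Fridays."],
    },
    "E204": {
        "full_name": "Kofi Boateng",
        "email": "kofi.boateng@example.com",
        "role": "Team Lead",
        "notes": ["Approved leave for Ama Mensah, 10-14 June."],
    },
}


def receive_request(store: dict, subject_id: str, received_on: date) -> dict:
    """Log the request and snapshot the data held on the day it was received.

    The response must reflect the data held at that time, so the live store
    may be amended afterwards without changing what the subject gets.
    """
    return {
        "subject_id": subject_id,
        "received_on": received_on,
        "snapshot": copy.deepcopy(store.get(subject_id, {})),
        # Names of every data subject known at receipt, used for redaction.
        "directory": {sid: rec["full_name"] for sid, rec in store.items()},
    }


def redact_third_parties(text: str, subject_id: str, directory: dict) -> str:
    """Replace other data subjects' names and ids with a placeholder."""
    for other_id, other_name in directory.items():
        if other_id == subject_id:
            continue  # the requester's own name stays in the response
        text = re.sub(r"\b" + re.escape(other_name) + r"\b", "[third party]",
                      text, flags=re.IGNORECASE)
        text = re.sub(r"\b" + re.escape(other_id) + r"\b", "[third party]", text)
    return text


def fulfil_request(request: dict) -> dict:
    """Build the response: the requester's own data only, third parties redacted."""
    sid, directory = request["subject_id"], request["directory"]
    response = {}
    for field_name, value in request["snapshot"].items():
        if isinstance(value, str):
            response[field_name] = redact_third_parties(value, sid, directory)
        elif isinstance(value, list):
            response[field_name] = [redact_third_parties(v, sid, directory) for v in value]
        else:
            response[field_name] = value
    return response


def demo() -> tuple:
    """Receive a request, amend the live record afterwards, then fulfil it."""
    store = copy.deepcopy(STORE)
    request = receive_request(store, "E100", date(2024, 3, 1))
    store["E100"]["role"] = "Senior Analyst"  # amendment made after receipt
    return fulfil_request(request), store["E100"]["role"]


if __name__ == "__main__":
    response, live_role = demo()
    print("live role now:", live_role)
    print("response:", response)
```

Name-based redaction is only as good as the directory it is given; in a real system the notes would also be checked for phone numbers, email addresses and similar identifiers, and anything the automated pass cannot classify should go to a human reviewer before release.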
Principle 6: damage or distress
• What is meant by “damage or distress”?
Example 24
An individual is refused a job in the construction industry and discovers that this is because the prospective employer checked his
name against a blacklist maintained by a third party. The blacklist consists of the names of people who are regarded as unsuitable
to be employed in the construction industry because they are trade union activists. The individual writes to the person who
maintains the blacklist asking them to remove his name as it is denying him the opportunity to gain employment.
In these circumstances, the person who maintains the blacklist would have great difficulty in establishing any legitimate basis for
processing the individual’s personal data in this way – because the assessment of “unsuitability” is arbitrary and lacks justification,
and because the individuals concerned were not told that their names had been placed on the blacklist. In any event, the individual
can show that he is suffering damage due to this processing and that this is substantial as it could continue to prevent him getting
a job. It cannot be argued that the damage was warranted, because the processing was for an improper purpose. The person who
maintains the blacklist would therefore have to comply with the objection. He must cease processing the individual’s personal data
in this way, and must respond to the objection within 21 days confirming that he has done so.
• The Act recognises that organisations may have legitimate reasons for keeping records about
people which may have a “negative” effect on them.
Example 25
An individual writes to his local council asking them to stop using his personal data for administering and collecting Council Tax. Despite his argument
that the processing is financially damaging and very irritating, it is clear that the cost to the individual is not unwarranted and that his annoyance at
having to pay does not constitute substantial distress.
Principle 6:Automated decision taking
• When do the rights arise (what is an automated decision)?
Example 25
An individual applies for a personal loan online. The website uses algorithms and auto
credit searching to provide an immediate yes/no decision on the application.
Example 25
A factory worker’s pay is linked to his productivity, which is monitored automatically. The
decision about how much pay the worker receives for each shift he works is made
automatically by reference to the data collected about his productivity.
• So the rights explained here do not apply to any decision involving human intervention. Many
decisions that are commonly regarded as “automated” actually involve human intervention.
Example 25
An employee is issued with a warning about late attendance at work. The warning was issued because the
employer’s automated clocking-in system flagged the fact that the employee had been late on a defined
number of occasions. However, although the warning was issued on the basis of the data collected by the
automated system, the decision to issue it was taken by the employer’s HR manager following a review of
that data. So the decision was not taken by automated means.
Principle 6: Correcting inaccurate personal data
• What if the inaccurate information was received from the individual concerned or
from a third party?
Example 25
A couple who have a seriously ill baby object to the contents of their child’s hospital records, saying they are inaccurate. Some of the information they
object to came from the baby’s health visitor. Having tried without success to resolve the dispute informally, they go to court to ask for the records to be
amended.
The court could order the hospital to rectify, block, erase, or destroy any inaccurate personal data. To the extent that the inaccurate data was provided
by the health visitor, the court could (as an alternative) order that the data be supplemented by a statement of the true facts.

• What about opinions based on inaccurate personal data?
• This right also applies to personal data that contain an expression of opinion based on inaccurate personal data.

Example 25
In the example above, the child’s parents claim that one of the reasons the hospital’s records are inaccurate is that they include a doctor’s opinion which
is based on the inaccurate information provided by the health visitor. If it agrees, the court may order that the statement of opinion be rectified,
blocked, erased or destroyed. Alternatively, it may order that the statement of opinion be supplemented by a statement recording that it was based on
inaccurate information.
Principle 6: Compensation
• Distress to the Data Subject
• In many cases, a breach of the Act will not cause an individual financial loss,
but it may be distressing to find that personal data has been processed
improperly.
Example 25
An individual’s name is entered onto an employee fraud database without justification. The individual is understandably distressed to discover the
implication that he is a fraudster. However, the information about him is removed from the database before he applies for a new job, and so he suffers
no damage as a result of the error. The employee has no entitlement to compensation for distress alone.

Example 25
In the previous example, the fact that the individual’s name appears on the fraud database prevents him from obtaining a job he has applied for. He
suffers financial damage as a result. He is entitled to claim compensation for this damage and for the distress he has suffered as well.
Principle 7: Information security
• This is the seventh data protection principle. In practice, it means you must have appropriate security to
prevent the personal data you hold being accidentally or deliberately compromised. In particular, you
will need to:
• design and organise your security to fit the nature of the personal data you hold and the harm that may result
from a security breach;
• be clear about who in your organisation is responsible for ensuring information security;
• make sure you have the right physical and technical security, backed up by robust policies and procedures and
reliable, well-trained staff; and
• be ready to respond to any breach of security swiftly and effectively.
• Why should I worry about information security?
• Information security breaches may cause real harm and distress to the individuals they affect, for example:
• fake credit card transactions;
• witnesses at risk of physical harm or intimidation;
• offenders at risk from vigilantes;
• exposure of the addresses of service personnel, police and prison officers, and women at risk of domestic violence;
• fake applications for tax credits; and
• mortgage fraud.
Example 25
An organisation verifies the identity of its employees when they are recruited by asking to see passports or driving licences before they start work. It also
obtains appropriate references to confirm their reliability. The organisation’s standard contract of employment sets out what staff can and cannot do
with the personal data they have access to.
The conditions for processing
• The Data Protection Act sets out the conditions under which personal data
may be processed. Unless a relevant exemption applies, at least one of the
following conditions must be met whenever you process personal data:
• The individual whom the personal data is about has consented to the
processing.
• The processing is necessary:
• in relation to a contract which the individual has entered into; or
• because the individual has asked for something to be done so they can enter
into a contract.
The conditions for processing
• What is the “legitimate interests” condition?
• The Data Protection Act recognises that you may have legitimate reasons for processing
personal data that the other conditions for processing do not specifically deal with
Example
A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved
house without notifying the finance company of his new address. The finance company engages a debt collection agency to find the customer and
seek repayment of the debt. It discloses the customer’s personal data to the agency for this purpose. Although the customer has not consented to
this disclosure, it is made for the purposes of the finance company’s legitimate interests, i.e. to recover the debt.

• When is processing “necessary”?


Example
An employer processes personal data about its employees on the basis that it is necessary to do so in connection with their individual contracts of
employment and to comply with the employer’s legal obligations. However, the employer decides to outsource its HR functions to an overseas
company and transfers its employees’ data to that company. It is not “necessary” to transfer the data overseas for these purposes, and the
employer would instead have to rely on consent, or on the legitimate interests condition, to be able to process its employees’ personal data in this
way.
Exemptions
• Disclosure and non-disclosure – when do the exemptions apply?
• the prevention or detection of crime;
• the capture or prosecution of offenders; and
• the assessment or collection of tax or duty.
Example
The police process an individual’s personal data because they suspect him of involvement in a serious crime. If telling the individual they are processing
his personal data for this purpose would be likely to prejudice the investigation (perhaps because he might abscond or destroy evidence) then the police
do not need to do so.

Example
A taxpayer makes a subject access request to HMRC for personal data they hold about him in relation to an ongoing investigation into possible tax
evasion. If disclosing the information which HMRC have collected about the taxpayer would be likely to prejudice their investigation (because it would
make it difficult for them to collect evidence, for example), HMRC could refuse to grant subject access to the extent that doing so would be likely to
prejudice their investigation.
If, however, the taxpayer does not make the subject access request until some years later when the investigation (and any subsequent prosecution) has
been completed, it is unlikely that complying with the request would prejudice the crime and taxation purposes – in which case HMRC would need to
comply with it.

Example
The police ask an employer for the home address of one of its employees as they wish to find him urgently in connection with a criminal investigation.
The employee is absent from work at the time. The employer had collected the employee’s personal data for its HR purposes, and disclosing it for
another purpose would ordinarily breach the first and second data protection principles.
CYBER SECURITY ACT

ACT 1038

DEFINITION
Cybersecurity can be defined as the protection of internet-connected systems such as hardware, software and data from cyberthreats.

The Cyber Security Act was assented to by the President of Ghana on 29th December 2020.
WHAT MAY HAVE NECESSITATED THE
ENACTMENT OF THE ACT (Section 3)
• To regulate cybersecurity activities in the country (Ghana)
• To promote the development of cybersecurity in the country and to provide for related matters
• Establish a platform for cross-sector engagement on matters of cybersecurity for effective coordination and co-operation between key public institutions and the private sector
• Create awareness of cybersecurity matters
• Regulate owners of critical information infrastructure in respect of cybersecurity activities, cybersecurity service providers and practitioners in Ghana.
KEY SECTIONS OF THE ACT AND HOW THEY
RELATE TO SPECIFIC CRIMES
• Protection of Children Online and Sexual Offences, which aids in curbing crimes like cyber bullying.
• Licensing of cybersecurity service providers. All cybersecurity service providers must have a licence from the Authority. The modalities for obtaining the licence must be followed. A licence obtained cannot be transferred to another person. A licence is valid for only two years.
• Cybersecurity and investigatory powers. Gives guidelines on how to obtain a person's cyber information to aid investigations. Covers the issuance of interception warrants for traffic data. Gives guidelines for the interception of content data.
• Critical information infrastructure. Critical computer systems need to be determined and guidelines published to that effect. All critical systems shall be registered. All cybersecurity providers must register with the Authority.
WHAT SPECIFIC CRIMES DOES THE
ACT TACKLE? (Section 61)
• Internet hacking, which is an attempt to exploit a computer system or a private network inside a computer
• Cyber fraud
• Cyber bullying
• Cyber stalking
• Sexual extortion
• Nonconsensual sharing of intimate images
• Indecent image or photography of a child
• Sexual abuse and threat to distribute a prohibited intimate image or visual recording.
WHO ARE THE KEY ACTORS
MENTIONED IN THE ACT? (Section 5)
• The Minister responsible for communications, the interior, national security and defence.
• The Director General of the Authority
• Three persons nominated by the Industry Forum, and other persons nominated by the President on the advice of the Minister, at least two of whom are women
WHAT ARE THE SOCIAL AND LEGAL
IMPLICATIONS OF THE ACT IN GHANA?
• It is an offence for a person to release or put indecent images of children online.
• It is an offence even merely to keep or possess indecent images of children.
• It is an offence to publish an indecent photograph, image or visual recording of a child.
• The Act protects children against cyber seduction, solicitation, grooming and enticement.
• Internet service providers, operators of online services, weblogs, etc. risk being charged for aiding and abetting persons who seduce, solicit, lure or groom children, or attempt to do so.
WHAT ARE THE SOCIAL AND LEGAL
IMPLICATIONS OF THE ACT IN GHANA?
• A person who, without lawful authority, retrieves subscriber information or intercepts traffic data or content data, commits an offence and is liable on summary conviction to a fine of not less than two thousand five hundred penalty units and not more than fifteen thousand penalty units or to a term of imprisonment of not less than two years and not more than five years or to both.

• A person who contravenes a section of this Act for which a penalty is not provided commits an offence and is liable on summary conviction to a fine of not less than two thousand five hundred penalty units and not more than twenty thousand penalty units or to a term of imprisonment of not less than two years and not more than five years or to both.
ELECTRONIC
COMMUNICATIONS ACT, 2008
ACT 775
What necessitated the enactment of the Act

ELECTRONIC COMMUNICATIONS ACT, 2008

An Act to provide for the regulation of electronic communications, the regulation of broadcasting, the use of the electro-magnetic spectrum and for related matters.

Application and Scope

The Act applies to:
(a) electronic communications and broadcasting service providers, and
(b) electronic communications and broadcasting networks.
Legal implications of the Act in Ghana?

• IMPLICATIONS

• A service provider is obliged to provide rates that are fair and reasonable and shall not discriminate among similarly situated persons, including the service provider and any body corporate with which it is affiliated, except as otherwise provided in the law in accordance with section 25 (2) and (4) of the Electronic Communications Act, 2008 (Act 775).
Relevant portions in the act
In article 28, the Authority is to “prepare a Consumer
Code on its own or in conjunction with the Industry
Forum which shall include procedures for reasonably
meeting consumer requirements, the handling of
customer complaints and disputes and for the
compensation of customers in case of a breach of the
Consumer Code, and the protection of consumer
information.”
The Consumer Code may provide for the provision
of information to customers on services, rates and
performance, the provision of technical support to
customers and repair of faults, advertisement of
services, and customer charging, billing, collection
and credit practices.
Key sections of the Act

• Application
• Broadcasting service
• Licences and frequency authorization
• Interconnection
Service providers

• Have service providers evolved?
• Example: Kelvin Taylor, Twene TV, Kofi TV etc.
• Is the Act still relevant?
• Is it adequate?
Key sections of the Act

• Access to facilities and international transmission capacity
• Universal service, universal access and tariffs
• Consumer protection
• Industry Forum
• Ghana Investment Fund for Electronic Communications
• Rural communications services
What specific crimes does the Act tackle?

Sections
• Broadcasting service
• Interconnection
• Consumer protection
• Spectrum management
• Enforcement powers of the Authority
• Offences
• Resolution of disputes
• Testing and inspection
What specific crimes does the Act tackle?

OFFENCES

Broadcasting service (Section 19).

• (4) A service provider or network operator or a person holding a frequency authorization that fails, within the period specified, to make a return or furnish documentation to the Authority in accordance with directions issued under subsection (1) commits an offence and is liable on summary conviction to a fine of not more than two thousand penalty units.
What specific crimes does the Act tackle?

Spectrum Management
• (4) A service provider or network operator or a person holding a
frequency authorization that fails, within the period specified, to make
a return or furnish documentation to the Authority in accordance with
directions issued under subsection (1) commits an offence and is
liable on summary conviction to a fine of not more than two thousand
penalty units.

What specific crimes does the Act tackle?

The Act tackles crimes by a person who:

knowingly fails to comply with prescribed standards and requirements for the use of radio spectrum,

provides electronic communications service without a licence where a licence is required for that service,

knowingly uses equipment in a manner that causes harmful interference,

knowingly obstructs or interferes with the sending, transmission, delivery or reception of communication.
What specific crimes does the Act tackle?

An offence is committed by a person who:

 knowingly fails to comply with or acts in contravention of this Act,
 knowingly fails to comply with prescribed standards and requirements for the use of radio spectrum,
 provides electronic communications service without a licence where a licence is required for that service,
 knowingly uses equipment in a manner that causes harmful interference,
 knowingly obstructs or interferes with the sending, transmission, delivery or reception of communication,
 intercepts or procures another person to intercept, without the authorization of the provider or user, or a court order, or otherwise obtains or procures another person to obtain, unlawful access to communication transmitted over an electronic communications network.
What specific crimes does the Act tackle?

Offences are stated in Section 73

• An offence is committed by a person who:

(g) uses, or attempts to use, the content of any communication, knowing or having reason to believe that the content was obtained through unlawful interception or access under paragraph (e),
(h) is not the sender or intended recipient of a transmitted message or data but who interferes with, alters or modifies, diverts, unlawfully discloses or decodes the transmitted message or data, or facilitates the commission of these acts,
(i) steals a transmitted message or data,
(j) sells,
(i) or manufactures any system, equipment, card, plate or other device, or
(ii) offers for sale, produces, distributes electronic communication service, without licence, or
(k) wilfully obstructs, hinders, molests or assaults personnel of the Authority duly engaged in the exercise of power conferred on the Authority under this Act or the
What specific crimes does the Act tackle?

Example
A person who sends false or fake news on the COVID-19
pandemic through electronic means such as social media
especially WhatsApp, to the extent that it endangers the safety
of any person or prejudices the efficiency of life saving services
such as the steps being taken by the Government to halt and
contain the virus, commits an offence and may be liable to a fine
or a jail term not exceeding 5 years.

Who are the key actors mentioned in the Act?

 National Communications Authority

 Ministry of Foreign Affairs Ghana

 Investment Fund for Electronic Communications

 Electronic Communications Tribunal

 Operators of electronic communications networks and communication service

 Broadcasting services

 Auditor-General, Parliament, President

 Consumers
Who are the key actors mentioned in the Act?

The Committee consists of

(a) the Director-General of the Authority,
(b) the representative of the National Security Council on the Board of the Authority,
(c) one representative of
(i) the Civil Aviation Authority,
(ii) the Centre for Scientific and Industrial Research,
(iii) the public universities,
(iv) the National Maritime Authority, and
(v) the National Media Commission.
Social and legal implications of the Act in Ghana?

• IMPLICATIONS

• A service provider should endeavour to provide commensurate tariffs for the services rendered to the
public in order that ordinary Ghanaians can afford them unless otherwise in a circumstance addressed
by the law in section 25 (2) and (4) of the Act for a price regulation regime and cost ceiling for the
services provided by telecom companies to their subscribers.

Social and legal implications of the Act in Ghana?

• IMPLICATIONS

• The Consumer Code may provide for the provision of information to customers on services, rates
and performance, the provision of technical support to customers and repair of faults,
advertisement of services, and customer charging, billing, collection and credit practices.

• The NCA is obliged to even publish the ‘Consumer Code’ on its website. A detail of this
obligation is treated in Chapter three where the issue of consumer right, responsibilities and
advocacy were discussed.

Social and legal implications of the Act in Ghana?

• IMPLICATIONS

• Rights and Responsibilities on Products and Services. Considering the above subject and its associated legal implications, it can simply be deduced that the useful universal emergency numbers, for instance, as displayed on the SIM packs or Starter packs, seek to comply with article 23 of the Electronic Communications Act, 2008 (Act 775).
Social and legal implications of the Act in Ghana?

IMPLICATIONS

Responsibilities

• 4. Compare price, quality standards and features, and make informed decisions before making or entering into a contract.

• 5. Provide proof of purchase, receipts and documents, which should invariably be obtained and kept safely.

• 6. Pay bills promptly to avoid disconnection.

• 7. Inform the Service Provider about a lost or stolen SIM card.
Social and legal implications of the Act in Ghana?

IMPLICATIONS

• Responsibilities

• 8. Inform the Service Provider about changes in personal circumstances such as a change of name or address.

• 9. Keep receipts, cancelled contracts, bills and instructions. They will be useful in problem solving.

• 10. Desist from sending messages that are obscene, threatening or otherwise contrary to applicable laws or regulations.
ELECTRONIC
TRANSACTIONS ACT, 2008
ACT 772

INTRODUCTION

• The Electronic Transactions Act, 2008 (Act 772) is the seven hundred and seventy-second Act of the Parliament of the Republic of Ghana.

• The aim of this legislation was to provide for the regulation of electronic communications and related transactions. The Act was assented to on the 18th of December, 2008.

• This Act applies to electronic transactions and electronic records of every type.
OBJECTIVE OF THE ACT
The object of this Act is to provide for and facilitate electronic communications and related transactions in the public interest, and to

(a) remove and prevent barriers to electronic communications and transactions;

(b) promote legal certainty and confidence in electronic communications and transactions;

(c) promote e-government services and electronic communications and transactions with public and private bodies, institutions and citizens;

(d) develop a safe, secure and effective environment for the consumer, business and the Government to conduct and use electronic transactions;

(e) promote the development of electronic transaction services responsive to the needs of consumers;

KEY SECTIONS OF THE ACT

The key sections in the Act include:

• Electronic Transactions
• Electronic Government Services
• Consumer Protection
• Certifying Agency
• Domain name registry
• Protected Computers and Critical database
• Appeal Tribunal
• Industry Forums
• Cyber Inspectors
• Cyber Offences
ELECTRONIC TRANSACTIONS

• This section of the Act aids in governing electronic messages among parties and other pertinent issues. Sections 5 – 23 of the Electronic Transactions Act, 2008 only apply if the parties involved in generating, sending, receiving, storing or otherwise processing electronic records have not agreed on the issues provided for by these sections.

CONSUMER PROTECTION
• Consumer protection policies are put in place to protect consumers from fraud and other unfair practices. These ensure that consumers can make better choices during their transactions and also get help with complaints.

• Sections 47 to 54 of the Electronic Transactions Act, 2008 (Act 772) deal with consumer protection.

• Suppliers will have to provide all necessary information pertaining to their businesses to ensure that consumers are able to verify their authenticity. This information includes:

 full name and legal status;

 physical address and telephone number;

 website address and e-mail address;

 membership of any self-regulatory or related bodies and the contact details of the body;

 a code of conduct to which that supplier subscribes and how that code of conduct may be accessed electronically by the consumer;

 the registration number, the names of office bearers and the place of registration of a legal person;
PROTECTED COMPUTERS AND CRITICAL
DATABASES

• Sections 55 to 59 of the Electronic Transactions Act, 2008 (Act 772) look at the protection of IT systems such as computers and databases.

• They cover issues pertaining to protected computers, identification of critical electronic records and critical databases, the scope of critical database protection, registration of critical databases and management of critical databases.

CYBER INSPECTORS
• Sections 98 to 106 of the Act look at the operations of cyber inspectors. A cyber inspector is a member of staff of the National Information Technology Agency with power to monitor, investigate and prosecute any offence under this Act, and any other law enforcement agency acting under any provision of this Act.

• Section 98 subsections (1) and (2) of the Electronic Transactions Act state: (1) “This provision is in addition to the powers of arrest, search and seizure of a law enforcement agency provided by law.” (2) “A law enforcement agent may seize any computer, electronic record, program, information, document, or thing in executing a warrant under this Act if the law enforcement officer has reasonable grounds to believe that an offence under this Act has been or is about to be committed.”
SPECIFIC CRIMES TACKLED BY THE ACT

• Sections 107 to 140 of the Electronic Transactions Act look at the specific crimes that are tackled by the Act. Some include:
• Stealing
• Conspiracy
• Forgery
• Aiding and Abetting
• Unauthorized Access to Protected Computers
• Possession of electronic counterfeit-making equipment
• General offence for fraudulent electronic fund transfer
• Child Pornography
• Unauthorized modification of computer programme or electronic record
• Unlawful access to stored communications
• Obtaining electronic payment medium falsely
• Unauthorized disclosure of access codes
KEY ACTORS
• The Government
• Consumers
• Suppliers
• The Parliament of the Republic of Ghana
IMPLICATIONS OF THE ACT

• To say that an electronic transaction complies with legal requirements is one thing. To have a
sufficient degree of trust in an electronic transaction such that one is willing to ship product,
transfer funds, or enter into a binding contractual commitment in real time is something else.
Clicking on an “I Agree” button, for example, can create a legally valid electronic signature,
but if it becomes necessary to enforce that transaction in court, how do you prove “who”
clicked? Trust, of course, plays a role in virtually all commercial transactions.

• Regardless of whether the deal is struck in cyberspace or in the more traditional paper-based
world, each of the transacting parties must have some level of trust before they will be willing
to proceed with the transaction.
LEGAL IMPLICATIONS OF THE ACT

• The existence of this Act is imperative in the day-to-day governance and overall operations of transactions in the Ghanaian digital space.

• The COVID-19 pandemic has seen a massive number of organizations move a large part of their operations to the web space.

• According to the Bank of Ghana (2021), there has been a steady increase in mobile money transactions since the COVID-19 outbreak.

• This Act has made it possible for understanding and legal frameworks to operate smoothly within the Ghanaian space. However, a lot of work must be done to increase the confidence citizens and consumers have in the Act, to ensure efficient and swift justice when perpetrators are caught.

PAYMENT SYSTEM DATA