8TH OCTOBER 2020
Chairman and Members of the Board of DPC,
Heads of Agencies
Friends from the Media
Ladies and Gentlemen
Ghana like many nations globally, has adopted the use of Information and Communication Technology (ICT) for accelerated national development. This process is backed by our Information and Communication Technology for Accelerated Development Policy (ICT4AD) which emphasizes the importance of safeguarding data by ensuring that “the development, deployment and exploitation of ICTs within the economy and society and related legal and regulatory provisions will balance and protect community and individual interests, including privacy and data protection issues”. The increasing use of ICT tools and virtual platforms and services in all sectors of daily life was amplified by the COVID 19 pandemic which has introduced the new normal and made social and physical distancing an imperative. As more of our interactions move online, it is vital that we safeguard the data that is generated, that we put out there, and handle it in a secure manner.
The Data Protection Commission (DPC) was established by Act 843 in 2012 to train and upskill data protection professionals, educate the public to reduce the skills and knowledge deficit, support entities in the public and private sector with good governance of digitised data, and keep abreast with international best practices for protecting data and the privacy of individuals.
In our emerging borderless, digitised economy, international cooperation, safe transborder processing of data and digital identification of people using appropriate tools and technology is critical. Ghana is currently one of the few countries to pass the Data Protection Law and establish a Supervisory Authority in Africa and was amongst the first three countries to ratify the African Union Convention on Cyber Security and Personal Data Protection, the Malabo convention.
Last year we hosted the first African Regional Data Protection Conference bringing together the global privacy community including the UN Special Rapporteur and representatives from the US FTC, UK Commission, European Union, Council of Europe and international organisations such as the GSMA, ECOWAS and the African Union. By all accounts, it was a very successful conference which we hope to institutionalize probably on a biennial basis.
The work of the Ghana Data Protection Commission has been recognised globally and it has been invited to participate in several international fora as the regional thought leader and trailblazer for the African Region and developing countries. We co-chair the Common Thread Network (CTN) of Commonwealth Data Protection Commissioners with the Information Commissioner of the United Kingdom. The UN has also selected Ghana as a casestudy nation to research and monitor the Ethics of Artifical Intelligence in the processing of personal data for the region. The knowledge gained will be used to set best practice standards for the region. Ghana is also piloting the implementation of requirements for a harmonised Data Protection Law for Africa. The benefit of this will be a standardised and consistent approach to handling data across the region and as we gear up to implement the AfCFTA, African Interstate and International Trade will not only benefit from this harmonised DP regime, but cross-border processing of data should also be smoother.
The DPC has, since July 2017, addressed several inherited challenges with the support of the Ministry of Communications to improve its state of maturity as a newly established government institution; such as enhancing the capacity of its personnel and the acquisition of a state-of-the-art Registration Software for a more effective and efficient delivery of its mandate.
The New Registration Software is interactive.
Applicant Data Controllers now have a login to a profile area, that provides them visibility into their registration record. You can login whenever, to review, amend or update your information held.
The system automatically assesses your institution’s state of compliance as you complete your form online and presents you with a percentage score against a 100% weighted state of compliance.
You receive a roadmap of milestones to achieve as the next steps following registration. The systems allows the upload of photos, videos and other documents as evidence of your accountability to your data subjects and the DPC.
The Commission is able to share letters and messages with you in your profile space.
These enhanced features fulfill DPC’s trifold objective of increased Transparency, Building Trust between the Commission, Data Controllers and Data Subjects; all in the effort towards National Transformation.
THE 6 MONTHS AMNESTY ANNOUNCEMENT
Ladies and Gentlemen
The Commission solely relies on Internally Generated Funds (IGF) and donor funds and so it expects all affected by the Act 843 (which is every entity in the country), to duly register and pay the required fees but unfortunately, several qualifying entities have failed to register with the commission since 2012. Though they should have been sanctioned under the law, the commission has refrained from doing so while it steps up public education. However, with the support of the Ministry of Communications, Arrears Invoice generation is now possible for every incorporated business and established entities that process personal data , with this software.
What this means practically is that the New Registration Software has the functionality to calculate all payments due to the Commission since 2012 when the law became effective. This is in compliance with the transitional provisions in section 97 of the Act 843, which stipulate that if your entity existed before May 2012, you should have registered within 3 months (from August 2012) and renewed your licence every 2 years. i.e. 2014, 2016, 2018 and this year 2020. Newly incorporated entities should register within 20 days of the business commencement.
The DPC now has the capability to determine the total areas owed from May 2012 when you submit an application to register.
Considering the impact of the Covid-19 Pandemic on businesses, and in accordance with the regulations of section 94 of Act 843 empowering the Minster to extend the transitional period for Data Controllers, I have directed the Commission to grant an Amnesty for six months from the 1st of October 2020 to 31st March 2021 to allow defaulting Data Controllers to register with the Commission, and pay just the current years amount due; waiving any applicable arrears.
Data Controllers, I would like to take this opportunity to encourage you to take advantage of the Amnesty Period to be in good standing with the Commission. All entities which fail to regularize their operations with the DPC during this amnesty period will face the full brunt of the law after 31st March 2021. Please be advised and act accordingly.
Beyond, the improved interaction and collection of registration revenue with the New Registration Software, I have directed the Commission to engage with NITA, GIFEC and the Cyber Security Secretariat and other critical stakeholders in a collaborative effort to step up public education on the need to protect personal data, how to do so and monitor the compliance status of Data Controllers. Punitive enforcement of the law will only affect Data Controllers who continue to default despite our best efforts.
DPC will continue to collaborate with other government agencies and institutions such as NCA, GIFEC and NITA with the necessary expertise to achieve their mandate. The Ministry of Communication through NITA, has led the national effort in digitising the public sector with the “SmartWorkplace Office suite which ensures the automation of our internal processes; resulting in the achievement of paperless work and virtual office solutions. In compliance with Section 28 of Act 843, all entities are to ensure that they have “Appropriate Technology and Organisational Measures”. Over 300 MDA’s are currently using SWP.
The provision of the SmartWorkplace Office system will help the public sector develop the necessary organisational measures needed to protect the privacy of people as a fundamental human right; such as the centralised filing of business critical documents for online collaboration on ‘OneDrive’; eliminating the need to share personal data to private email addresses whilst providing an easily accessible, current version to all stakeholders. Now an up-to-date version of policies, procedures and other standard operating documents can and should be made accessible to staff without having to print numerous copies.
The Internal Audit Agency and the DPC will also sign an MOU today in a collaborative effort to train all Internal Auditors nationwide (approx. 2000 in number) to expand the scope of audit to include the requirements of the Act 843.
After the training, Internal Auditors will ensure that our institutions have the appropriate technology and adequate organisational measures such as the relevant training records, policies and critical documents related to the processing of personal data. Collaboration with NITA – (As the Technical Experts) and Cyber Security whose focus is on safeguarding critical infrastructure, will be enhanced to monitor compliance from institutions
Ladies and Gentlemen, the dynamics of data management nationwide has changed.
The Ministry of Communications, with the cross-functional delivery of its agencies, is systematically closing the digital gap with various interventions, weaving together the strands of achievement to ensure that we are progressively delivering transparency and promoting efficiency and trust in public and private institutions for a transformed Ghana.
We hope that in the post pandemic period ahead, the impact of these key achievements will be felt across the nation.
I declare the New Registration Software called the ‘DP-RegSys’ duly launched with a six-month Amnesty Period from 1st October 2020 to 31st March 2021.