Data Protection: Persons have the right for their data to be erased from a system - Adusei-Poku || The Law

Transcript
00:00 Hello, good afternoon and welcome to The Law. This is your legal light, it is your
00:06 health law and this is where we help you to appreciate the laws of Ghana and in
00:12 fact the laws that you ought to know globally not only of Ghana. And this
00:18 afternoon we'll be dealing with a very important subject matter and it has to
00:24 do with the subject of data. We live in a world where we now live virtually. We do
00:34 almost literally everything virtually on the cyber world and we are interacting
00:42 with data, that's what we do. Ghana passed a data protection act, a law in 2012 to
00:53 make sure that you are protected when your data is being dealt with. Your data
01:01 is circulated among many places, you go to passport office, you go to the
01:09 National Identification Authority, you go to the births and deaths, almost
01:15 everywhere you go and do or transact some business, your data is left there
01:24 somewhat. At the hospital, how must this be treated in the way that protects your
01:32 interests at all times. That's why this afternoon we have none other than the
01:41 head, the executive director and commissioner of the Data Protection
01:50 Authority or Commission to help you to appreciate the law. We'll take a quick
01:58 break, we'll be right back. I'll take you through the Constitution so that we do a
02:04 little exercise before we zoom into the discussion proper. I'm Samson Lardy Anyenini,
02:10 your host. This is the law, it is your legal light, it is your health law.
02:17 You're welcome back and this is the law, it is your legal light, it is your health
02:29 law. Let's first go to the 1992 Constitution which is the supreme law of
02:35 the country and Article 18. Article 18.1 says every person has a right to own
02:42 property either alone or in association with others. That's not what is important
02:48 to us for this afternoon. But 18.2 says no person shall be subjected to
02:54 interference with the privacy of his home, property, correspondence or
03:00 communication. This is very important for our discussion this afternoon. No person
03:08 shall be subjected to interference with the privacy of his home or her home,
03:15 property, correspondence or communication except in accordance with
03:23 law and as may be necessary in a free and democratic society for public safety
03:29 or the economic well-being of the country, for the protection of health or
03:35 morals, for the prevention of disorder or crime, or for the protection of the
03:41 rights or freedoms of others. So the laws of Ghana begin with the Constitution
03:51 which is the mother of all laws. It says no person or individual starting from
04:01 the president to the man on the streets, sweeper, has the right to interfere with
04:17 your privacy. No one has that right to interfere with your privacy. The things
04:25 you do in private that makes you a human being. So your correspondence, your
04:34 communication, nobody has a right to tap and be listening to you whilst you are
04:40 talking and having conversations with other people. No person has that right.
04:47 They cannot do that. The only exception allowed by law in which the privacy of
04:56 your home, your property, correspondence or communication may be interfered with
05:03 will have to be and even so has to be done in accordance with law. But the
05:10 circumstances that provide the exception, the law says public safety, if we must
05:18 interfere with your privacy for public safety, for the economic well-being of
05:25 this country, for the protection of the health or morals of this country, or for
05:31 the prevention of disorder or for the protection of the rights, disorder or
05:38 crime. So if you are engaged in a private conversation, no matter how private and
05:45 secretly you are doing and which is your privacy, if what you are doing is
05:51 towards the commission of a crime, there's no protection for you. That
05:57 protection will be taken away. Then we will deal with you according to the
06:03 law as a criminal suspect. So there is a body, an institution that has been set up
06:13 by Ghana. The authority given to Parliament and the President or the
06:23 Executive is what culminated into the Data Protection Act 2012. Data
06:30 Protection Act 2012 as assented to by the President on May 2012 and it began
06:38 operation on the 18th of May on the President assented on the 10th of May
06:45 and it began operation on the 18th of May 2012. So a body was set up and that
06:53 body has been working for a while now. It is known as the Data Protection
07:00 Commission. The Data Protection Commission. What are its objects? The law
07:05 says the main job of the Data Protection Commission is to protect the privacy of
07:12 the individual. Remember Article 18.2 that your privacy must not be interfered
07:19 with, must not be compromised. The privacy of your home, your property, your
07:23 correspondence, your communication. Nobody has a right to interfere with it
07:28 unless under the exceptions that I read to you. So which entity will provide
07:36 supervision and make sure that this protection given to us by law will
07:42 actually be upheld? That is the Data Protection Commission. So the law says
07:48 its job is to protect the privacy of the individual and personal data, personal
07:55 data by regulating the processing of personal information and to provide the
08:02 process to obtain, hold, use or disclose personal information. That is the Data
08:08 Protection Commission. They are to protect the privacy of the individual
08:14 and the personal data of the individual by regulating the processing of personal
08:22 information and provide the process to obtain, hold, use or disclose personal
08:30 information. So if someone wants to obtain, hold, use or disclose personal
08:42 information, information that belongs to you, information that belongs to someone
08:48 else, it's information perhaps you have given to the hospital because you have
08:54 been to that hospital for care and that hospital have been responsible for
09:00 taking care of you. So they are holding a folder of yours in which your health
09:06 information is contained. If that information, that data has to be obtained,
09:14 has to be held, has to be used or disclosed, what will be the process to
09:21 disclose it, to hold it, to obtain it or to use it? So there are means that have
09:29 been provided by the law that if they are breached, if they are violated in
09:34 that process, then the Data Commission, the Data Protection Commission is the
09:41 body that will come to your protection and ensure that whoever mishandled your
09:47 information, wrongfully disclosed your information, held your information in the
09:53 wrong way or wrongfully obtained your information, would be subject to the
09:59 needed punishment. That's what they are around to do. They are to implement and
10:08 monitor compliance with this particular law that we're speaking about. So we are
10:14 going to have the head of the institution share with us how they are
10:22 ensuring that you and I, our data, personal data is not compromised by
10:28 those who have taken our data and are holding them as holders of our data and
10:36 data subjects, how are they protecting our interests? We'll be right back in a
10:43 minute.
10:45 You're welcome back. I remember where I started from with you, Article 18, you
10:57 know, 2, about the protection of your privacy, talking about your data. The
11:04 Data Protection Commission set up to do so for you. The Executive Director of the
11:12 Data Protection Commission, Patricia Adusei-Poku, is right here in the studio.
11:18 Good afternoon and welcome to the law. Great. So the Commission is the entity,
11:27 authority, if you like, mandated to regulate the processing of personal data.
11:33 We are interested in knowing how, you know, the Commission has carried out this
11:39 mandate by far, because it's important. We live in a world where we are
11:43 virtually living on the virtual world and so our data is exposed to abuse and
11:51 violation. So how has the Commission carried out its mandate so far? So from
12:01 the beginning of our office, I'll say 2017, when I was appointed, my predecessor
12:06 had commenced the establishment of the office. So even though the law was
12:11 made in 2012, the office began its work in 2015.
12:17 2015 credits my predecessor who had established the office and commenced
12:23 inviting data controllers to come and register with the Commission. Madam
12:27 Falconer, right? Yes, she had commenced the invitation to data
12:33 controllers to come in and register and she had over a thousand twelve two
12:38 hundred on the books registering and had done many enforcement actions to
12:47 raise awareness of the existence of the law. So that far was good and we picked
12:52 up from there and my perspective on the subject is that data protection is a new
12:57 initiative on the global landscape. Many data controllers were not aware of how
13:03 it impacted their business, their business implications, the actions they
13:08 were meant to take. So we, my management, I mean the management of the
13:13 Data Protection Commission and the Board of Directors, suffered to do a lot on the
13:18 raising awareness front, bringing it to the fore, especially converting the legal
13:25 requirement into business speak for the business people to understand exactly
13:30 what action they were meant to take to be in compliance with the law. Our
13:38 focus is not, as is on the global landscape now, it's not so much on
13:43 compliance, compliance, compliance, but the new focus is on accountability, on data
13:48 controllers proactively wanting to do the right things so that they can
13:53 explain their efforts to the people, you and I, whose data they have collected to
13:58 do their work. So when you've kept saying data controllers, who are these? So data
14:02 control is a good question. Data controllers are, is anyone who on their
14:08 own or jointly with anyone decide to collect and process data. You might go
14:13 and ask me what is processing. And processing is any activity on the data
14:18 which includes creating, saving, sharing, distributing, viewing, having access to,
14:23 even having a login to a database and any activity including sharing, sending
14:31 of on the data, that's processing. I've mentioned passport office, hospitals, where else, who else is
14:37 qualified to be labeled as data controller? So the obvious ones are the
14:43 large public sector entities such as what you just said, the passport office,
14:46 immigration, births and deaths. They are naturally as part of their business
14:51 collecting our data every day. But in the Ghana under section 90 when it states
14:56 that the law binds the Republic, meaning that every office that has established
15:01 itself or even a club or association that exists that has one member or has
15:08 one employee is collecting data. All right. Because you have the person's
15:12 details. So some people say to our commission that we've just established
15:17 we are not collecting any data, we just exist. So far as you have yourself and
15:21 one employee, you have there. It only takes one. So literally every business, right,
15:26 literally every business is a data controller. That's right. Not only like
15:31 lawyers and which are the accountants. Hospitals, the momo man down the streets.
15:37 Someone mentioned in the last place I spoke the mobile phone repairer that
15:42 gets access to your phone every time you send it to repair. They are all data
15:46 controllers under the definition of a contract. Right. And so your mandate is to regulate the
15:54 processing of the personal data. And I just began to read a section of your
16:02 Act. That is section 17, privacy of the individual. And it says a person who
16:12 processes data, no that's not what I actually referred to earlier. I had read
16:18 this particular portion regarding your mandate. That's 2A.
16:27 Regarding your mandate, that's correct. Regarding your mandate. And it says that
16:31 you are to protect the privacy of the individual and personal data by
16:38 regulating the processing of personal information and to provide the process
16:45 to obtain, hold, use or disclose information. How do you do this? So we
16:51 have three spaces in which we do this. We regulate the technology we use. The
16:57 people who use the technology and the processes that we use in our groups.
17:01 There's technology, people and processes. That makes our scope clear for you. And
17:10 in addition to that, the Commission has stated to the Ghanaian public that we
17:14 have three Ts to help you remember even further. Three Ts by which you can hold
17:18 us accountable. Beyond technology, people and is it process? We said we made
17:25 it simple by saying we have three Ts by which you and I can hold the Commission
17:30 accountable. Which is we are focused on transparency, trust for
17:37 transformation. Transparency, trust for transformation. Because the
17:42 Ghana digitization agenda is looking to transform the nation. Our
17:47 contribution to the transformation of the economy is to enable
17:53 transparency through the principles of data protection. So every data controller,
17:57 if you aim to be transparent about what you do, you follow the principles, you
18:01 keep people informed, you publish information, you make information
18:06 accessible the appropriate way and then you build trust between yourself
18:12 and your customers. That's very essential. That's right. And then there's trust
18:15 between the institutions and us, the Commission. And all of that working
18:19 together will lead to the transformation that we are all looking for. So that's
18:23 the three Ts that we have been promoting since 2010. So in this day and age
18:28 where we are doing everything, you know, just by grabbing our phone and we can
18:34 buy, we can subscribe to all sorts of things, we can register and apply for
18:42 passports and that is where the country is going to through the digitalization,
18:48 digitization process. We need to trust that when we give our data, our personal
18:56 data, it will be protected. Those who do that for us is the Data Protection
19:03 Commission. And she's saying that they are running on transparency, trust for
19:10 transformation. Let's try and check them if they are actually doing that now. How
19:15 does the Commission make data subjects aware of their rights? We've spoken about
19:21 data controllers, those that we give our data to. We are the subjects, right? Yes.
19:26 How do you make us aware that these are rights that we can insist on? Okay, apart
19:31 from doing our free drop-in sessions which we do in the Commission's, we used
19:34 to do a lot of face-to-face pre-pandemic. Now it's webinars. Only last week I
19:40 signed off the webinars to be almost every morning in the Commission through
19:46 web links where you can just join and then hear on a data subject what are my
19:52 rights. I'm a data controller, what are my rights. We're doing these free
19:56 courses which will soon be published on our website and you have links everywhere
20:00 to push out to your friends and family and the office is preparing to do that.
20:04 That aside, what you and I are doing now is another channel. Me being on TV and
20:10 on radio, going on and on about transparency, trust, and transformation.
20:16 Remember we have engaged on this platform during COVID,
20:21 particularly at the time when they were going around cracking the whip on the
20:25 data controllers who were not complying with what they needed to do. We'll talk
20:30 about that soon. So the data subjects who are watching and listening to us now,
20:38 including myself, of course yourself, what are our basic rights that we need to
20:43 know? I have first read Article 18, Clause 2 to them, to everybody that
20:49 the privacy of your home, your property, your correspondence, your
20:55 communication is not supposed to be interfered with. What are the rights?
21:01 The very first right that you have is the right to be informed at the point of
21:05 collection, at the point where a form is shoved in front of you, sign here,
21:10 press here, especially when you're in hospital or at a school or you're about to
21:15 get on board to any service, especially in public sector, you can ask to
21:20 be informed properly about who, what, where, how, when of the data, meaning that who
21:27 will get access to the data, how long are they keeping the data, why are they
21:31 collecting so much data, beyond your name and your address, every single
21:35 attribute in what we call the data set, which is all the information that you
21:39 usually put on the form, should be justified. You have a right to ask to
21:44 know why this set of data is being taken from you, who is taking it, how
21:51 long it's going to be kept, who it might be disclosed to. Yes, all the
21:56 details about the information that is being collected, you have the right to be
22:01 informed about it, so that you, the individual, can begin to make a decision
22:06 as to whether you are happy about it or not, or you object, and then your other
22:10 rights come into play following that right to be informed. Alright, please, I'm
22:16 sure you're paying particular attention, because these are your basic rights and
22:21 you need to know them. We know that the data controllers will also have some
22:27 rights, but we'll get to their rights first, and you are interested because
22:31 you are a data controller. Almost all of you watching and listening now, somehow
22:35 you are in some office, you're working, you are controlling data. So, beyond this
22:41 first basic rights that you speak about, what are the other rights that data
22:47 subjects must know, are our rights that we must guard? So, data subjects, rights
22:55 to be informed, right to object, right to erasure, right to participate in how the
23:01 data is used, meaning that even after you've consented, you can also
23:06 have the additional right to give further authority for when institutions want to
23:13 do other things with the data beyond the original purpose. You have the right to,
23:20 so many rights. You said right to erasure. I've given you my information and I
23:28 want it erased, is that what you mean? That's right. And I can have a right to
23:31 erase? That's right, if you want your rights to the data to be
23:36 cleared from a system, you can ask for that to happen. Did you hear that? That's
23:43 really interesting, really interesting. We'll get to some more details about. You can
23:48 ask for amendment, right to rectification or amendment of the data, especially if
23:53 your name is spelled wrong, for example, you have a right to demand it to be
23:57 corrected. Great. Now, the data controllers, do they have any rights? They have duties.
24:07 Duties, not rights. Okay, what are some of their duties? So, of course, data
24:13 controllers also are data subjects when they go to use services, but if you
24:17 collect the data, you have duties under the law. The duty is for you to explain
24:23 the legitimate grounds. So, some data controllers, such as the public sector,
24:28 have some legal backing to collect data, but they need to, in addressing the right
24:34 to be informed, explain what the law says they should be doing. That's a duty for
24:38 them. They have the duty to also ensure they have consent before they
24:44 process the data. When they want to repurpose the data, meaning that you've
24:48 collected for one purpose, but now you want to use it for something else, you
24:52 need to go back to the data subject and get further consent. Or, if you
24:59 think it's a difficult thing for you to consult your data subject, if you have
25:04 millions or thousands, you can approach the Commission for clearance. And we are
25:08 working with our peer regulators in the, because about 74 regulators are
25:13 demanding data protection now as an eligibility criteria for the people
25:18 they serve. For example, the Bank of Ghana is insisting that banks come to us to get
25:23 clearance for projects that they want to do, new projects, or when they are
25:27 onboarding them. So, many regulators are doing this and sending data controllers
25:31 back to us for clearance on behalf of you, the Ghanaian public. So, what do you do?
25:35 You give them a certain certification? Yes, so we give them a letter to go back
25:40 to their main regulator to progress with what they want to do or to stop it.
25:46 And that is, we checking on your behalf that they have done the necessary risk
25:52 assessment, identified the risks in the project, mitigated the risks to our
25:58 satisfaction, and we stand in your stead to make sure that they are being
26:04 conscious, that we are the conscience of their projects, to make
26:09 sure that they are thinking through what your rights are, that the impact on the
26:13 individual, the risks to harm and distress is minimized, or that they
26:19 have considered the negative implications of the project or
26:26 whatever they're doing with the data, and we will sign it off or decline or ask
26:31 them to accept the risk, which means that they should buy the necessary insurance
26:35 that will give you your compensation when things go wrong. Thank you very much
26:39 and Patricia Adusei-Poku is the Executive Director of the Data Protection
26:44 Commission, helping us to understand what they do, particularly in how they protect
26:51 our data, our interests. Their name is Data Protection Commission. Now, I'm going
27:00 to run by you a few things that are relevant, very important from their
27:07 law, it's not their law, it's for all of us. These are the principles that are
27:13 supposed to be applied in dealing with people's data. So it says a person who
27:17 processes data as a data controller shall take into account the privacy of
27:24 the individual by applying the following principles. A) accountability, B) lawfulness
27:32 of processing, specification of purpose, compatibility of further processing with
27:39 purpose of collection, quality of information, openness, data security
27:45 safeguards and data subject participation. This is almost what you
27:52 have taken us through in this first phase. Accountability, lawfulness of the
27:58 processing, specification of the purpose. You say we are entitled to ask.
28:02 Yes. Good. Okay, then in processing personal data, they are to ensure that
28:14 the personal data is processed without infringing the privacy rights of the
28:19 data subject in a lawful manner and in a reasonable manner. A data controller or
28:27 processor shall in respect of foreign data subjects ensure that personal data
28:31 is processed in compliance with data protection legislation of the foreign
28:36 jurisdiction of that subject where personal data originating from that
28:40 jurisdiction is sent to this country for processing. How do you ensure that they
28:47 comply with section 18? Making sure that when they are processing the data, they
28:53 do not infringe our privacy rights of our data. They are acting in a lawful
29:00 manner and they are acting in a reasonable manner. How do you ensure that
29:04 that is done? So, in answering this question, I will look at one right that I
29:10 didn't express and one duty that is key. One of the rights is the rights from the
29:16 processing using automated processing technology. In this era of AI, there's a
29:24 lot of aggregation of data and automatic processing of personal data from
29:28 different, different databases. We have a right when we feel that the use of
29:33 advanced technologies such as AI is impacting us. That is a right. On the
29:39 side of the data controller, they have the duty when they want to repurpose
29:44 data and I know these days the repurposes is usually through data
29:48 analytics and going for advanced technology, AI, cloud use. All these are
29:54 not original purposes that we knew of when certain bits of our data was
29:59 collected, especially in large public sector institutions who have had our
30:03 data for since we were babies. Now, the data controllers have a duty to
30:08 proactively publish or inform you. You mentioned earlier that we have, we
30:14 can ask. We don't expect the data subject to have that burden of asking.
30:20 The onus is on the data controller to evidence to the Commission on request
30:26 how or what effort or what process they have used to inform you. So, when they
30:33 come on our radar, we don't ask their customers or the public, did you ask? We
30:38 ask them how they made, how they dealt with their right to be informed or how
30:45 they, what effort they put in to inform you. So, this is how we, both the rights
30:50 and the duties work together. We expect data controllers to proactively position
30:56 themselves to address your rights. So, that's how we do it. Okay, so I'm
31:02 going to come to, because we are dealing with that already, I'm going to come to
31:06 the question as to how, what is required for a data controller to be defined as
31:11 compliant, so that we all know the data controller we are dealing with, if they
31:18 are not compliant, then we'll be careful, then we'll be cautious. What is required?
31:23 If you have listened so far, she has given so much already about that, but
31:29 sections 19 and 20. 19 is about minimality. It says personal data may only
31:36 be processed if the purpose for which it is to be processed is necessary, relevant
31:42 and not excessive. What does that mean? So, the principle of minimality, data
31:48 minimization, is to make sure that even when you have, you have addressed your
31:55 duty to explain your legal basis, that all you have the consent of the
32:00 individual, you have already received the full data set, we expect you to
32:05 prove on request that you have used the minimum necessary to address the purpose.
32:11 So, if you collected our national ID, for example, just using that, because it's one
32:16 of the biggest data sets in the country. If you have that, and you want to serve us,
32:21 that you have used the minimum attributes in that data set in order to
32:27 serve us, without going into all the detail that we give you, because, because
32:32 it's there. We call that just in case collecting, collecting just in case you
32:36 might need it. You only collect what you need to address the purpose for which
32:41 you are. So, we expect, for example, the data controller of that database to
32:47 give you access to only what you need to be able to serve us, not the full data
32:51 set. I'm reading again section 20 to you, she has addressed all of this for our
32:57 benefit. A person shall not process personal data without the prior consent,
33:02 remember that one, it must be done with your consent, without the prior consent
33:07 of the data subject, unless the purpose for which the personal data is processed
33:13 is necessary for the purpose of a contract to which the data subject is a
33:17 party, authorized or required by law to protect the legitimate interest of the
33:22 data subject necessary for the proper performance of a statutory duty or
33:27 necessary to pursue the legitimate interest of the data controller or a
33:32 third party to whom the data is supplied. Unless otherwise provided by law, a data
33:38 subject may object, remember she spoke to that already, may object to the
33:44 processing of personal data. Where a data subject objects to the processing
33:49 of personal data, the person who processes the personal data shall stop
33:54 the processing of the personal data. Interesting, you are still here on the
34:00 law, this is your legal right, it is your health law and we are dealing with the
34:06 subject matter of data protection, obligations and sanctions. My guest is
34:12 Patricia Adusei-Poku who is the executive director of the Data Protection
34:17 Commission. We will be right back where she will now tell us who is complying so
34:25 that you and I are careful who we deal with. We'll be right back.
34:31 You're welcome back, this is the law, it's your legal right, it's your health law and
34:40 Patricia Adusei-Poku, executive director of the Data Protection Commission is
34:45 helping us to understand how exactly our rights are, how they are making sure
34:51 that our rights are being protected, the obligations of controllers and then as
34:57 you know we are discussing obligations and sanctions. We'll get to the
35:01 sanctions very shortly. So we are now at the point where we are looking at what
35:07 is required for a data controller to be defined as being compliant but before
35:12 that I had read a portion of the law that is in section 20 where I spoke
35:19 about where data is being taken for purposes of contract or legitimate
35:26 interest. What does this mean particularly for employees for example?
35:35 So you get a job and you sign your job contract and the sheer fact that
35:41 you've signed your contract is telling your employee that they can collect and
35:45 use your information in the HR department to have you as an employee.
35:49 That doesn't override your rights as a data subject. Institutions,
35:56 organizations that have employees also have a duty to their staff as a data
36:02 controller. So some will come to us and say that we are not collecting any data
36:06 so we don't register. Your staff are your data subjects too and they have the full
36:12 rights and support of the Data Protection Act and we have staff who
36:16 have come to us to speak on their behalf because their employers have simply
36:21 ignored their requests and that they when they've tried to assert themselves
36:25 under the law. So this is a good opportunity to tell all employers who
36:29 are data controllers as well that your employee database and the employees you
36:34 have constitute as a data subject to your organization and you must give them
36:40 the full obligation of the law. You cannot misuse the data they give you.
36:46 That's right. Okay so there will be sanctions if you do so we'll deal with
36:50 them. So who is compliant when we are talking about a data controller? So a
36:57 data controller will never at any point receive a letter or clearance from the
37:02 committee's commission to say you are compliant because there's never a
37:06 hundred percent compliance. Compliance is a continuous improvement situation. When
37:12 we talk about that as a matter it's at a point in time especially when there's
37:18 been a breach or there's a complaint against your company or there's a
37:22 problem with your technology we would then look at your state of compliance at
37:28 a point in time. So it's a rolling situation. If we use employees as I've
37:34 just mentioned as an example today you've trained all your staff they've
37:39 all understood the use of your technology then some leave, new staff
37:45 come on board they haven't yet been trained so then you can't claim to be
37:48 fully compliant in that state anymore. So you're continuously doing the
37:54 requirements of the Act to ensure that you are able to explain at a point in
38:00 time your state of accountability, your accountability to the public
38:04 will be explaining your efforts towards compliance at any point in time. This is
38:09 why we say there's no... So by this law every data controller by section 46(3)
38:20 is required to register with the Data Protection Commission. That's right. So
38:27 that I will get the assurance that the person, the controller who is dealing
38:31 with my data is under supervision to make sure that my data is not abused.
38:38 Yes, beyond section 46(3) there's section 97 that says that three weeks after the law
38:45 becomes, the law came into force if you already existed you had you had three
38:51 months to be compliant. If you are newly registered with the say the Registrar
38:57 General or you put yourself together as an association you have three weeks to
39:01 be compliant by registering. And the law came into effect on the 18th of May 2020.
39:08 That's right. Okay. So those who were in existence at that time have
39:15 defaulted over three or four times. If they have not registered. If they never
39:19 registered with the Commission because you should have registered in that 2015
39:23 and every two years renewed to date. Every two years that's according to
39:28 section 46... Section 50. Section 50. You need to renew. Okay, right. Okay, thank you
39:35 very much about that. I'm reading a section that is section is it 50? 50 says
39:45 that registration with the Commission shall be renewed every two years and
39:49 then I think sub 11 there says registration with the Commission does
39:53 not end there. Okay, you are required to appoint and train a data protection
40:00 supervisor to monitor compliance with the Act. Okay, so the fact that you have
40:09 registered is not enough. You are supposed to do certain things. To implement, to commence
40:14 the implementation of your internal privacy program. The privacy program
40:19 means that like I said in my previous statement that is a continuous
40:23 improvement action. Privacy management is not something you do once and
40:28 forget about it. It's part of the business system. So you need to run it
40:33 alongside your business as usual. What we do according to section 58 is certify
40:39 and qualify someone for you who will be responsible for implementing the program.
40:44 Who will have all the hand-holding they need from the Commission and be guided
40:49 by us to implement the requirements. That person will be our go-to person to
40:54 feedback information in terms of reporting the state of maturity etc.
40:58 or to tell us when that organization is failing. The ultimate decision maker of
41:05 the organization is to appoint a senior responsible person for risk. That
41:11 risk manager should work with our privacy supervisor, data protection
41:16 supervisor to ensure that the organization is continuously looking at
41:20 how their business as usual impacts the people they serve, their data subjects.
41:26 And 56 actually says if you fail to register you are committing an offense
41:36 that can lead you to be prosecuted. That's right. If you don't register. Yes.
41:42 And you could be looking to a fine of about 3,000 Ghana cedis or you could go
41:48 to jail for not more than two years or to both the fine and the imprisonment.
41:56 Many institutions in the country in the last month or so have already received
42:01 our section 56 letters. Oh I see. Yes. Right. So I was going to that
42:07 question about you know the notice that you have served about enforcement to the
42:14 public. What is warranting that? So we feel that after two, three, almost seven
42:22 years now educating the Ghanaian public and data controllers, hand-holding, we've
42:28 trained almost a thousand professionals for the ecosystem and placed them in the
42:32 large public sector and some private sector institutions to implement the
42:37 privacy program. We have done a lot of public awareness and roadshows and now
42:43 this year we are focusing on enforcing the law. Meaning that we are going to do
42:50 some spot checks and some visits and audits to check that those who are doing
42:57 the work are doing what they have registered with us to do. And those who
43:01 have totally ignored the law and defaulted are also brought on our radar
43:08 by, through prosecution and made to comply with the requirements of this act.
43:15 So like we said literally every business or entity is in data collection and will
43:25 be a controller. But of course there are exceptions. I think for people who do the
43:30 work on this kind of platform for journalism, taking data for the purposes
43:35 of journalism is exempt, correct? So it's good that you raised the martial
43:40 exemption because if you saw our publication we did say that even exempt,
43:44 even exempt institutions need to register with the Commission. What you'll
43:50 be doing there is telling us that you exist, this is the kinds of data you
43:54 collect, this is the kind of information that you use for journalism since you
43:58 use that as an example. And then you agree the circumstances in which we will
44:04 exempt you with us in advance because you know your business, you are the
44:08 subject matter expert in journalism, you know the circumstances that cause you
44:12 to look for data, you know what you use it for, you know why you collect it. So
44:16 you file that with us and we agree with you that when these situations arise and
44:21 you use the data in this manner you are exempt before you go ahead and do it.
44:25 Right, so I was asking what warrants the notice you have served and what does
44:32 that mean? What you know our data controllers to expect during this period?
44:39 I'm sure there are those who are already aware, they don't like the memory of what
44:43 happened the last, the previous year. So tell us. So we gave this notice because
44:48 we don't want like what happened last time that we just, our intention is not
44:52 to reach hands or to just show up in your office, to give you the opportunity
44:59 to get online, it's an online process and register yourself. Okay. And to get as
45:04 many of you on our registration, register as possible. But what this notice goes on
45:13 to explain is that those institutions that decide that they are exempt, they
45:18 are not exempt from complying with the requirements of this notice. That's right.
45:22 They also need to come and make themselves known, otherwise any Tom, Dick
45:25 and Harry can decide they are exempt and then start applying the law, collecting
45:30 data and think that they are exempt. You need to get us to agree with you. When the
45:34 Commission agrees with you that you fall within this sector, you fall within the
45:37 category that can be exempt, yes we agree that the data you collect is for, for
45:42 example journalism and so yes you can be exempt when you're doing journalism. But
45:47 what about your staff? What about the staff that is employed in the media
45:51 house? Don't they have rights? So far as the staff and your HR business is
45:57 concerned, their rights still exist and your duties still exist. But when
46:01 they are doing journalism, we can agree that in those circumstances. So it's a period you
46:06 have opened. Yes. What is the timeline? What are the expectations from who and
46:12 what is likely to happen to defaulters? We believe that the trigger time is the
46:18 most important time to notice, notify you, which we have done from 14th August
46:22 onwards. Until when we feel that we have done enough of that, that people are
46:29 proactively registering and that sensitization has been effective, then we
46:36 can come, come back to normal working with data controller. But until then we
46:44 will be doing these spot checks and we will actually scale up the work to the
46:49 rest of the nation, not just in Accra. We are working nationwide to do these spot
46:55 checks. And what do you normally do to defaulting entities? So currently in this
47:02 act we have to prosecute before we can apply sanctions. So whilst we are using
47:06 the current, the act in its current state, we will prosecute and then the court
47:12 will apply the sanction. Very soon, as we're working with this, we're also working
47:16 on amending the act so that we are aligned with what is happening on the
47:20 international landscape where the data protection commissions are empowered to
47:23 sanction directly. Administrative fines. Administrative fines and ask you to pay.
47:29 In the global landscape the standard is 2 to 4 percent of your gross annual
47:35 turnover worldwide. So we are able to take up to 4 percent of your annual
47:40 worldwide turnover, which for some institutions is quite a sum of money.
47:44 Which is what we'll be looking for Ghana to also apply. Many of my peer regulators
47:50 across the African region, I happen to be the president of the commissioners in
47:55 the African region. And I'm leading this effort. I know many of the West
47:59 African countries and other regional are going to amend to ensure that in the
48:04 African region we are applying the internationally accepted 2 to 4 percent
48:08 sanction directly from the commission. So this registration you spoke about
48:13 initially having had, is it a thousand two hundred, you know, persons, data
48:20 controllers on your register. Is that the number you still have? No, it's grown
48:25 significantly but it's still not enough in terms of percentages. We are less than
48:31 57 percent of the active taxpaying institution. When we talk about
48:36 actual established institutions that pay taxes to GRA, we are less than 10
48:41 percent of that number. So it's still very low. Because you are not cracking the whip. So here we go, we are
48:47 trying to crack the whip now. And we will set examples in some of these larger situations.
48:51 And how are you making it easier for them to register? Our system has been easy from the beginning.
48:56 It's a web-based application. You don't have to come to our office. You go online
49:01 www.dataprotection.org.ch and click register. Fill the form and our
49:08 officers pick up the details, review it, give you a contact you and then before
49:14 you know you're picking up your license. How much does it cost? It depends on the
49:18 size of your organization and the form that you complete automatically weights
49:22 your application and to categorize you as a large institution, medium or
49:28 small institution. Large institutions pay 1800 for two years. Medium-sized
49:35 institutions are paying 900 for two years. Small institutions are paying 120 for
49:41 two years. And this is the parliamentary cleared fees and charges for the Commission.
49:45 So we should be doing this, shouldn't we? And we the data subjects, when we feel
49:51 that somebody is breaching our data, violating our personal data, how can we
49:56 reach you? What do we do? Use all possible channels. Our social media handles are
50:02 open. Info ads by email to Data Protection Commission. We have many hotlines
50:08 published on our website and in the public notice that's going in the
50:12 newspapers. You can walk in and do a face-to-face personal complaint. You can
50:18 write to us. The Data Protection Commission on Popol Street is legal.
50:23 Or by our postal address which is also visible on our website. And just
50:29 share the information with us and we'll take action straight away. Thank you very
50:33 much. Patricia Adusei-Poku is the Executive Director of the Data Protection
50:39 Commission. She's been helping us understand our rights as data subjects
50:43 and obligations as well, particularly also of the data controllers and the
50:49 sanctions that apply when they do breach them. So your very last word in a minute
50:57 then we are done for today. Thank you very much for coming.
51:03 Yes, I thought you're going to look in the camera and say comply or we'll deal with you.
51:08 I would like to take this opportunity to wish my corporate affairs manager
51:14 Ana Maria Bismark a very happy birthday today. Happy birthday to you Ana Maria.
51:21 All right, thank you very much. I'm Samson Ladi-Anyanini.