Five business operators within the Greater Accra Region have been picked up by officers of the Ghana Police Service for failing to comply with the Data Protection Act 843 in a second round of enforcement action by the Data Protection Commission.
The five were picked up from Careflight Clinic, Morning Star School, Kab-fam Ghana, Embassy Gardens, and Grace Homeopathic Clinic, all in Accra.
Careflight Clinic was charged with failing to appoint a data protection supervisor as stipulated under Section 58 of the Data Protection Act. They also had no data protection license to show accountability to clients and data subjects, which was in breach of Section 17 of the Act.
Embassy Gardens was also charged with operating without a data protection license, a breach of sections 17 and 56 of the Act. They also ignored formal notices from the Commission to register, breaching Section 80 of the Act.
At Morning Star School, it came to light that they were operating without a data protection license, breaching sections 17 and 56 of the Act. They also ignored formal notices to register, breaching Section 80 of the Act.
Despite the fact that they had registered with the commission, Kab-fam Ghana had failed to comply with Section 58 of the Act and was found to be in breach of Section 82 of the Act as well.
Grace Homeopathic Clinic had also not registered with the commission and failed to demonstrate accountability, breaching Section 17 of the Act.
The Data Protection Act 2012 (Act 843) outlines what constitutes lawful processing, exempt processing, the scope and duties of data controllers and processors, the functions of the Data Protection Commission, and data subjects' rights.
Speaking to the media, Mr. Quinton Akrobeto, Director of Regulatory and Compliance at the DPC, said that companies that received and processed personal data of individuals were mandated to register with the commission. He, however, emphasised that it was not enough to register with the commission, but that companies were expected to bring their processes under their radar for supervision.
“Some are breaching Section 82, which prohibits conditional requests of personal data for other business purposes,” he said, adding that the exercise would be done monthly and would expand to cover registrations, renewals, and addressing complaints from data subjects.
He disclosed that in August 2023, five people who were picked up in the first round of the enforcement exercise had been processed, and their case was before the Attorney General’s office awaiting prosecution. Those who had also been picked up would be processed, and the necessary sanctions would be applied.
“Failure to comply with the provisions of the Act is criminal, which makes you liable for prosecution. So do the needful now before the law catches up with you,” he said.
Mr Akrobotu noted that the commission had created avenues to educate the public about data protection such as free webinars to improve compliance.