The Data Protection Commission (DPC) has, in line with its mandate to ensure that companies in Ghana that process the personal data of individuals are compliant with the Data Protection Act (Act 843), begun picking up non-compliant data controllers (companies that receive personal data of individuals) with the assistance of the Ghana Police Service.
This ongoing process comes after the Commission had served about 250 companies with notices of their breaches and given them a window of opportunity to make amends but had failed to do so.
The Commission picked up staff from Marwako Fast Food, Hisense Group, Quick Credit and Investment Limited, Agyaben Akrasi and Co as well as Bemuah Royal Hospital, all in Accra, as a result of various Data Protection breaches for questioning and further sanctioning arrangements.
Hisense Group was charged with breaching section 46, that is processing personal data without registering with the DPC, and breach of section 82 of the Act. (Marwako) Fast Food on the other hand, was being investigated for breach of privacy of a Data Subject as well as breach of Section 80 and 17 of the Data Protection Act.
Quick Credit and Investment Limited was also charged with publicly naming and shaming their clients by broadcasting their data which was a breach of Section 17 and 80 of the Act as well as a complaint of breach of privacy by a data subject.
Agyabeng Akrasi and Co and Bemuah Royal Hospital were both charged with breach of Sections 80 and 56 of the Data Protection Act.
The Data Protection Act 2012 (Act 843) outlines what constitutes lawful processing, exempt processing, the scope and duties of data controllers, data processors, functions of the Data Protection Commission, and data subjects' rights.
Speaking to the Media, Mr. Quinton Akrobeto, Director of Regulatory and Compliance at the DPC said that they aimed to bring to book data controllers who had been contacted over a period to register and be compliant with their processing of personal data but had refused to do so.
This action, he said, would ensure that data controllers implemented necessary and appropriate measures to protect the data they collected from individuals.
He noted that the subjects after police investigations would be processed for court and the necessary sanctions applied.
Ms Patricia Adusei-Poku, Executive Director at the DPC said that the spot checks were to ascertain why data controllers had not taken their obligation seriously, verify that they were truly compliant, and also pick up defaulters for processing. “We are not just here to register data controllers and keep the register for filing, we are also here to check and validate the information that they receive”, she said.
She also noted that the Commission had trained over 1000 data controllers on processing the personal data of their subjects. She cautioned defaulters saying, ”Come to us and do the needful to avoid the loss of reputation”.