The issue of data protection is critical in this era of mass data breaches, especially given the ubiquitous nature of technological advancement. How do credit bureaus, health facilities, financial institutions, hospitality industries, educational institutions, insurance companies, legal firms, telecommunication companies, government institutions, professional services firms, professional bodies etc., use, protect and dispose of our sensitive personal data (SPD)? Are there enough stringent measures to ensure they provide optimum security and privacy for our data? Any entity that handles SPD has the responsibility to use it fairly, legally and only for the intended purpose, taking into cognisance the privacy and security of the data.
Data protection helps to shield SPD from disclosure or misuse. Personal data in this context includes date of birth, home address, email address, phone number, financial information, gender, religion, political affiliations, ethnic identity, medical information, educational records, passport details, Social Security details, employment records, marital status etc.
A data breach occurs when SPD is transmitted, viewed or used by an unauthorized entity. There have been several mass data breaches globally in recent times. In 2017, Equifax’s data breach affected about 143 million consumer records, whilst the Paradise Papers revealed 13.4 million confidential electronic documents relating to offshore investments of over 120,000 prominent individuals and organizations. In 2018, we witnessed the revelation of the Facebook–Cambridge Analytica data scandal, which involved the collection of personal data of about 87 million Facebook users for political gains, whilst the Saks Fifth Avenue / Lord & Taylor data breach witnessed the compromise of about 5 million credit card holders’ data in stores in North America.
In Ghana, we do hear of leakage of medical records, financial records and other sensitive data of people. We almost always receive unsolicited emails, text messages and phone calls from entities we have never shared our data with. Why do you think these happen? It is because someone is either not providing enough security for our data or trading our data for financial or other gains other than the intended purpose for which the data was obtained.
The Data Protection Commission
It has become a common practice for countries to establish bodies to protect personal data from unauthorized disclosure. In Ghana, the Data Protection Commission (DPC) was established under the Data Protection Act (DPA), 2012 (Act 843) with the objective of protecting the privacy of personal data by regulating the processing of personal data, and providing the process to obtain, hold, use or disclose personal information. The Act makes it mandatory for all entities who collect, keep and use personal data in computer systems or in manual files to register with the DPC.
One of the functions of the DPC, as stipulated in section 3 of the DPA, 2012, is: “The Commission shall (a) implement and monitor compliance with the provisions of this Act”. The DPC has not been able to carry out its functions fully. There is no appropriate monitoring system to ensure compliance by Data Controllers and Data Processors (DC/DP). It has rather misconstrued or “misconfigured” its function to mainly keeping and maintaining the Data Protection Register by registering DC/DP. My interview with a few entities who have registered with DPC confirms this fact. Once the DC/DP get registered, nothing happens between them and the DPC; there is not even a visit or any mechanism to check whether they are working per the provisions of the Act or otherwise. Data Subjects (individuals whose personal data are collected) are left at the mercy of DC/DP.
The Way Forward
Although a legal requirement, the DPC and DPA, 2012 should not be seen as the only body or framework to ensure privacy of our personal data. There are international best practices and standards to ensure the privacy of the same. For instance, the ISO 27001 standard describes best practices to ensure privacy of personal data. It looks at all legislation and regulatory requirements applicable to the organisation. Control A.18.1.4 of the standard guides organizations through the implementation of data policy and protection of sensitive personal information. The standard offers a set of policies, procedures, technical and physical controls to protect the privacy, availability and integrity of information in all forms (electronic or hard copy).
The DPC must conscientiously implement and monitor compliance with the DPA, 2012. If under-resourced, the commission should be adequately equipped to undertake its functions to safeguard data subjects. Since the majority of data breaches are due to poor information security practices, the commission should encourage organizations to get ISO 27001 certified, just as the Bank of Ghana has enjoined all financial institutions and payment systems operators to obtain ISO 27001 certification.
Individuals should ensure that they deal with trustworthy organizations. Since ISO 27001 certification ensures that an entity is independently audited by experts to prove that their data are secure and meet local and global security laws, dealing with an ISO 27001 certified organization provides you with the assurance that your SPD are in safe hands, devoid of breaches.
Author: Sheriff Issah – Consultant, Digital Jewels Ltd, and Member: Institute of ICT Professionals, Ghana.
For comments, contact author sherrifi@digitaljewels.net