Register by May ending or face prosecution: Data Protection Commission directs controllers
The Data Protection Commission has given officials of institutions responsible for processing personal information (data controllers) of the public up to May 31, 2016 to register with the commission or face prosecution.
Advertisement
“We wish also to emphasise that the commission would not hesitate to prosecute any organisation or person who fails to comply with the provisions of the Act,” the commission said in a statement.
Who must register
The category of organisations and individuals being referred to as data controllers includes the Judiciary, Parliament, ministries, departments and agencies and the security services.
Others are financial institutions, telecommunications companies, educational institutions, the Ghana Education Service (GES), the West African Examinations Council (WAEC), health institutions, private professional practitioners, religious organisations, corporate and civil society organisations.
The commission commenced the registration of data controllers on May 1, 2015. During the period of the registration, notices were published in the Daily Graphic on Wednesday, July 15, 2015, Wednesday, July 22, 2015 and Wednesday August 5, 2015.
The publications informed potential data controllers of their obligation to register with the commission. In the said publications, it was stated that an institution or individual existing prior to commencement of Act 843 had three months to comply with the requirement to register.
Date extended
The three-month period, however, expired on July 31, 2015 and was subsequently extended by another three months on the request of Data Controllers.
But many institutions the commission expected to comply with the directive had failed to do so.
Other Trending Stories
“Regrettably, many organisations which exercise functions as data controllers have failed to comply with this directive. Consequently, these organisations and individuals are not only breaching the law by failing to register with the DPC, the sole regulator of data protection, but also in many cases fail to adhere to the provisions of the act,” the statement said.
It noted with grave concern the apathy and failure by many who process personal information to register with the commission, in accordance with Section 27 (1) of the Data Protection Act, 2012 (Act 843), which states: “A data controller who intends to process personal data shall register with the commission.”
Who is a data controller
The act defines a “data controller” as “a person who, either alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed”.
Penalties
Section 56 of the act states: “A person who fails to register as a data controller but processes personal data commits an offence and is liable to summary conviction to a fine of not more than 250 penalty units or a term of imprisonment of not more than two years or both.”
Registration is available online on the commission’s website: www.dataprotection.org.gh
“It is our expectation that individuals and organisations concerned, would, as a matter of urgency and with priority, respond favourably and promptly to the notice, as we seek to establish cordial, effective and sustainable working relations with all our stakeholders, particularly data controllers,” the statement said.