It was a quarter to the hour of eight when I got home with weary and tired legs, surely I was famished and it was kenkey from my favorite vendor, hot pepper and fried eggs on the menu; just when I stuck my thumb into the kenkey Ga-man-style, a notification came through my phone and honestly I thought it’s payment hitting the account (man is hot); but no, it wasn’t in fact it was just a news item, citinewsroom.com has reported a story captioned “Communications Ministry fights BoG over mobile money data” well I chuckled, in my mind I retorted -what’s wrong with my “Ghana people“ again?
I continued with the supper whilst I read the article in full, it caught my eye because it does contain a subject am passionate about, yes! data protection it is, the article stated in part “The Communications Ministry in a series of letters had asked the Bank of Ghana to release the data to a private contractor, Kelni GVG, which has been tasked to verify the amount of revenue generated by telcos.
The Ministry specifically requested for disclosure of customer balances, transaction amounts, date and time of the transactions.
However, the Bank of Ghana declined to grant the Communication Ministry’s request, arguing in a letter signed by its Secretary, Frances Van-Hein that disclosing such an information will breach the guidelines of Electronic Money Issuers and Data Protection Act.”
So without wasting much time I decide to make a point or two after the food settles my unintended self-imposed fasting. So here we go, it is true that per section 91 of the Data Protection Act 2012, Act 843, the three (3) organs of State are bound by the provisions of the Act, more so when it comes to disclosure. Let just say quickly before I proceed that this is not meant to be a comprehensive lecture on data protection, on the contrary its just a brief touching on key issue I gathered, which is the outright rejection to disclose.
As a practitioner, I will proceed to ask why the data is needed in the first place. Regulatory activities or? Well let me just presume and move on, having said that, section 63 of Act 843 should suffice for regulatory activities in so long as the reason fall under the exemptions provided, let’s assume again that it is for taxation or related purposes, then Section 61(1)(c) of Act 843 further allows for exemption for the purposes of the assessment or collection of a tax or duty or of an imposition of a similar nature.
Generally, and as a rule of principle, the provisions of the law do not apply to data in so long as the data subjects cannot be identified from the set of attributes, which calls for anonymization or pseudo-anonymization. Well primarily once you properly anonymized data, then data subjects behind the attributes cannot be identified and that means the issues of privacy do not arise. This also means the systems disclosing and receiving the information respectively should envisage this in their technology; either as an added functionality or in-built with something called “privacy-by-design”, but then like I keep saying in various forums; if we build systems that are not resilient to the inherent risk and how to manage same; then due diligence can be construed as negligible if not nonexistent. As I doze off now, and hoping am not missing the point, the exemptions under Act 843 are not blank cheques, it is exemption to disclose the information therefore all other principles under the law applies with full-force, i.e. accountability, lawfulness of processing, specification of purpose, compatibility with further processing, quality of the data, openness, security safeguards and data subject participation.
The provisions of the Act 843 will override the Electronic Money Issuers (2015) Guidelines to the extent that the latter is a substantive law. It can also be a matter of regulator-to-regulator mutual understanding and of course measures of alternative effect under the context of the laws to create a controller-controller or controller-processor relationship and capture the lawful terms of use in a data transfer or exchange agreement as envisioned under the Act 843.
If the truce won’t work, well I will just sleep soundly by recommending that under section 66, of Act 843 one can coerce the other with a court order to do the needful; but rightly so with lawful justification lest the court throws you out for want of lawful justification.
As the night settles into its late hours may we be reminded that data protection however is a fundamental human right, it’s regulations governing data processing is not an outright show-stopper but a business enabler with the potential of appreciating the currency of the digital consumer; this currency is “trust” and therefore further providing competitive business edge, and in as much as one party as a regulator has the right of refusal over the other it is also the case that this refusal cannot be absolute in the face of lawfully justified exemptions. Let the parties re-look their positions.
Permit me to leave you with some thoughts:
“Privacy – like eating and breathing – is one of life’s basic requirements.” ― Katherine Neville
Desmond Israel
Lead Consultant @ Information Security Architect