
The privacy tussle; can there be a win-win?



It was a quarter to the hour of eight when I got home with weary and tired legs; surely I was famished, and it was kenkey from my favorite vendor, hot pepper and fried eggs on the menu. Just when I stuck my thumb into the kenkey Ga-man-style, a notification came through on my phone, and honestly I thought it was a payment hitting the account (man is hot); but no, it wasn’t. In fact it was just a news item: citinewsroom.com had reported a story captioned “Communications Ministry fights BoG over mobile money data”. Well, I chuckled, and in my mind I retorted: what’s wrong with my “Ghana people” again?

I continued with the supper whilst I read the article in full. It caught my eye because it touches on a subject I am passionate about, yes! data protection it is. The article stated in part: “The Communications Ministry in a series of letters had asked the Bank of Ghana to release the data to a private contractor, Kelni GVG, which has been tasked to verify the amount of revenue generated by telcos.

The Ministry specifically requested for disclosure of customer balances, transaction amounts, date and time of the transactions.

However, the Bank of Ghana declined to grant the Communication Ministry’s request, arguing in a letter signed by its Secretary, Frances Van-Hein, that disclosing such information will breach the guidelines of Electronic Money Issuers and the Data Protection Act.”

So without wasting much time I decided to make a point or two after the food settled my unintended self-imposed fasting. So here we go: it is true that per section 91 of the Data Protection Act 2012, Act 843, the three (3) organs of State are bound by the provisions of the Act, more so when it comes to disclosure. Let me just say quickly before I proceed that this is not meant to be a comprehensive lecture on data protection; on the contrary, it is just a brief note touching on the key issue I gathered, which is the outright refusal to disclose.

As a practitioner, I will proceed to ask why the data is needed in the first place. Regulatory activities, or? Well, let me just presume and move on. Having said that, section 63 of Act 843 should suffice for regulatory activities so long as the reason falls under the exemptions provided; let’s assume again that it is for taxation or related purposes, then section 61(1)(c) of Act 843 further allows an exemption for the purposes of the assessment or collection of a tax or duty or of an imposition of a similar nature.

Generally, and as a rule of principle, the provisions of the law do not apply to data so long as the data subjects cannot be identified from the set of attributes, which calls for anonymization or pseudonymization. Once data is properly anonymized, the data subjects behind the attributes cannot be identified, and that means the issues of privacy do not arise. This also means the systems disclosing and receiving the information respectively should envisage this in their technology, either as an added functionality or built in with something called “privacy-by-design”; but then, like I keep saying in various forums, if we build systems that are not resilient to the inherent risk and do not address how to manage it, then due diligence can be construed as negligible if not nonexistent. As I doze off now, and hoping I am not missing the point: the exemptions under Act 843 are not blank cheques. They are exemptions permitting disclosure of the information, therefore all the other principles under the law apply with full force, i.e. accountability, lawfulness of processing, specification of purpose, compatibility with further processing, quality of the data, openness, security safeguards and data subject participation.
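To make the privacy-by-design point concrete, here is an added example (my own illustration, not code from the article or from any of the parties named in it) of how a disclosing system could hand a revenue verifier what it needs for the stated purpose without handing over the data subjects. The records, telco names, amounts and key are all constructed; the verifier is assumed to need per-telco fee revenue and per-wallet transaction counts, nothing more. Direct identifiers are replaced with a keyed HMAC token whose key stays with the issuer, attributes outside the purpose (the customer balance) are dropped, and timestamps are coarsened to the day.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample of what an electronic money issuer might hold (hypothetical
# records and numbers; amounts are in pesewas so the totals are exact integers).
RAW_RECORDS = [
    {"msisdn": "233240000001", "telco": "TelcoA", "balance": 12050, "amount": 1500, "fee": 15, "ts": "2018-03-01T08:15:00"},
    {"msisdn": "233240000001", "telco": "TelcoA", "balance": 10550, "amount": 5000, "fee": 50, "ts": "2018-03-01T19:40:00"},
    {"msisdn": "233550000002", "telco": "TelcoB", "balance": 800,   "amount": 2000, "fee": 20, "ts": "2018-03-02T10:05:00"},
    {"msisdn": "233200000003", "telco": "TelcoA", "balance": 43000, "amount": 800,  "fee": 8,  "ts": "2018-03-02T12:00:00"},
]

# Attributes that identify a person directly and must never leave the issuer.
DIRECT_IDENTIFIERS = ("msisdn",)
# Attributes the revenue check does not need; purpose specification says drop them.
NOT_NEEDED_FOR_PURPOSE = ("balance",)


def subject_token(msisdn, key):
    """Keyed, deterministic pseudonym: the same subject gets the same token, so the
    recipient can still count transactions per wallet, but without the key (which
    stays with the issuer) the token cannot be turned back into a phone number."""
    return hmac.new(key, msisdn.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize_record(record, key):
    """Keep only the fields the stated purpose needs, in a reduced form."""
    return {
        "subject_token": subject_token(record["msisdn"], key),
        "telco": record["telco"],
        "amount": record["amount"],
        "fee": record["fee"],
        # Coarsen the timestamp to the day: exact seconds make re-identification easier.
        "day": record["ts"][:10],
    }


def pseudonymize(records, key):
    return [pseudonymize_record(r, key) for r in records]


def leaks_identifiers(records):
    """True if any record still carries a direct identifier or an out-of-purpose attribute."""
    banned = set(DIRECT_IDENTIFIERS) | set(NOT_NEEDED_FOR_PURPOSE)
    return any(banned & set(r) for r in records)


def revenue_by_telco(records):
    """What the verifier actually needs: fee revenue per telco, in pesewas."""
    totals = defaultdict(int)
    for r in records:
        totals[r["telco"]] += r["fee"]
    return dict(totals)


def transactions_per_subject(records):
    """Per-wallet activity is still countable because the token is deterministic."""
    counts = defaultdict(int)
    for r in records:
        counts[r["subject_token"]] += 1
    return dict(counts)


if __name__ == "__main__":
    key = b"constructed-demo-key-held-by-the-issuer"  # in practice from a key store, never shared
    shared = pseudonymize(RAW_RECORDS, key)
    assert not leaks_identifiers(shared)
    print(revenue_by_telco(shared))        # {'TelcoA': 73, 'TelcoB': 20}
    print(transactions_per_subject(shared))
```

Two caveats a practitioner should keep in view. First, this is pseudonymization, not anonymization: the issuer, holding the key, can still re-identify a token, so from the issuer's side the data remains personal data and the principles listed above continue to apply; the recipient is only as blind as the key management is sound. Second, even without identifiers, a small set of unusual amounts and days can single out a person, so the disclosing side should also check the released set for such outliers before it leaves the building.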

The provisions of Act 843 override the Electronic Money Issuers (2015) Guidelines to the extent that the Act is substantive law and the Guidelines are not. It can also be a matter of regulator-to-regulator mutual understanding and, of course, of measures of alternative effect under the context of the laws to create a controller-controller or controller-processor relationship and capture the lawful terms of use in a data transfer or exchange agreement as envisioned under Act 843.

If the truce won’t work, well, I will just sleep soundly by recommending that under section 66 of Act 843 one can compel the other with a court order to do the needful; but rightly so with lawful justification, lest the court throw you out for want of lawful justification.

As the night settles into its late hours, may we be reminded that data protection is a fundamental human right; its regulations governing data processing are not an outright show-stopper but a business enabler with the potential of appreciating the currency of the digital consumer. This currency is “trust”, and it provides a competitive business edge. And in as much as one party, as a regulator, has the right of refusal over the other, it is also the case that this refusal cannot be absolute in the face of lawfully justified exemptions. Let the parties re-look their positions.

Permit me to leave you with some thoughts:

“Privacy – like eating and breathing – is one of life’s basic requirements.” ― Katherine Neville

Desmond Israel

Lead Consultant @ Information Security Architect


The EU-GDPR and its Impact on the Ghanaian Businesses



Image courtesy ico.org.uk

GDPR data protection legislation comes into effect in the fifth month of this year; it is set to regulate the collection and use of personal information on people living in the 28 countries that make up the European Union.

This EU privacy legislation is a global law regarding data protection, as it covers any organization that has data on individuals living in the EU. In January last year the consultancy firm PwC issued a press release stating that 92% of companies in the United States said complying with GDPR is their top data protection priority; this is enough proof that the GDPR is set to impact global business.

In the GDPR, the organization that defines what and how data is collected is called the Data Controller, this is no different from what is provided for under the Data Protection Act 2012, Act 843 of Ghana.

Data Controllers are ultimately responsible for all data protection, no matter where the data travels and who else accesses it. The Data Controller must therefore ensure that all subcontractors, outsourcers and cloud service providers have the necessary processes, procedures, technologies and have trained their teams to ensure data is controlled.

The GDPR has 99 articles and covers many forms of data risk. Being compliant takes a mix of knowledge, processes, policies and training, as well as data tracking, controlling, and user and device management, all coming from a “privacy first” IT philosophy.

It is noteworthy to reiterate that no technology on its own can deliver compliance as GDPR requires a whole-company approach including policies, procedures, training, legal agreements with partner companies and should be led by governance, risk and compliance groups.

Notwithstanding that it is, for all intents and purposes, a European statute, the new General Data Protection Regulation (GDPR), which is applicable come May 25th of this year, is expected to have considerable impact in African countries, as its span will also cover many data controllers and processors established outside of the European Union, namely all those who process data of individuals located within the EU as part of the selling of goods and services to such individuals.

Those, which especially include e-commerce websites or targeted advertising providers and/or their Africa-based processors, will be directly subject to the new provisions under the GDPR.

The free flow of data between European and African countries will therefore be conditional upon proactive lawmaking and good practices in the latter, oriented towards the offering of an “adequate level” of data protection – that is, a level equivalent to the one set by GDPR.

On July 6, 2017 the International Association of Privacy Professionals stated on its website that:

Bird & Bird reports on the state of data protection in Africa less than a year before the EU General Data Protection Regulation goes into effect. Some African countries are ahead of the curve in terms of having sufficient data protection authorities in place, with Morocco standing out, having requested an adequacy recognition decision from the European Commission in 2009. 

Other countries in Africa lack comprehensive GDPR-compliant data protection legislation or have no legislation in place at all. Legal frameworks in Cameroon, Rwanda and Congo only focus on certain aspects of electronic communication data, leaving them far short of European data protection authorities’ expectations and little chance of receiving adequacy status, the report states.

It has been further noted that Morocco had made efforts to integrate into the EU Data Protection framework by requesting this adequacy recognition from the EU, which is basically a mutual recognition procedure set up in order to speed up the EU procedure of recognition for data protection authorities.

Bird & Bird LLP captured this position in a publication by Merav Griguer on 5 July 2017 titled “Data protection in Africa: where do we stand one year before GDPR”, as follows:

Morocco is remarkable for having requested an adequacy recognition decision from the European Commission, as early as 2009. This request is still pending to this day, mostly due to the simultaneous changing of the European framework; Moroccan officials have yet reaffirmed their will to reach compliance as soon as possible.

The [Moroccan case however sheds light on the European Commission’s rationale for the scrutiny of adequacy recognition applications, and thus might serve as an example] for other concerned countries: adequacy, in the views of the Commission, is primarily a matter of effectiveness; African data protection authorities should therefore be provided with the necessary means to enforce relevant legal provisions, so that compliance be thoroughly ensured by companies and public bodies under their jurisdiction. [Emphasis added]

The view expressed here is that such adequacy recognition will be highly successful where the country seeking the recognition has equivalent high-standard domestic provisions, which might very well be the best incentive to ensure compliance with the new GDPR regulation. Ghana finds itself in a better position, as its laws are comprehensive and world-class enough to meet GDPR requirements where need be.

However, the laws per se do not provide compliance, and there is presently a mistaken belief that the Data Protection Act 2012, Act 843 by itself protects personal data. This is erroneous to the extent that Act 843 only guarantees the rights of data subjects and sets obligations for the data controller and/or processor.

The protection of the information is vested in the implementation of the 8 data protection principles embedded in the law, coupled with the regulator’s enforcement role, which without any shred of doubt includes awareness and training on the requirements of the law.

These principles include accountability, lawfulness of processing, specification of purpose, compatibility of further processing with purpose of collection, quality of information, openness, data security safeguards and data subject participation.

The GDPR however requires a more practical approach to these principles and one can say it’s more granular in its requirements, for example extracts from the legal text of the GDPR provides as follows;

  • Article 5: stipulates principles relating to processing of personal data, where the GDPR requires that the controller shall be able to demonstrate compliance.

  • Article 24: stipulates responsibility of the Controller, and requires that the controller shall implement appropriate technical … measures to ensure and demonstrate that the processing of data is performed in accordance with GDPR.

  • Article 25: stipulates data protection by design and default, requiring … implementation of appropriate technical measures and … necessary safeguards into the processing.

  • Article 28: stipulates obligations of a Processor; GDPR requires that the controller shall use only processors providing sufficient guarantees … of this regulation.

  • Article 30: stipulates records of processing activities and provides that each controller … shall maintain a record of processing activities; provides for transfers of data to a third country or international organisation … identify that organization; and provides that there should be a general description of the technical measures [deployed].

  • Article 32: stipulates security of processing, which includes: shall implement appropriate measures … confidentiality, integrity, resilience … and appropriate level of security … [against] … accidental destruction, loss, alteration, unauthorised disclosure of or access to personal data.

  • Article 33: stipulates notification of a data breach to the authority and provides that the controller shall … not later than 72 hours … notify the … authority; provides that the notification describe the nature of the breach … numbers concerned … consequences; and provides that measures taken to address the breach … mitigate the breach be stated.

  • Article 34: stipulates communication of a breach … to the data subject and states that the controller shall communicate the data breach to the subject without delay; and states that this shall not be required if … data is unintelligible … such as through encryption.

  • Article 35: stipulates data protection impact assessment and states that, in particular when using new technologies, … carry out a risk assessment of the impact … including measures to address the risks.

  • Article 45: stipulates transfers [to a third country] based on adequacy and states that transfers to a third country may take place only if the Commission has decided … it ensures an adequate level of protection.

  • Article 46: stipulates transfers subject to appropriate safeguards and states that these may be binding corporate rules, standard data protection clauses or enforceable commitments.

In essence the GDPR covers from processing of the data, transfers, security safeguards, impact assessments and breach notifications; all these are provided for under the Data Protection Act 2012, Act 843 of Ghana.

In recent times there has been the argument for safe-harbor rules under Act 843. It is not far-fetched, but it is professionally expressed here that, as Article 46 of the GDPR provides, contractual documents, standards and agreements can suffice for this requirement without hurriedly tampering with the current law.

Act 843 is wide in scope and resilient in application; it is a matter of the regulator’s punch and the corporations’/firms’ due diligence and application that will make it a success and give companies in Ghana less stress when benchmarked against the GDPR.

While corporations and firms operating in Ghana, from a data protection perspective, should be focused on putting structures in place to ensure compliance with Act 843, they should not neglect the GDPR when it comes into force on 25 May 2018 with its improved data protection and privacy laws.

What businesses operating in Ghana need to be aware of is that the GDPR applies in EU member states as well as where data is transferred to or from the EU.

This means that businesses operating in Ghana which engage in business with persons in EU member states will fall within the ambit of the GDPR.

Notably, the GDPR will apply where businesses in Ghana, process the data of an EU member state citizen or temporary resident, have employees based in an EU member state, offer goods or services in an EU member state and have a partnership with an EU business.

The obvious point is that businesses in Ghana that have a presence in the EU will therefore need to be aware of the new requirements under the GDPR in order to continue to conduct their businesses in a data protection compliant manner.

Desmond Israel

Privacy/Infosec Practitioner

desmond[at]isa.com.gh