4 minute read
The new Galamsey: Breach of personal data
Have you ever wondered how random strangers are able to add you to lottery WhatsApp groups, or receive text messages from sports betting companies or even receiving phone calls from strangers in respect of mobile money fraud? This article seeks to discuss personal data and how it may be breached.
What is Personal Data
Advertisement
Personal data means data about an individual or data subject who can be identi ed from the data or other information in the possession of or likely to come into the possession of a data controller[ Data Protection Act, 2012 (Act 843)]. Essentially, this means that personal data is information about a person that identi es or can identify them.
Once data or information can distinguish you from other individuals, it becomes your personal data. Personal data includes a myriad of things that can be used to identify a person, such as a name, date of birth, email address, phone number, ID numbers and physical traits, among others.
A data controller is thus a person who determines the purpose for and the manner of processing of personal data, either alone, jointly with others, or as a statutory duty[
Ibid ].
Personal Data Breach
A breach of personal data is more than just the exposure of your personal data to unauthorised persons; it is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to your personal data[ Information
Commissioner, O. (n.d.). Guide to
Data Protection: Guide to LE Processing: Personal Data Breaches. Retrieved from A ICO Website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-le-processing/perso nal-data-breaches/]. Personal data can be breached by those to whom it is entrusted. There are several situations in which we willingly give out our personal data to people who may owe us a duty of care in how they handle the data. For example, when you go to an o ce or even the hospital and you are asked to leave your name and telephone number to show you came in and left at a particular time. Also, a rst timer in church may be asked to leave his or her phone number in order to be contacted for church activities among others. Another example is with regard to scanning and printing several copies of your forms or IDs at business centres.
Some individuals knowingly or recklessly may disclose personal data, and some go to the extent of selling or o ering to sell a person’s personal data to a third party without the consent of the data subject. All of the examples of how we give out our data willingly can be very easily exploited by those we trust with it. All the scanned copies of documents or ID cards with personal information are at times sold for pro t and for the wrong reasons for those who are to protect and properly dispose of that data.
Fortunately, the Data Protection Act has a provision that states the penalty given to a person when they knowingly or recklessly disclose personal data. That person is liable on summary conviction to a ne of not more than 5,000 penalty units which is GHS60,000 or to a term of imprisonment of not more than 10 years or to both a ne and a term of imprisonment[ Data Protection Act, 2012 (Act 843)]. Also, a person who sells or o ers to sell data is liable to a ne of not more than 250 penalty units, which is GHS3,000, or a term of imprisonment of not more than 5 years or both a ne and term of imprisonment[ Ibid ]. The careless breach of personal data is much closer to home than we think. With the transition to digital data and information collection and storage, many persons, institutions, and organizations are not properly destroying the personal data they have collected from individuals after use.
For example, investment rms, banks, and most nancial institutions require the customers to complete forms with personal information on these forms. After the data has been taken from the forms, the forms may, if not properly destroyed, end up in the hands of street vendors. Your favourite kelewele vendor is probably wrapping your GHC 5 kelewele in the form lled out by Ko Baabone some years back AAP Bank Ltd. This gives an individual looking to unlawfully use that personal data unauthorized access to that data.
Another example of how personal data may be breached is when information is sent to the wrong address because of some error that could have been xed if the right checks were put in place. Sometimes, all it takes is a typographical error with a postal address, phone number, or email address for some health record or sensitive information to go to an unauthorized person. If the person is not lawful or does not have good intentions, that information can be used in the wrong way. The Data Protection Act makes provision for remedies in the event of a breach of personal data. Individuals who su er damage and distress through contravention by a data controller or processor are entitled to compensation from the controller or processor and can seek such compensation through the Courts. Additionally, an individual has the right to complain to the Data Protection Commission if they feel a person or organization is not complying with their responsibilities. The Data Protection Commission may investigate the issue and ensure that your rights are upheld. Data has become the new gold and mining that wealth of knowl edge is now a dire security risk that needs more attention in Ghana, and on the continent.Article writ ten by Prince Addoquaye Acquaye & Sedinam Naki Anyasor
About the Authors
Prince A. Acquaye is the Managing Partner at Corporate and Allied At torneys, a dynamic law rm in Ghana. He specializes in corporate governance, intellectual property, immigration, general corporate commercial, data protection and M&A.
Sedinam N.A. Anyasor is senior at Ashesi University and is majoring in Management Information Sys tems with a concentration on Infor mation Systems. She developed an interest in law and wants to pursue it as a career.
