Is your personal information really protected?
I want to open a bank account with the money I found on the floor. So I head to the nearest
bank and they ask me to fill a very long form which I obediently comply to do. Later that afternoon I decided to purchase a sim-card from one of the TELCOs’, my BioData was required before the telecommunications agency gave me the sim-card. I go to the hospital and fill a form for consultation as a new patient, my bio-data was required as well.
So let’s assume during the week I did all that plus others, now, do you think the information I gave to these institutions is being used for the purpose of which it was required or am I skeptical of what the information I have provided will be used for or even if I really do not care about what they use the information for, can I be certain that all that information I have provided to these institutions being protected? One may wonder, what exactly do these organisations, corporations and various governmental institutions who collect personal information do with the data that they collect.
Is it just a routine procedure, a basic requirement or an invasion of my privacy? Data protection is commonly defined as the law designed to protect personal information, which is collected, processed and stored by “automated” means or intended to be part of a filing system.
So there is a law that protects the privacy of my personal information. However, according to international standards, any country where a comprehensive data protection law exists, organisations, public or private, that collect and use personal information have the obligation to handle this data according to the data protection law.
But how does the law technically protect the data of Ghanaian citizens? The passage of the Data Protection Act, 2012 (Act 843) tends to curb any illegalities to the use or misuse of personal information.
The Data Protection Commission (DPC) is an independent statutory body established under the Data Protection Act, 2012 (Act 843) to protect the privacy of the individual and personal data by regulating the processing of personal information. The National Data Protection Commission was created out of Article 18 (2) of the 1992 Constitution of Ghana.
Article 1 (1) of Act 843 established the Data Protection Commission to operationalize Article 18 (2). It says that there shall be established Data Protection Commission to protect the privacy of the individual and personal data by regulating the processing of personal information, to provide the process to obtain, hold, use or disclose personal information and for related matters.
Furtherance to the formation of the commission, are there any fundamental principles that tend to guide its operations as a commission? My research pulled out a number of basic principles from Privacy International (an international organization which is building a global network of advocates to fight for privacy, uncovering surveillance practices around the world, and advocating for strong privacy protections on the domestic and regional level) which tends to layout fundamental principles to the laws of data protection around the world.
- There should be limits to what is collected: there should be limits on the collection of personal information, and it should be obtained by lawful and fair means, with knowledge or consent of the individual.
- The information should be correct: personal information should be relevant to the purpose for which it is used, should be accurate, complete and up to date.
- No secret organisations, sources, or processing: we must be made aware of the collection and use of our information, we should know the purpose for its use, and we must know about the organisation that is the data controller.
- Organisations must be held to account: the organisation that collects and manages your information must be accountable for providing the above principles and rights. As citizens, the question that comes knocking at our door is do we know anything about our privacy rights? The privacy of rights refers to the concept that one’s personal information is protected from public scrutiny. The Data Protection Commission of Ghana states the various data protection rights as individuals and how best you can exercise these rights as follows;
- Access to personal information once you provide proof of identity, you may request for a copy of all your personal details by writing to any organisation or person holding these details on a computer or in manual form. You have a right to also know how the information is being processed, by whom and who has accessed it.
- Right to amend your personal information you have the right to request an amendment (correction and deletion) of inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained personal data or information that is under the control of a data controller/ processor. And on the receipt of the request, the data controller must comply or provide you with valid reasons why he can’t comply.
- Right to prevent the processing of your personal information. You can at any time by notice ask the data controller or processor to cease processing of your personal information.
- Rights to freedom from automated decision making An individual is entitled at any time by notice in writing to a data controller to require the data controller to ensure that any decision taken by or on behalf of the data controller which significantly affects that individual that is not based solely on the processing by automatic means of the personal data in which that individual is a data subject. Generally, important decisions about you based on your personal details should have a human input and must not be automatically generated, unless you agree to this. For example, such decisions may be about your work performance, reliability, mental health condition, etc.
- Right to prevent the processing of personal data for direct marketing purpose a data controller or processor shall not provide, use, obtain, or provide information related to a data subject for the purpose of direct marketing without the prior written consent of the data subject. Individuals are entitled at any time by notice in writing to a data controller to require the data controller not to process personal data of that subject for the purposes of direct marketing and to obtain compensation where such process caused any damage to them.
- Right to seek compensation through the court's Individuals who suffer damage and distress through the contravention by a data controller or processor is entitled to compensation from the data controller or processor and can seek such compensation through the Courts.
- Right to complain to the Data Protection Commission: where you are having difficulty in exercising your rights or if you feel that any person or organization is not complying with their responsibilities, you may complain to the Data Protection Commission that can investigate the issue and ensure that your rights are upheld. The Data Protection Commission also outlines some practical measures that can be used in protecting your personal information;
- Using different passwords for different purposes: The use of a common password for several accounts (especially online) can leave you particularly vulnerable to fraud. Use a varied password for different purposes
- Properly dispose of personal information: Dispose of personal information with care by making personal information impossible to read or decipher. E.g. Receipts, banking documents, letters with your name, etc. should be shredded or torn and disposed of safely.
- Avoid allowing computers to keep your passwords: Allowing a web site to store your password offers no protection should someone hack into that account or have access to your computer.
- Bluetooth services: Put your Bluetooth off by default on all your mobile devices. Only switch it on when you need to use it.
- Keep security tools up to date: Keep your computer security tools up to date. Good computer security includes installing reputable anti-spyware, anti-virus scanners and firewall software.
- Avoid the use of debit cards for online purchases: VULNERABILITY is very high if debit cards are used for online trades. Debit cards give an attacker immediate access to a bank account and all the available funds.
- Use stronger passwords: Avoid using names of people or date of events like birth dates as passwords. They are very easy to decipher. Always try a mixture of both upper case and lower case alphabets and some numbers for stronger passwords.
- Visit secured websites: At the very minimum, make sure that any site you interact with uses HTTPS rather than unencrypted HTTP connections. Use of an unencrypted connection means that anyone can hack into the system and see what you doing.
- Social networking: Do well to avoid social networking of any kind and if you must use any, don’t put some very personal information about yourself on your profile. Why give identity thieves an even break? And remember that, no matter what your privacy settings, you don’t have control over information about you that is posted by your “friends”. Avoid using services that require location information. Does all this really matter? The simple answer is yes. It is the time we as citizens become more concerned about some of these realities. The current information technology era we live in requires that we become conscious of dealings with data. Data theft is increasingly becoming a problem for individuals and computer users as well as corporate firms around the world. It is a lucrative business for the perpetrators and very damaging to affected persons or organisations. Collectively, we need to understand the need to protect our personal information and ensure that information that we give out especially personal information is used for the purpose of which it is required for. The mandated institutions should also be seen sensitizing the citizenry on some of this goings-on and also to be seen to have practical solutions to some of the issues that rear their head occasionally. Data protection should not be for a selected few, it should be a benefit for every citizen in Ghana.