Have you ever wondered how random strangers are able to add you to lottery WhatsApp groups, or receive text messages from sports betting companies or even receiving phone calls from strangers in respect of mobile money fraud? This article seeks to discuss personal data and how it may be breached.
What is Personal Data
Personal data means data about an individual or data subject who can be identified from the data or other information in the possession of or likely to come into the possession of a data controller[i]. Essentially, this means that personal data is information about a person that identifies or can identify them.
Once data or information can distinguish you from other individuals, it becomes your personal data. Personal data includes a myriad of things that can be used to identify a person, such as a name, date of birth, email address, phone number, ID numbers and physical traits, among others.
A data controller is thus a person who determines the purpose for and the manner of processing of personal data, either alone, jointly with others, or as a statutory duty[ii].
Personal Data Breach
A breach of personal data is more than just the exposure of your personal data to unauthorised persons; it is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to your personal data[iii]. Personal data can be breached by those to whom it is entrusted.
There are several situations in which we willingly give out our personal data to people who may owe us a duty of care in how they handle the data. For example, when you go to an office or even the hospital and you are asked to leave your name and telephone number to show you came in and left at a particular time. Also a first timer in church may be asked to leave his or her phone number in order to be contacted for church activities among others. Another example is with regard to scanning and printing several copies of your forms or IDs at business centres.
Some individuals knowingly or recklessly may disclose personal data, and some go to the extent of selling or offering to sell a person’s personal data to a third party without the consent of the data subject. All of the examples of how we give out our data willingly can be very easily exploited by those we trust with it. All the scanned copies of documents or ID cards with personal information are at times sold for profit and for the wrong reasons for those who are to protect and properly dispose of that data.
Fortunately, the Data Protection Act has a provision that states the penalty given to a person when they knowingly or recklessly disclose personal data. That person is liable on summary conviction to a fine of not more than 5,000 penalty units which is GHS60,000 or to a term of imprisonment of not more than 10 years or to both a fine and a term of imprisonment[iv]. Also, a person who sells or offers to sell data is liable to a fine of not more than 250 penalty units, which is GHS3,000, or a term of imprisonment of not more than 5 years or both a fine and term of imprisonment[v].
The careless breach of personal data is much closer to home than we think. With the transition to digital data and information collection and storage, many persons, institutions, and organizations are not properly destroying the personal data they have collected from individuals after use. For example, investment firms, banks, and most financial institutions require the customers to complete forms with personal information on these forms. After the data has been taken from the forms, the forms may, if not properly destroyed, end up in the hands of street vendors. Your favourite kelewele vendor is probably wrapping your GHC 5 kelewele in the form filled out by Kofi Baabone some years back AAP Bank Ltd. This gives an individual looking to unlawfully use that personal data unauthorized access to that data.
Another example of how personal data may be breached is when information is sent to the wrong address because of some error that could have been fixed if the right checks were put in place. Sometimes, all it takes is a typographical error with a postal address, phone number, or email address for some health record or sensitive information to go to an unauthorized person. If the person is not lawful or does not have good intentions, that information can be used in the wrong way.
The Data Protection Act makes provision for remedies in the event of a breach of personal data. Individuals who suffer damage and distress through contravention by a data controller or processor are entitled to compensation from the controller or processor and can seek such compensation through the Courts. Additionally, an individual has the right to complain to the Data Protection Commission if they feel a person or organization is not complying with their responsibilities. The Data Protection Commission may investigate the issue and ensure that your rights are upheld.
Data has become the new gold and mining that wealth of knowledge is now a dire security risk that needs more attention in Ghana, and on the continent.
Article written by Prince Addoquaye Acquaye & Sedinam Naki Anyasor
[i] Data Protection Act, 2012 (Act 843)
[iii] Information Commissioner, O. (n.d.). Guide to Data Protection: Guide to LE Processing: Personal Data Breaches. Retrieved from A ICO Website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-le-processing/personal-data-breaches/
[iv] Data Protection Act, 2012 (Act 843)