Korle-Bu, British Airways, Accra Mall, Others Violate Data Protection Law (FULL LIST)

The Korle Bu Teaching Hospital and 176 other institutions have been cited by the Data Protection Commission as having flouted data protection regulations and advised to comply to prevent any legal action.

In a press release, the Data Protection Commission expressed its utmost disappointment at the following institutions that perform functions as data controllers in violation of the requirement to register in accordance with Section 27 (1) of the Data Protection Act, 2012 (Act 843).

The commission indicated that in order to protect the interest of the public, it will have no choice “but to commence the prosecution of the offending institutions and the publication of their names to prevent reckless misapplication, use and abuse of personal data.”

According to the commission, the list released is the first in a series of publications that the commission will be undertaking.

Below is the full statement:

The Data Protection Commission expresses its utmost disappointment at the following institutions who perform functions as data controllers in violation of the requirement to register in accordance with Section 27 (1) of the Data Protection Act, 2012 (Act 843).

In order to protect the interest of the public, the Commission has no choice but to commence the prosecution of the offending institutions and the publication of their names to prevent reckless misapplication, use and abuse of personal data.

This is the first in a series of publications that the Commission will be undertaking. We are advising offending institutions, as a matter of urgency, to register now to avoid prosecution.

The Data Protection Act mandates all entities (public and private, local and international), consultants and individuals who collect, hold and use personal data in Ghana to register with the Data Protection Commission in accordance with Sections 27(1) and 46(3).

It prohibits the collection, holding and using of personal data by data controllers that have not registered with the Commission in Section 53, and Section 56 of the Act states that:

A person who fails to register as a data controller but processes personal data commits an offence and is liable on summary conviction to a fine of not more than two hundred and fifty penalty units or a term of imprisonment of not more than two years or to both.

The general public is also cautioned against providing their personal information to such institutions since it increases the dangers associated with the unlawful processing of their personal data, which include sale of their information (such as credit card details, residential address, phone numbers, etc.) to third parties for criminal and fraudulent purposes, lack of access or control over their information and identity theft.