January 28
every year is celebrated as International Data Privacy Day - an international
effort to create an awareness of the importance of privacy and personal data
protection. With the increase in data breaches and cybercrime internationally,
data protection and cyber security are more important now than ever before.
Countries across the globe, including Ghana, through the laws, regulatory
frameworks among many others, regulate how organizations process the personal
data of their citizens both home and abroad. In Ghana, the Data Protection
Commission is the government institution mandated by law to regulate
organizations to comply with the Data Protection Act 2012 (Act 843).
Using digital
technologies and digitalised data is increasing rapidly in policy areas, as
well as transforming society, transforming how citizens, governments, civil society,
and companies engage with one another. The subsequent attendant challenges are
enormous, with automation, biometrics, ID systems, and other technologies being
adopted swiftly. It is essential to assess the necessity and risks but,
sometimes, these technologies are adopted with insufficient assessment. In
particular, the adoption of new technologies may impose considerable challenges
to data protection and privacy. For instance, ID systems and biometric
databases may allow for certain links to be made between databases, including
enabling interoperability with other government systems or information sharing
across international borders, exacerbating the risks in terms of personal data
protection. Therefore, although technically possible, the linking of different
databases is not automatically justified, but must be balanced against an
assessment of the inherent risks to data protection and privacy.
The right to
privacy is an internationally recognised human right, enshrined in
several international human rights treaties, widely ratified by many countries
and jurisdictions across the globe. One of such treaties is the United Nations’
Universal Declaration of Human Rights and the International Covenant on Civil
and Political Rights), and contained in many conventions at the regional level,
as well as national constitutions and bills of rights.
Privacy and
data protection are different rights, although intrinsically linked. The right
to privacy is broader and includes the right to protecting personal data yet
covers many elements beyond personal information. The right to data
protection safeguards “the fundamental right to privacy by
regulating the processing of personal data: providing the individual with
rights over their data and setting up systems of accountability and clear
obligations for those who control or undertake the processing of the data”
according to the Privacy International. Therefore, data protection is essential
to the exercise of the right to privacy.
Data
protection and privacy work through key ‘principles’ that give individuals
rights over their data. Some international data protection and privacy
principles have formed the foundation or the basis for the enactment of laws,
bills, and regulations by various countries across the globe. Below are some of
them:
- United
Nations Personal Data Protection and Privacy Principles
- Council
of Europe (CoE) Convention for the Protection of Individuals about Automatic
Processing of Personal Data; Convention 108 and later updated to Convention
108+
- Organisation
for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data
referred to as the OECD Privacy Framework.
- General
Data Protection Regulation (EU) of the European Parliament and the Council of Europe (GDPR)
- United
Nations Guidelines for the Regulation of Computerized Personal Data Files, UN
Resolution 45/95
These
instruments have influenced the development of national data protection laws
worldwide, translating some data protection and privacy principles into domestic
legislation that regulates the processing of personal information.
Core Data
Protection and Privacy Principles
The various
data protection regulations across the world set out principles for the lawful
processing of personal data. Processing includes the collection, organisation,
structuring, storage, alteration, consultation, use, communication,
combination, restriction, erasure, or destruction of personal data. The
principles are at the centre of the various enacted regulations; they are the
guiding principles of the regulation and compliant processing.
The core data
protection and privacy principles which are stipulated in most of the
regulations across the globe are:
- Accountability
- Data minimisation or
collection limitation
- Purpose limitation or purpose
specification and use limitation
- Lawfulness, fairness, and
transparency or openness
- Accuracy or data quality
- Storage limitation
- Integrity and confidentiality
or security safeguards
- Individual participation
These
principles are interrelated and overlap. Each one contains several points of
guidance, and it is essential to treat them together as a whole. While they can
receive different names, the basic principles are similar across the different
data protection and privacy frameworks.
The data
protection principles establish the conditions under which processing personal
information is legitimate, limiting the ability of both public authorities and
private actors to collect, publish, disclose, and use individual personal
information without the data subject’s consent. These principles also establish
the rights that data subjects hold, such as the ability to determine who holds
information about them and how that information is used. They entail several
obligations imposed on those processing personal data–the data controller and
processor–in both public and private sectors, forcing them to handle this data
according to local data protection laws. Hence, and as stated by Privacy
International, “A strong data protection framework can empower individuals,
restrain harmful data practices, and limit data exploitation”.
Who is
responsible for data? What happens when things go wrong?
There are two
entities that have control over personal data and/or process personal data:
data controllers and data processors. The data controller is the natural person
or the legal entity (e.g., government institutions, private companies, that
alone or jointly with others, to determine the means of, and purposes for, processing
personal data. That means that the data controller has decision-making power
regarding data processing and is responsible for safeguarding and handling
personal information on computers or structured manual files.
The data processor is the individual or legal entity that processes data on
behalf of data controllers (which is often limited to technical solutions–the
‘methods and means of processing).
According to good international data protection practice, and as seen in most
laws, conventions, and guidelines, there should be several legal
responsibilities and obligations imposed on data controllers and processors.
Institutions that process personal data, in their capacity as either data
controllers or processors, must be able to demonstrate how they are complying
with data protection requirements, including data protection principles,
fulfilling their obligations, and upholding the rights of individuals whose
data they process. This is the accountability principle, under which
controllers and processors must take all appropriate measures to comply with
the obligations under the data protection regime. These obligations entail the
acknowledgement of the data rights of any individual, such as the right to
always access their data, have their data rectified if it is inaccurate and
express objections if data processing leads to disproportionate or unfair
results.
The author
consulted the following materials which readers could refer to for further
reading:
- Data Protection for Social
Protection: Key Issues for Low- And Middle-Income Countries (GIZ Data
Protection for Social Protection)
- General Data Protection
Regulation
- Privacy Guide for
Businesses–Office of the Privacy Commissioner of Canada
- The Bigger Picture: Privacy
and Work in the New Normal (Data Protection World Forum)
Author:
Emmanuel K. Gadasu
(Data Protection Officer, IIPGH, and Data Privacy
Consultant and Practitioner at Information Governance Solutions)
For comments, contact author ekgadasu@gmail.com
or Mobile: +233-243913077
Source: IIPGH.org
