Correspondence from Frank Addo Aboagye, Bono Region

A 38-year-old public servant, Asamoah Anthony, complains that his inbox is flooded with unsolicited text messages daily, yet his efforts to stop them have been futile.

Surfing through his message inbox on his phone for the messages he described as “nuisance” as proof, he showed a litany of them numbering over 50, especially from financial institutions, and he has no idea how they got access to his contact data.

One of the messages on his phone reads: “Are you looking for a loan? Alpha Trust is here to give a unique offer at a cool rate. And allowed settlement at any time. Pls call/Whatsaap 0553529390” and another message reads: “Ivest loans for all government workers base on the affordability, call 0249120000 to apply. No upfront charges. We pay off loans” and he insists he has not officially given out his data to receive such messages.

"I don’t know how they got my number. My privacy has been invaded because I get tons of these messages at the least opportunity and they have become a nuisance but there is nothing to be done about it" he shared his frustration.

On the part of Juliana Asantewaa, a teacher, she feels “exposed” when her phone is inundated with these unsolicited messages explaining that the constant stream of unwanted texts leaves her feeling vulnerable, as it suggests her personal information is not as secure as she had hoped.

“It looks like someone is watching you from afar because they have your data and they can send you messages at any time which surprises and alarms me.”

She lamented that important messages are often lost amid the flood of unsolicited texts, making it difficult for her to manage her communication effectively.

Madam Asantewaa also questioned why regulators remain indifferent to this growing issue, despite its implications for data protection and privacy.

“The sheer volume of these texts makes it difficult to sift through and prioritise meaningful communication, leading to frustration and missed opportunities. What makes it even worse is the apparent lack of concern from those responsible for regulating such practices. It feels like no one cares about the impact this has on our daily lives and the invasion of our privacy”, she added, highlighting her disappointment with the inaction of relevant authorities.

Interestingly, political parties have also embraced the practice, with the two leading parties leveraging text messaging which is a direct approach to connect with the electorate as an alternative to traditional campaign platforms in their quest to secure victory in the 2024 election.

While this approach is undoubtedly ingenious, highly convenient, and cost-effective for reaching large audiences, it raises significant ethical and legal concerns because the practice blatantly infringes on individuals' privacy, as these messages are sent indiscriminately without obtaining prior consent from recipients.

Shadrack Opoku, a member of the Jehovah’s Witnesses Church, a nontrinitarian, millenarian, restorationist Christian denomination finds himself increasingly frustrated by the influx of unsolicited messages he receives in sharp contrast with his religious and conscious decision to abstain from political activities but is forced to contend with these messages, which he feels are an unwelcome intrusion on his privacy and beliefs.

Shadrack showed one such message from the NDC’s John Dramani Mahama which read: “Fellow Ghanaian, apart from the 24-hour economy agenda, a Mahama presidency will invest $10 billion dollars in infrastructure to create jobs which includes a $3 billion dollar private sector-led investment in ICT! It's JOBS! JOBS! JOBS! Vote John Mahama for President and the NDC parliamentary candidate in your Constituency for MP on December 7! On the ballot paper look for the umbrella. Forward this message to ten or more people” and question how the party got access to his contact details.

"I am a Witness, and my religious beliefs prohibit me from voting or engaging in political activities. Yet, it’s frustrating that whenever I check my phone, I find messages from political parties urging me to vote for a specific party. It’s really annoying," he said.

For Linda Ofori, despite being politically engaged and having been at the receiving end of these unsolicited messages from both the National Democratic Congress (NDC) and the New Patriotic Party (NPP), the practice is unacceptable.

“I am a politically exposed person but receiving unsolicited messages is a no for me and I think the practice is unacceptable in any civilised community.”

With messages on her phone from the NPP and NDC reading as: “Dear Linda, thank you so much for your massive love and support during my visit. Together, we can shape the next chapter of our great nation with bold solutions” and “Dear Linda, let’s build the Ghana we all want together. Vote John Mahama for President on 7th December for the No Fees Stress policy for tertiary students”, respectively, she wondered how her details got into the hands of the two parties.

Calls for action

The surge in unsolicited Short Message Service (SMS) messages has raised serious concerns about data privacy and security among Ghanaian mobile phone users.

From promotional adverts to political campaign messages, many people report receiving these messages from unknown sources, sparking widespread concerns about how third-party institutions access and misuse personal information without consent.

Financial institutions are among the worst offenders, bombarding public sector workers with text messages urging them to take personal and investment loans. These messages are often sent to workers who receive their salaries through the Controller and Accountant General's Department (CAGD).

This has brought to light potential gaps in the enforcement of data protection regulations, with Linda Ofori for instance suspecting that telecom operators, third-party marketers, or other entities may be sharing users’ information without authorisation in a clear breach of the data protection laws arguing that enforcement has been lax, allowing such privacy violations to persist with impunity.

She is in the face of these breaches on data protection demanding accountability from telecom operators and advertisers and the relevant agencies to investigate these practices and enforce stricter regulations to protect personal data highlighting the vital aspects of safeguarding personal data in an increasingly digital world.

She fears this trend could have far-reaching implications because, besides breaching privacy, the misuse of personal data could expose individuals to phishing scams and other cyber threats.

What the Data Protection Commission had to say

Speaking on the issue, Madam Patricia Adusei-Poku, the Executive Director and Commissioner of the Data Protection Commission (DPC), the body mandated to protect the privacy of individual and personal data by regulating the processing of personal information disputed claims that authorities are doing nothing indicating that her outfit has been up to the task when there is evidence of data breach.

“The Data Protection Commission as an independent statutory body was established to protect the privacy of the individual and personal data by regulating the processing of personal information. We have not been sleeping on the job because over the years we have shown strong commitment to protecting the data of people.”

Citing the unsolicited messages from loan sharks targeting workers on CAGD’s payroll, she acknowledged the issue and revealed that her outfit has already audited the Controller system and recommended changes.

However, she noted that these changes are yet to be implemented but assured that, once they are, such unsolicited messages will soon become a thing of the past.

“Controller has its own problem with their system so we conducted an audit of their system and identified the source of the problem and made recommendations but there were some problems before implementation but there is the assurance that in the coming months, they will roll out the changes we made to them and I can assure you that those messages very soon will be a thing of the past.”

Madam Patricia Adusei-Poku added that, as part of a broader strategy, the Commission has been collaborating with telecom operators and the National Communications Authority (NCA) to address these practices.

She assured that these efforts would eventually result in a more effective data protection system.

“We have a close collaboration with the telcos and the NCA to deal with all these issues to ensure that we have a robust data system so the people should be rest assured that we are not sleeping on the job because we have made some gains already.”

The Data Protection Law

In response to concerns over the misuse of personal information in an increasingly digital world marked by data breaches, the Ghana Data Protection Act 843 was enacted in 2012. This legislation aligns with global efforts to safeguard personal data, recognising its importance within the broader framework of human rights and civil liberties amidst rapid technological advancements.

The Act also established the Data Protection Commission (DPC), a statutory body responsible for ensuring compliance with the Data Protection Act. Its role is to help citizens navigate the digital landscape without fearing privacy infringements, especially as the rise of social media, online transactions, and data-driven marketing has increased the vulnerability of personal information.

Section 27 (1) of the data protection law provides for the registration of Data Controllers who intend to process and handle personal data with Section 28 placing greater responsibility on the Data Controllers for the processing and handling of personal data.

According to the Executive Director and Commissioner of DPC, these obligations as enshrined in the Act primarily revolve around ensuring that any processing of personal data is conducted lawfully, transparently, and in a manner that respects the rights of data subjects.

“The law allows for the registration of data controllers who are expected to work with utmost professionalism because data privacy is a fundamental human right and individuals must have the backing of the Data Protection Law about how their data is being used.”

She added that the cornerstone of these responsibilities is the necessity of obtaining valid consent from individuals before their personal data can be processed and consent must be provided freely and Data Controllers.
“Data Controllers are specifically and unequivocally responsible for ensuring that data subjects are fully aware of how their information will be used and so we enforce the law when a controller acts otherwise.”

Seeking redress for data breach

Patricia Adusei-Poku pointed to the fact that there are remedies under the Data Protection Law for individuals whose personal data is breached to make a request to the commission for an assessment of the breach and to make a determination of the case.

“Under the Data Protection Law, a person who is affected by the processing of any personal data may on that person’s own behalf or on behalf of another person request the Commission to make an assessment as to whether the processing is in compliance with the provisions of this Act and based on the findings the commission will make a determination on the matter.”

She added that “On receiving a request, the Commission may make an assessment in the manner that the Commission considers appropriate” but bemoaned that most people fail to report these breaches to the Commission for appropriate redress and determination.

“Once the commission receives a complaint from an individual, we have to assess to determine its merit but the sad reality is that many people do not report these breaches so it makes it difficult to seek redress for them.”

This report is produced by Frank Addo Aboagye under the DPI Africa Journalism Fellowship Programme of the Media Foundation for West Africa and Co-Develop.