Opinions of Tuesday, 2 July 2019

Columnist: Abdul-Kahar Adam

The issue of data protection in Ghana – Management expert advice

File photo File photo

Data Protection is not Data Protection Law! Data Protection is very broad and has different levels and categories in terms of its usages. First of all, is it about national data of citizens that is the problem in Ghana? Or it is about the release of data by government institutions to third party companies for business purposes that is the problem? Or it is about data access given to these third party companies is the chaos?

These latter questions are similar but are all different in terms of Information Technology technical application point of view. Data Protection is simply the technical measures put in place to deter misuse and leaking or passing officially regulated data information to an unauthorised persons or companies. This can also be caused by physical or manual act.

So what then is private policy statement? Whose responsibility is it? Private Protection Policy Statement are official statements of oaths or terms by business organisations or companies that take users or the public information or have access to people data information through an online weblink. These are statements to assure users and the originality of the stored data that it is for business purposes and not for criminal practices, if such occurs or breached then users can complain but users also will have to agree to the use of such information they collect before dealing with the company.

In this case, data protection is more or less an institutional responsibility whereas Private Data Protection or Policy Statement is both institutional and users responsibility in that both have shared care of responsibility when coming to do business or gain access to systems of information. Most at times you will find Privacy Policy Statements under company websites and on software installations from CDs.

My humble knowledge and expertise on the issue of data protection to the government of Ghana and its stakeholders such as Drivers Vehicle and Licence (DVLA), National Health Insurance Authority (NHIA), National Information Authority (NIA), Electoral Election (EC), etc of citizen’s data is that, it is the responsibility of a government to gather details information on its citizens. Currently as it stands now, we don’t have a reliable data source for the nation. It appears we are still developing our technology in the 21st century into the government technological systems.

I must first point out that due to cheap politics, we politicise and polarise everything in the country. As soon as we have change of government many policies and systems are affected in one way or the other. This can only be eradicated if we stop attributing development to individual president and their party since this is the only way. We must see every development as a country performance and not individual president since nothing comes from their personal pocket. We have been acting in politics blindly which affects our intellectuality as a nation.

Hence, for any government to engage in giving full access of data to companies, or is releasing of data to third party companies either as hard or soft copies, or is providing information about its citizens to third party companies in a form of telephone call or any mailing system about its citizens should understand that there are technicalities to consider before engaging in such agreement or enactment of such laws to guide the process of delivery, application, and usage.

First, if a government institution is given data access to any third party company for verification purposes, the question it should answer is what specific information is to be or is been given out? Is it the full names with the pictures, and without date of birth or full data is given out? I must say that it will be suicidal for any institution to give out full data information to third party companies.

Second, is the government releasing data information to third party companies? If so, then that institution must consider its terms since it is their duty to protect the citizen’s information and therefore no release of hard or soft data information, such will be disastrous. This will be abominable to release full data by any government institution.

Third, is the institution providing information to the third party company by providing the online URL or weblink to enable them to carry out such verification search on their online database? This process is highly recommended but in such instance, it is important for the government institution to still indicate what type of the citizen’s information will be made available to the third party only for search verification? It is always not advisable to give full data access to third party companies. It will be dangerous to give full access online. And with this type of access the institution still have the full security control of their master data intact.

Fourth, when a third party company receives any agreement to use citizens data for the purposes of verification, then the company has to produce a private policy statement to cover the usage of such data and should in case they break it then the law will take its cause. This can be included in the agreement they sign or will sign.

In summary, under no circumstance should a government institution give full access or release citizen’s data information hard or soft copy to third party companies. Such is not a global phenomenon since it has data security implications. The only method of agreement that a government institution should and must consider is the provision of the URL or weblink to the specific data file that the third party company can conduct verification of people online. And this agreement must be a business agreement since it involves commercialisation. Hence, charging for such agreements can be classified as internal generated funds to the state institution. Selling some data information to business companies is a normal practice the world over since it is for the betterment of providing good service and countering and prevention of criminality in all forms. Such agreement is to support the true identity of people they do business with globally before serving or committing funds. This type of agreement needs both management expert and Information Technology technical knowledge of advice. The terms should be based on specialization areas.

By and large, the only government institution(s) that can have full access, full release and URL or weblink is the National Security Organisations and Agencies but with data security protection law to effect its use and study. Any third party company that have access to full data of citizens from government institutions will be a crime. At least verification of ID numbers with person’s names and age or date of birth can serve as important access and may be pictures inclusive. What we should all understand is that these third party companies have their own data information on its customers at large, hence, they may already have inbuilt integrated data source within for verification search purpose across their networks and business partners.

What is important with such agreements are that there must be a different file called verification file which will have limited information on citizens for the third party company use. I have listened and watched many people recently talk on a subject that states data protection breached by Electoral Commission (EC). Why should people say Electoral Commission (EC) breached data protection? I think most journalists and some people who appear on panel platforms or media forums talks too much as if they are experts of the subject matter.

Who say that a public organisation cannot give access of the citizen’s data information to private or corporate business companies? Data Protection is not Data Control. Data Protection is simply the legalities or by-laws including the I.T. technicalities that are written to maintain the use of the data collected and what penalties will be charged if breached. It is ultimate and mandatory for government and its public organisations to provide data to third party companies to facilitate businesses for development. But if such usage is breached and there is evidence upon which complain is launched then the law will take its course.

The question I want people talking about EC breaching data protection in Ghana is, who or which citizen have a cause to complain that his or her data have been found wrongly used from the company that got the access from EC? People cannot just be complaining and saying there is data protection breach by EC. If EC or any other public organisation which collects and holds public data of its citizens does not provide access or give data information to third party companies, how will these business companies do business with due diligence. So please Ghanaians, no misconceptions and misinterpretations.

I must say that if actually it is true that the EC gave access of data to a private company without taken money and signed any agreement will be a very bad precedent. They have to make money for the state. Data access is not a crime in itself but the problem comes in when there is abuse of the data by going outside the agreement and purpose of usage when such can be found with evidence. It is not about suspicion but must be based on real evidence of breach or abuse by the third party companies. In fact, in this case, if individuals or groups are affected like this then they should complain if they are victims. People must understand that public organisations are different from private and business corporate companies.

Data Protection and Data Control are technical matters and not the Data Protection Act of the state. I would like to know, what national database does the Data Protection Commission have in their possession that they protect or control? The law or the act is not the data protection or data control or privacy policy statement.

Therefore, institutions and agencies such as EC, NHIS, DVLA, NIA, etc must take note of this management expert advice and if need be one can be engaged to advise further since all cannot be expressed or written here.

Data Protection is not just about the laws but the information technology technicalities to be considered for usage by third party companies with limitations. Hence, such agreements always need Management and Information Technology technical experts to advice before the legalities come in.

Thanks

Abdul-Kahar Adam

akadam_gh@yahoo.co.uk