by Ashnah Kalemera and Edrine Wanyama |
The Financial Inclusion Forum Africa, through an Africa Digital Rights Fund (ADRF) grant, has drafted a Data Protection and Privacy Policy to serve as an internal guide on how digital financial service providers in Ghana should collect, store and process individuals’ data. The ADRF is an initiative of the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) which provides flexible and rapid response grants for the advancement of digital rights in Africa.
The policy outlines principles on the management of personal data in compliance with Ghana’s Data Protection Act 2012 and the International Organization for Standardization and International Electrotechnical Commission Standards for Information Security Management – ISO 27001:2013.
The policy outlines data protection principles including accountability by jurisdiction of data subject; lawfulness of processing through consent; disclosure of purpose; compliance with further processing; accuracy and completeness; openness; safeguards; and correction as well as deletion. The principles of privacy outlined are legal compliance; limitations of purpose; adequacy; and retention.
The policy requires mandatory and frequent information security awareness training for staff and the constitution of an Information Security team responsible for implementing the policy and incident response. Roles and responsibilities are also outlined for risk and compliance, heads of departments, and employees. Provisions for the rights of data subjects include the right of access, rectification, cessation of processing and prevention of automated decision making. In the event of violation of the provisions, the policy provides for internal investigations and sanctions under the law.
The policy was previewed at the Data Protection and Privacy Roundtable, which saw leading digital financial service providers such as Appruve, Jumo, Vodaphone Cash, and G Money, alongside industry experts and regulators such as the eCrime Bureau, RegTheory, and CUTS (Consumer Unit and Trust Society) Ghana provide insights into its viability and applicability. Discussions drew on real-life experiences of service providers and key feedback was incorporated into a revised version of the policy.
Commenting on the policy, Dr. William Derban, Chairperson of the Financial Inclusion Forum Africa, stated that data privacy and protection was “critical to financial inclusion”, as data was the cornerstone of innovation in digital financial services delivery. “These guidelines [the policy] serve as a template to enable fintechs who are developing such services to ensure that all our data is being protected,” he added.
With data breaches, including by business entities, a growing concern among users of digital services across the African continent, the policy can go a long way in addressing the live issues in protecting the privacy of data in the financial sector in Ghana, if widely adopted by service providers.
As data becomes increasingly pivotal to the digital economy and digital rights, it is becoming essential to develop sector-specific data protection guidelines. The fintech sector, which is growing exponentially in Africa, is one of these sectors. Such guidelines are essential to buttress existing legislation, which in Ghana’s case includes the Payment Systems and Services Act, 2019, Data Protection Act, 2012, Electronic Communications Amendment Act. 2016, Electronic Transactions Act, 2008 and the Anti-Money Laundering Act, 2008.
While the policy is not binding, it is anticipated that through ongoing data protection and privacy campaigns, it will draw stakeholder buy-in and implementation, as it is in harmony and gives effect to various local laws while also reflecting the General Data Protection Regulation of the European Union and the African Convention on Cyber Security and Personal Data Protection which Ghana has signed and ratified.