Disconnecting Trust: A Data Protection Perspective on the NIA-GRA Brouhaha
The recent disconnection of the Ghana Revenue Authority (GRA) from the Identity Verification Service (IVS) platform of the National Identification Authority (NIA) over an alleged debt of GH₵376 million has ignited urgent questions surrounding data governance, accountability, and compliance with the Ghana Data Protection Act, 2012 (Act 843). As a seasoned Data Protection Officer (DPO) and legal practitioner, I see this development as highlighting systemic gaps in institutional data protection practices, the legal and operational roles of public entities, and the future of inter-agency data sharing in Ghana. This article provides a legal and compliance-based analysis of the incident, with a particular focus on the roles of the Data Protection Commission (DPC), the contractual frameworks between the two institutions, and the professional responsibilities of DPOs.
The Role of the Data Protection Commission (DPC)
The Data Protection Commission is the independent regulator mandated under Act 843 to ensure that personal data is handled lawfully, fairly, and transparently. The Commission’s role includes registering data controllers and processors, monitoring compliance, and advising government institutions on best practices in data governance.
In this particular case, the DPC’s involvement is critical. The NIA has reportedly written to the Commission, seeking permission to delete its data from GRA systems. However, under Act 843, the DPC is not a judicial authority and cannot grant or enforce data deletion orders, especially when the data is in the custody of another public agency. Rather, the DPC's mandate extends to ensuring that data deletion, if considered, complies with the Act. The DPC can investigate whether the current handling of data between NIA and GRA aligns with their respective obligations as data controllers, but it cannot compel one party to grant access or delete data on behalf of another.
Role of GRA and NIA Management in Data Protection
Data protection governance begins at the top. The management of both GRA and NIA must be held accountable for institutional data protection practices. The alleged debt and resulting disconnection should never have escalated to a point where public services are disrupted and sensitive personal data becomes the subject of operational brinkmanship.
The fact that the NIA is exploring options to delete its data from GRA’s systems indicates a possible failure in establishing clear operational protocols and safeguards for shared data. Section 24 of Act 843 requires that data controllers (in this case, both GRA and NIA) retain data only for as long as necessary for the lawful purpose for which it was collected. Without a robust data lifecycle management strategy endorsed by leadership, institutions expose themselves to legal, reputational, and operational risks.
Is There an Existing Contract with Data Protection Clauses?
While the public has no access to the specific contractual arrangement between GRA and NIA, any data-sharing relationship of this magnitude must be governed by a formal written contract. Such a contract should explicitly include data protection clauses covering the purpose of data sharing, security protocols, access control, incident response, liability clauses, and breach notification timelines.
The absence of such a contract would be a direct violation of Section 19 of Act 843, which requires data controllers to ensure that any data processing, particularly by third parties, is bound by written contracts that guarantee adequate protection.
Is There a Data Processing Agreement (DPA)?
A Data Processing Agreement is a mandatory legal instrument under Act 843 when a data controller engages a processor to handle personal data on its behalf. If either GRA or NIA was acting as a processor for the other—for example, if GRA accessed NIA data to authenticate taxpayer identities—a DPA would have been essential.
This agreement would define scope, limitations, and obligations on both sides, including the controller’s authority, the processor’s duties, and safeguards for cross-border data transfers, if applicable. Without a DPA, any such processing is unlawful under Act 843, and both parties could face sanctions by the DPC.
Is There a Data Sharing Agreement?
Beyond the DPA, institutions that share data horizontally (controller-to-controller relationships) must have a Data Sharing Agreement (DSA). A DSA outlines the legal basis of the sharing, the categories of data shared, roles of each party, and security measures in place.
Given the nature of the IVS and the fact that NIA data is foundational for verifying identities in the tax system, a DSA between NIA and GRA should have been in place. This agreement would also stipulate terms for access, dispute resolution, termination, and data withdrawal. If no such DSA exists, then both institutions may have been operating in breach of the principles of lawful and transparent processing.
The Way Forward: Prioritizing Data Governance Before Partnerships
The events surrounding this disconnection must serve as a wake-up call to all public and private sector entities in Ghana. Data protection is not a peripheral issue—it is central to any contractual engagement involving personal data.
Before entering into partnerships or service-level agreements, institutions must:
- Conduct Data Protection Impact Assessments (DPIAs)
- Engage their DPOs during the design and negotiation of contracts
- Insist on written contracts with clearly defined data protection clauses
- Develop exit strategies for data portability, retrieval, or deletion
- Establish joint governance committees for oversight of data-sharing arrangements
This proactive approach will prevent future conflicts and ensure continuity of public services without jeopardizing individuals’ personal data.
Data Deletion: DPC Cannot Authorize Deletion or Access Orders
It must be clearly stated that the DPC has no legal mandate to authorize either NIA to access GRA’s servers or GRA to delete NIA’s data. These are operational and legal issues that must be handled internally or through judicial processes. The DPC’s role is to ensure that such actions, if taken, are consistent with Act 843.
The deletion of data, especially data integrated into tax administration systems, must follow an evidence-based audit trail and legal process. Unilateral deletion or denial of access may amount to a data breach or an obstruction of lawful processing.
Role of Data Protection Officers (DPOs) in Both Institutions
This situation also places the spotlight on the DPOs at NIA and GRA. As mandated under Section 58 of Act 843, the DPO is responsible for ensuring that data processing operations are lawful, advising management on data protection obligations, and serving as a point of contact with the DPC.
Had the DPOs been meaningfully involved in the architecture of the NIA-GRA relationship, safeguards would likely have been in place to anticipate and mitigate such a fallout. The current impasse may point to a sidelining of DPOs or gaps in their influence within institutional governance structures.
It is now imperative for all institutions to elevate the role of DPOs, provide them with the necessary resources and authority, and embed their input at every stage of decision-making where personal data is concerned.
Conclusion
The standoff between the NIA and GRA reflects a broader challenge in Ghana's digital ecosystem: a lack of data governance maturity. While financial disputes between entities may be inevitable, personal data should never become collateral damage.
By strengthening contractual frameworks, institutional accountability, and regulatory clarity, Ghana can pave the way for a more resilient, lawful, and citizen-centric data protection culture. Above all, institutions must treat data protection not as a compliance checkbox but as a cornerstone of public trust and operational integrity.