Before the Registrar arrives. Before the Finance Officer unlocks her drawer. Before the first email of the day is opened, someone has already had access to that office.
They arrived at dawn, long before the rest of the institution stirs, carrying a mop and a bin bag. They move through the space efficiently, doing what they were hired to do, and leave before the workday officially begins.
This is not a story about cleaners doing anything wrong. It is a data protection story about institutions that have not fully considered what happens to personal data during the hours when offices are occupied but not actively supervised.
What personal data is exposed during the early morning cleaning window, and what measures exist to protect it?
In many institutions, that question may not receive the attention it deserves.
The Access Nobody Plans For
Cleaning staff occupy a unique position within institutional environments. In universities, hospitals, government offices, and corporate workplaces, they routinely enter spaces containing some of the most sensitive information an organisation holds. Human resource offices, finance departments, medical units, registries, and executive offices all fall within their normal cleaning responsibilities.
The issue is not their access. The issue is what is often left exposed when they arrive.
Documents remain on desks overnight. Filing cabinets are left open. Computer screens remain unlocked. Salary schedules, personnel files, student records, medical referrals, and confidential correspondence may be visible in offices that would otherwise be considered secure.
These are not extraordinary circumstances. They are often the result of routine workplace habits that fail to account for what happens outside normal working hours.
Under Ghana's Data Protection Act, 2012 (Act 843), organisations that process personal data are expected to implement appropriate technical and organisational measures to protect it from unauthorised access, disclosure, loss, or misuse. That responsibility does not begin when staff arrive and end when they leave. It applies at all times.
A Vulnerability Hidden in Plain Sight
The concern is not that cleaning staff are inherently untrustworthy. Rather, it is that personal data left exposed creates opportunities for misuse.
Where sensitive information is visible, an individual with improper motives may seek to obtain it through someone who has legitimate access to the environment. In such circumstances, even a well-intentioned person can become an unintended conduit for a data breach.
The risk therefore lies not in the cleaner, but in the unnecessary exposure of personal data within the workspace itself.
Data protection is often viewed as a technological challenge, yet many breaches originate from ordinary operational practices. A personnel file left on a desk, an unlocked filing cabinet, or a confidential document visible to unauthorised persons can expose personal data just as effectively as a cyber incident.
The Gap Institutions Must Address
Many organisations have invested heavily in cybersecurity controls while paying far less attention to physical data security. Yet some of the most sensitive personal information remains in paper files, printed reports, handwritten notes, and physical records.
Medical offices contain patient information. Human resource units maintain personnel records and disciplinary files. Finance departments hold payroll information. Registries and administrative offices manage extensive student and staff data.
These are not ordinary spaces, and the information they contain deserves appropriate protection beyond working hours.
Among the most effective safeguards is a properly enforced clear desk and clear screen policy. Before leaving an office, staff should secure documents, lock storage units, and ensure that sensitive information is not left visible.
Institutions should also conduct periodic physical data security audits of offices that handle sensitive information and implement safeguards such as secure storage, controlled access procedures, and documented end-of-day security checks.
Where cleaning services are outsourced, confidentiality obligations and basic data protection awareness should form part of contractual and onboarding requirements. These measures are consistent with the responsibilities imposed on data controllers under Act 843.
The Breach That Leaves No Trace
The most significant data breaches are often the ones that leave no obvious evidence behind. No system is hacked. No alarm sounds. Nothing appears to be missing.
Personal data was simply visible when it should not have been.
By the time a consequence emerges, a staff member's information misused, a student's confidential record disclosed, or sensitive medical information reaching the wrong hands, the moment of exposure may be impossible to reconstruct.
This challenge extends beyond universities. Hospitals, schools, financial institutions, government agencies, and private organisations all face similar risks wherever personal data remains exposed outside normal working hours.
The absence of a reported breach should not be mistaken for the presence of effective protection. In many cases, it may simply mean that a vulnerability has not yet produced a visible consequence.
Personal data protection is not only achieved through firewalls and passwords. It also depends on how information is managed within the physical workplace.
That discipline must extend to every office, every access point, and every hour of the day, including the quiet hours of dawn, when the earliest visitor enters the workplace and the security of personal data depends not on who is present, but on whether the institution prepared for their arrival.
About the Author
Jeremiah Salia is a Certified Data Protection Officer, Security Professional, and registered member of the Ghana Association of Privacy Professionals (GAPP), with hands-on experience in data governance and institutional security within higher education. He writes on data protection and the everyday administrative practices that shape how institutions handle personal information.
Turmoil in NPP as Ken Agyepong supporters blast executives over alleged dismissa...
June 27: Cedi sells at GHS12.30 on forex market, GHS11.30 on BoG interbank
Odaw River dredging to be completed by December 2027 — Works Minister
Appointees must stay in Ghana for one year after office — Kofi Bentil proposes
2026 World Cup: Africa sets new record with seven teams reaching knockout stage
2026 World Cup: Black Stars secure Round of 32 qualification ahead of Croatia cl...
I’ve put Uri Gellar in a bottle for challenging his spiritual powers – Kwaku Bon...
GCB Board Chairman Prof. Joshua Alabi promises $100,000 winning bonus for Black ...
President Mahama cuts sod for 24-hour economy market at Assin Bereku
Govt to introduce new rent law to strengthen tenant protection
