SSNIT has become the first Data Controller in the nation to request Data Protection Awareness training for its entire Executive Body, in recognition of the close alignment of Data Protection and Privacy with business management today. The training is part of the public education and awareness campaigns on the rights of data subjects and the obligations of Data Controllers under the Data Protection Act, 2012 (Act 843).
The Executive Director of the Data Protection Commission (DPC), Ms. Patricia Adusei-Poku, commended the Management team of SSNIT for the initiative. “This is a mark of excellent leadership on the part of the SSNIT Executive and I am impressed by your desire to reinforce the principles of accountability and responsibility in your institution”, she said.
The Executive Director of the DPC stressed that Personal Data is currently the new gold, as the wealth of organizations is assessed based on the value placed on the Personal Data processed.
All entities are vulnerable to intentional, unlawful or accidental sharing of Personal Data. The risk of cyber-attacks aimed at illegally accessing Personal Data, particularly from large-volume Data Processors such as SSNIT, is real, and it is only a matter of ‘when’, NOT ‘if’, it happens. Hence, responsible and accountable institutions such as SSNIT need to adopt a top-down approach to enabling appropriate, reasonable, technical and organisational measures to prevent loss of, damage to, or unauthorized and unlawful access to the Personal Data they hold.
The Executive Director of the Data Protection Commission emphasized the need for organisations to adhere to the eight (8) principles of data protection (accountability, lawfulness of processing, specification of purpose, compatibility of further processing with purpose of collection, quality of information, openness, data security safeguards and data subject participation) in the processing of Personal Data. This required undertaking an appropriate Personal Data impact risk assessment prior to undertaking projects involving Personal Data.
She outlined some of the benefits of being responsible and accountable for the privacy of individuals, including improved client confidence in the organization’s safeguarding efforts. “Being compliant with Act 843 will prove to clients that your organization is a good custodian of data. Accountability also ensures improved data security, reduced data maintenance costs, increased alignment with evolving technology, defense against claims for data breaches and presence in public register of compliant Data Controllers”, she explained. She added that SSNIT had shown the way and she was optimistic that other organisations would follow SSNIT’s lead to train their staff.
Noncompliance with the provisions of the Act may also result in negative media attention, fines and/or expenses in responding to the Commission’s inquiries, loss of business due to inability to meet customer and partner privacy/security standards, loss of goodwill and brand damage, and a halt in business operations based on the Commission’s directive to stop data processing. She added that with the coming into force of the EU General Data Protection Regulation (EU-GDPR), institutions processing the data of European Data Subjects stand the risk of being sanctioned to pay stiff fines of up to €20 million, or 4% of the worldwide annual revenue, whichever is higher. Hence the need for institutions to take Personal Data regulations seriously.
The Executive Director of the Data Protection Commission emphasized that protecting individual privacy in line with the requirements of Act 843 underpins the national transformation and ‘beyond AID’ agenda as Ghana embarks on a mass digitisation effort as part of its Information and Communications for Development strategy (ICT4Devt). The DPC is the institution mandated by law to ensure accountability of all stakeholders through the regulation of Technology, Processes and People.
This calls for a concerted and integrated Public Education Campaign that will impact the nation at the policy level, as well as civil society groups, businesses, key decision makers, the media and the general public, yielding a good return on investment (ROI) in national knowledge and awareness.
Speaking on the benefits of the exercise to the Trust, the Director-General of SSNIT, Dr. John Ofori-Tenkorang, said SSNIT was committed to ensuring that the data of members was protected. “We may not be able to totally eliminate the risk of data breaches, but as a business we will do everything humanly possible to ensure the security of the data we control, and this training is a key step in that process”, he said. He added that the training would be extended to cover all the relevant departments and officers who handle member data within SSNIT.
A knowledgeable and aware public will commence the cultural shift and the changed mind-set required in this digitised environment and across the global landscape. The Commission is ready to assist accountable institutions to implement their privacy programs to align with global best practices and in compliance with the Act. All institutions that process Personal Data should be compliant with the law and register with the Data Protection Commission at https://www.dataprotection.org.gh to benefit from the training sessions of the Commission and privacy program support.