Many countries including Ghana are fast adapting to digitization initiatives to leverage the benefits that come with an effective and efficient digital public infrastructure.
Digital identity systems, digital and instant payment systems and data exchange setups are becoming essential. These initiatives are key to making life easier for ordinary citizens, but they come with associated risks. The potential to have people’s personal data breached and compromised frightens many who are slow to welcome digitization initiatives.
Deborah Mensah, a banker is bombarded with unsolicited text messages from online vendors and politicians.
“I’ve lost count of the number of messages I get from advertisers. I keep wondering how they got my number because more often than not, I’ve never heard of them before. I remember prior to the elections I got messages from some of the candidates telling me to vote for them. It was very annoying,” Ms. Mensah explained.
She suspects her contact details were given out by her telco company having registered her SIM. That registration was done with her Ghana card, produced by the National Identification Authority.
Ghana’s Data Protection Act, 2012 (Act 843) states that “no person shall be subjected to interference with the privacy of his home, property, correspondence or communication except in accordance with law and as may be necessary in a free and democratic society for public safety or the economic well-being of the country, for the protection of health or morals, for the prevention of disorder or crime or for the protection of the rights or freedoms of others.”
Other regulations including the Electronic Communications Regulations, 2011 (L.I. 1991) and the Cybersecurity Act, 2020 (Act 1038) also make provisions for the regulation of cybersecurity activities, data sharing and the maintenance of the privacy of other users, customers and third parties.
But for some Ghanaians, they doubt the effectiveness of these laws. The increasing spate of cyber scams, and mobile money fraud, all associated with digital payment systems managed by the central bank worries many and undermines the desire to accept and adapt to digitization.
Security and Safety Expert Dr Adam Bonaa says Ghana has no excuse to put in place an efficient system that assures people of how safe their digital data is.
“It’s very appalling, if you ask me. Data security, and then protection, and all security and all that, Ghana seems to be probably 50 years behind. And they are either intentional, because we have the platform to ensure that our data is, you know, comprehensively protected, and they’ve compromised the system themselves,” he narrated to TV3’s Laud Adu-Asare.
“It looks like the laws are there, but the enforcement of the laws is what leaves a lot to be desired. As and when they want the law to abide, it will abide. If they want the law to abide, it will abide. As far as I’m concerned, I mean, we seem to be dancing around these things every now and then,” he added.
Lackluster implementation of privacy protection
CEO of Data Protection Commission, Patricia Adusei Poku, although confirming that the law is in force, admittedly noted the glaring gaps in there.
According to her, technological evolution has made it such that some parts of the law are currently not abreast with the country’s digital ecosystem. She however noted that the Data Protection Commission is currently working with the necessary institutions including the Communications Ministry to ensure that these areas are amended.
“You don’t often hear that Ghana has sanctioned the companies, not because of the lack of action from the Commission, but the fact that the procedures laid in the law for doing it is quite weak. When we find a defaulting institution, we have to actually prosecute that institution through the normal prosecuting channels, meaning that we have to report them to the police, put a statement out, make a case and get the police to prepare a document. The document has to go to the Attorney- General, and then they have to find a court case and it takes forever.
“By the time we get to that point, it has gone lame, for the lack of a better word. So, it takes too long to prosecute a defaulter. We want direct sanctioning powers so that the Commission can see a default and act on it immediately to be more effective,” Patricia Adusei Poku said.
“Another aspect is some aspects of our revenue generation that is not allowing us to work as effectively as we want to work. And we need to let the Act reflect our mandate around emerging technologies, artificial intelligence,” she added.
According to the 2024 State of Inclusive Instant Payment System in Africa, resource mechanisms to address fraud and privacy concerns remain critical gaps, particularly for vulnerable groups such as women, who continue to report feeling unsafe using digital payment platforms.
Deputy Chief Executive Officer of AfricaNenda Foundation, Akinwale Goodluck highlighted ways through which individuals inadvertently share their data and called for more vigilance.
“A lot of us are enjoying instant payment systems and other areas but we also share a lot of data inadvertently or sometimes deliberately. There are a lot of people who are happy to harvest data so when you attend a conference, at the gate you’re asked to fill in your name, phone number, email, work etc.
“Sometimes it’s not everybody that protects that data with the amount of diligence. There are people who may pick it up from the dustbin and they have a lot of data.”
Per the Data Commission Act, all companies that harvest and share information should be operating under the permission of the Data Protection Commission but as it is, there are very few methods to find that out.
“Data has so much value, it’s so marketable now, it’s so valuable that people may harvest in an unauthorized manner and may sell to unauthorized people, to malicious actors. That’s why we have so much fraud and fraudsters in the ecosystem,” Patricia Adusei Poku posited.
“We are working with our peer regulators that are aligned to address these issues, like the NCA [National Communication Authority], in terms of the telecoms, like cyber security, in terms of safeguarding the national ecosystem and critical national infrastructure, working with them and identifying ways and means that we will enhance the safeguarding of data.
“It’s a difficult fight, but we are already doing several actions and also educating individuals who have the will and the power to put their data in certain spaces where we can’t control or restrict, to ensure that people are savvy about how to deal with these issues and also to contribute to the fight against the fraud,” the Data Protection Commission CEO explained.
What are the solutions?
According to the Data Protection Commission Head, individuals must also educate themselves about cyber security and data privacy issues.
“You have to be cyber aware; you have to understand what rights you have, how you are empowered as your digital person and your physical person to share data. Physically, you can ask questions. Digitally, you have to be careful when you’re clicking links when you are downloading stuff when you’re saying okay and accepting agreements online.
“It is building your digital profile and your digital self, maybe allowing access to your data when you’re not careful with reading agreements or agreeing or clicking online. Physically, you can ask leading questions that will assure you that this is from a legit source, that the person that is speaking to you is the correct person. I think many people are waking up to that fact that once they’ve been touched, they’ve been hacked before, next time they’re more careful. But it’s good to ask questions,” she told Laud Adu-Asare.
Security Expert Adam Bonaa also highlighted the importance of training by the relevant institutions to well-equip personnel and the general public on how to protect themselves.
“Organizations should employ people who have the technical know-how, people who can train trainers and can train ordinary people to be aware of how to protect themselves and also probably go home and be able to teach their children and people around them. It’s just a way of doing it.
“The advocacy must continue. People must be engaged, professionals must be engaged and given KPIs to be able to perform.”
He added that banks must invest in expert cyber auditing to ensure their systems are protected and their client’s data as well.
“You can only protect yourself when you are ready to invest in, you know, more protection and ensure that it’s good. If audit is good, you don’t have to deploy the most sophisticated, you know, protection system. But because of your audit, you’ll be able to protect yourself 99% of the time.
Deputy Chief Executive Officer of AfricaNenda Foundation, Akinwale Goodluck reaffirmed the need for more caution.
“So, we all have to be careful. Sometimes when you’re clicking forms, you click and give permission for people to share your data.
“Given the level of sophistication on our continent, I know that’s why the consumer protection councils are spending a lot of time and resources moving the burden of sensitisation from the user to the organisations.
“A lot of the data that a lot of the open-source systems are supporting they only see by and large a lot of anonymity. The first thing starts with the consumer,” he added.
This report is produced under the DPI Africa Journalism Fellowship Programme of the Media Foundation for West Africa and Co-Develop.
The post Ghana’s Digital Public Infrastructure drive and the lackluster data privacy and security system first appeared on 3News.
Read Full Story
Facebook
Twitter
Pinterest
Instagram
Google+
YouTube
LinkedIn
RSS