Cloud Computing In Ghana: Data Privacy, Regulatory Framework and Opportunities
2015 © Copyright Goodman AMC Ltd. 2015.
P.O.Box AF 1732, Adenta-Accra, Ghana
www.goodmanamcllc.com [email protected]
Table of Contents
Contents Introduction _________________________________________________________________ 1 What is Cloud Computing? _____________________________________________________ 3 Ghana: The Case for Cloud Computing ___________________________________________ 5 Why Cloud is Gathering Momentum in Ghana and is Here to Stay ______________________ 7 Government Policies Driving Ghana’s Cloud Readiness ______________________________ 9 Data Protection and Privacy Laws in Ghana ______________________________________ 13 Functionality of Data Protection Laws in Ghana ____________________________________ 27 Bridging The Gap Between Data Protection Laws, Citizens and Businesses _____________ 28 Leveraging on OECD’s Expertise _______________________________________________ 30 Data Protection and Privacy Concerns ___________________________________________ 31 The Business Case for Cloud Computing in Ghana _________________________________ 33 Conclusion_________________________________________________________________ 36 References ________________________________________________________________ 37 Contact Information __________________________________________________________ 41
Pg. 01 Since 2000, Ghana has experienced favorable growth in the use of ICT, primarily due to mobile internet penetration. Increasing access to technology has supported innovative ways of doing business, increased competitiveness, introduced creative business models, and inadvertently widened the economy.
Introduction Cloud computing continues to offer creative avenues for businesses across Africa, and can potentially transform the way of doing business in Ghana. Goodman AMC seeks to examine the key facilitators of growth in the cloud computing space in Ghana, and explores the current legal provisions and ICT infrastructure that both support and regulate the country’s cloud computing space. Our analysis have shown that effective, yet practical, government policies and laws will open up the country further and help advance cloud computing in Ghana. The government of Ghana, through the Ministry of Communications, has enacted various laws and promoted policies that support and facilitate the establishment of different service levels for cloud data transmission and storage, based on the nature of data transmitted. These include the ICT4AD Policy; the National Telecom Policy; the Data Protection Act; the Electronic Transaction Act; the Electronic Communications Act; and to some extent, the Intellectual property laws. This paper assesses the various indicators of cloud readiness, and seeks to understand whether, in addition to mobile, internet and broadband penetration, Ghana has the prerequisite policies and laws that translate into cloud readiness. We believe that these provisions are essential in the deployment of cloud computing and the growth opportunities it presents to the economy. We present an overview of the risks, limitations and opportunities for growth in cloud computing, in relation to the regulatory provisions surrounding data privacy, security, and ensuring the free flow of information. Since 2000, Ghana has experienced favorable growth in the use of ICT, primarily due to mobile internet penetration. Increasing access to technology has supported innovative ways of doing business, increased competitiveness, introduced creative business models, and inadvertently widened the economy. As a result, we have seen supporting progress in all aspects of the country’s socio -economic development. According to Ookla’s NetIndex, Ghana ranked number one as the country with the fastest internet speed in Africa in 2012, with an average download speed of 4.78 Mbps. Martin Greenberg, co-founder of Upload App, also noted in The Ghanaian Startup Ecosystem, 2014, that in 2013, Ghana increased cable capacity by an additional 12.36 Tbps, when the undersea cable system, Africa Coast to Europe (“ACE”), was linked to Accra in 2013. The World Economic Forum’s Global Information Technology Report 2015 ranked Ghana as the 101st country (out of 143 countries across different continents in the
Introduction world), and only behind five countries in sub-Saharan Africa (Seychelles, South Africa, Rwanda, Kenya, Cape Verde) in terms of leveraging for social and economic impact. Ghana is gradually improving its competitiveness and allowing its citizens, businesses, economy and communities to take advantage of cloud computing innovations and applications through measured progressions in its ICT sector. Cloud computing represents the epitome of evolving ICT trends and has a strong potential to help government and businesses in Ghana. Cloud computing refers to the access of computing resources across a network. These resources include, but are not limited to, networks, storage, servers and services. This model can provide a number of advantages. Chief among them is the reduction in costs. An organization can utilize cloud computing services from a third party when such resources are required, and scale up and down as required, without the need to invest in costly infrastructure. Another major benefit is that applications and data can be accessible at any time through the internet.
What is Cloud Computing? What is Cloud Computing? The current cloud computing revolution is a step in the right direction to change how businesses, telecommunications and the society coexist. Definitions proposed in April 2013 by the International Telecommunication Union (“ITU”) and the International Organization for Standardization (“ISO”) describe cloud computing as “a paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources, with on-demand self-service provisioning and administration”. Cloud services are defined as services that are provided and used by clients on demand at any time, through any access network, using any connected devices that use cloud computing technologies. Armbrust et al. also define cloud computing simply as both the applications delivered as services over the internet and the hardware and systems software in the datacenters that provide those services. Clouds generally have a number of similar characteristics such as being allocated as needed, accessible across different internet-capable devices, and metered and billed based upon resource usage. These services have a number of different labels, but ideally, they can be divided into three categories – Software as a Service, Platform as a Service and Infrastructure as a Service. Software as a Service (“SaaS”) describes a cloud application that is hosted in the cloud and can be used for a wide range of tasks for both individuals and organizations. This is provided to its users through the internet. This model removes the need to install an application on the end user’s system and lowers the software cost through usage pricing. Dropbox, Salesforce, Office 365, Linkedin, Google docs, NetSuite, and Google’s Gmail, are all examples of SaaS, and users are able to access these services via any internet-enabled device. Platform as a Service (“PaaS”) encompasses the entire software development lifecycle. PaaS is a cloud computing model that delivers applications over the internet. This includes the development environment, and the production environment to deploy the application. Common PaaS vendors include Salesforce.com's Force.com, which provides an enterprise customer relationship management (“CRM”) platform. PaaS platforms for software development and management include Microsoft’s Azure, Appear IQ, Mendix, Amazon Web Services (AWS,) Elastic Beanstalk, Google App Engine and Heroku. Infrastructure as a Service (“IaaS”) - This is the foundation or “base layer” of cloud computing, and includes physical infrastructure such as servers, storage disks, and facilities. Businesses benefit from pay-as-you-go on-demand storage and web hosting, which can be easily scaled up or down as the need fluctuates. Costs are again reduced by
What is Cloud Computing? eliminating the need to procure, install and configure infrastructure. Examples of IaaS include Rackspace, GoGrid’s ServePath, and Amazon’s Elastic Compute Cloud (EC2). IaaS is generally used by organizations that have the in-house expertise to manage their IT requirements but don’t have the infrastructure. They then hire the required infrastructure from IaaS providers and load up their libraries, applications, and data, after which they configure it themselves. Cloud services generally follow four types of deployment models: Private Cloud, Public Cloud, Community Cloud and Hybrid Cloud. Private clouds are used by a single organization. Public clouds are services provided to the public by a cloud service provider (“CSP”). Infrastructure costs rest on the CSP. Community clouds are where services are shared amongst multiple organizations, and Hybrid Clouds mix the previous three models. One example of a hybrid cloud would be an organization that relies on both private and public clouds.
Ghana: The Case for Cloud Computing Ghana: The Case for Cloud Computing “People should learn to trust cloud computing and services as it is the now and the future.” Ato Ulzen-Appiah, (renowned Ghanaian IT expert). Cloud computing has the tendency to spur economic growth by helping reduce software and hardware costs. Businesses in Ghana currently spend huge sums of money on information systems technology and operations. According to Ried and Kisker (2011), the global cloud computing market will grow to more than USD 241 billion in 2020.Spending on public and private cloud will create nearly 14 million jobs worldwide between 2011 and 2015, according to a new study by the International Data Corporation. The 2012 report found that IT innovation created by cloud computing could produce $1.1 trillion a year in new business revenues. In addition, the IDC observes that the fastest growth for public cloud services will be in emerging markets, growing collectively at 44% from 2011 through to 2016, and account for almost 30% of net-new public IT cloud services spending growth in 2016. According to a recent survey by Goodman AMC entitled The Ghana Cloud Readiness Survey: Assessing Data Protection and Privacy Laws in Ghana, 105 out of 115 IT experts sampled (representing 95.45% of respondents) believed that cloud computing was the future model for data storage in Ghana. Gartner, 2011 estimated worldwide revenues from PaaS and IaaS at USD 4.1 billion in 2010 and USD 793.0 billion for total IT service revenues. Gartner also estimated worldwide sales of SaaS at USD 4.1 billion in 2010, and total enterprise software revenues of USD 244.0 billion. Gartner forecasts that SaaS will account for 6.1% of global software sales while IaaS and PaaS will account for 2.2% of global IT services sales in 2015. With cloud, leading companies in Ghana can gain a competitive advantage from big data and generate actionable insight to strengthen customer relationships and pursue new markets. A cloud-based model can help Ghanaian businesses capitalize on the power of big data, putting it within easy reach for all decision makers. Large companies, as well as small and medium enterprises in Ghana stand to increase their profits by migrating to cloud services. Multinational firms in Ghana can save the costs involved in housing and maintaining their entire IT systems by moving it offsite to the remote servers that power the cloud.
Ghana: The Case for Cloud Computing Financial institutions and the telecom industries are the two major industries in Ghana that are benefiting from cloud computing. The demand for cloud computing services in Ghana has therefore gradually increased along with service supply. Airtel, MTN and Tigo, make use of a cloud-based mobile content publishing platform called RMCS (Rancard Mobility Content Server), which helps mobile users on these networks to subscribe to SMS services and receive daily updates on specific news items, ranging from entertainment to health issues. In 2013, Ghana’s leading 4G LTE internet service provider, Surfline Communications, selected an IBM cloud solution, consisting of IBM servers, storage and software to help expand its mobile data services in Ghana and across Africa. Several ICT firms in Ghana are moving enterprisingly into cloud services across all three service models (SaaS, PaaS, and IaaS). Rancard Solutions, for instance, is a SaaS provider notable for its early entry into the Ghanaian market. Rancard offers cloudbased mobile software and services to mobile operators in Ghana. Its service, Rendezvous, is a social recommendations engine which helps create an experience for users by generating recommendations from their friends in the social graph. Rendezvous utilizes a cloud-based social graph composed of connected mobile users and their shared interests. It therefore enables advertisers, online merchants, telecom operators and other enterprises to engage more effectively with mobile audiences by serving them relevant recommendations. Organizations in Ghana are also burdened with acquiring expensive infrastructure such as servers, for which their required storage space may be too small, leaving other spaces unused but paid for. Startups in Ghana are also economizing on start-up costs by accessing tailor-made applications provided by service providers. Also, the synergy and communication which can be obtained through cloud has given Ghanaian developers and tech startups an opportunity to be part of the worldwide development and innovations where traditional communication systems have previously limited their participation. For instance, PaySail is a cloud-based payroll processing platform startup which allows Ghanaian and African businesses to run payroll, generate the appropriate tax and social security filings and reports, and pay their employees through their bank accounts or mobile wallet each month by providing an easy method for accounting departments and businesses.
Why Cloud is Gathering Momentum in Ghana and is Here to Stay Why Cloud is Gathering Momentum in Ghana and is Here to Stay Goodman AMC’s research found that 80.91% of respondents surveyed trusted their cloud service providers with the security of their data, even though data privacy issues still remain a substantial concern to most cloud users globally. Cloud computing is currently the smart way to go in Ghana, and is positioning businesses in Ghana to be able to compete globally, mainly due to the fact that one can delve into cloud and big-data and not be bothered by power cuts. Growth challenges such as the intermittent power supply situation in Ghana provides evidence as to why businesses need to shift from the more traditional IT models. According to a report by ISSER, 2014, on average, Ghana is losing about USD 2.2 million per day, the equivalent of USD 686.4 million annually (translates into 2% of annual GDP) on account of its lingering energy crisis alone. In spite of the sporadic electricity power supply, organizations on cloud services need not worry about data loss. The need to get a high-powered plant to keep servers running, as well as other ancillary needs are handled by the cloud. Since all your information is stored and all transactions are done in cloud, and in real-time, all one requires is a laptop with a modem or a smartphone to keep the business going. Cloud providers have high-powered servers and high internet connectivity which is provided as a service, and there is always approximately 99.9% assurance of service availability. Ghanaian firms and organizations can therefore access the cloud outside the inconvenience of power cuts, which are quite pervasive in Ghana, currently. Smaller businesses in developing countries often find it difficult to hire competent personnel in IT and other professional disciplines. The cloud provisioning enables these businesses to outsource some of their IT resource requirements, benefiting from the expertise that cloud service providers can offer in areas such as IT management and security UNCTAD, 2013. This means that, with cloud computing, Ghanaian businesses can make decisions faster; communicate and collaborate better through sharing and receiving information on the cloud; win trust as confidence is built; and increase their chances of competition on the global market. Cloud also eliminates a lot of human inefficiencies, considering the fact that some IT services in Ghana can prove to be unreliable, even untrustworthy at times. The automation of cloud services implies that its users can access the services without having to go through unnecessarily drawn out registration and allocation processes. Ghanaian businesses often have to deal with a lot of bureaucratic red tape when seeking data storage services. Most often, they have to deal with unprofessional, unethical and corrupt IT professionals. According to Transparency International, 2014, Ghana ranks
Why Cloud is Gathering Momentum in Ghana and is Here to Stay at 61 out of 175 countries in the 2014 Corruption Perceptions Index (“CPI”). Hence, cloud computing allows businesses in Ghana to bypass bureaucratic red tape, while circumventing corruption and economic inefficiencies concurrently.
Government Policies Driving Ghana’s Cloud Readiness Government Policies Driving Ghana’s Cloud Readiness Governments are important actors in the cloud economy in several ways (UNCTAD, 2013). The Government of Ghana, through the Ministry of Communications, is currently building a data center, and is planning to act as a cloud service provider to provide private cloud services and third parties as well. In addition to the ICT for Accelerated Development (“ICT4AD”) policy, the Government of Ghana, through its policies and actions, has put in place the legal and regulatory infrastructure that is presently influencing and progressively eliminating all the barriers to successful migration of organizations onto cloud within the Ghanaian jurisdiction. Pillar 14 of Ghana’s ICT4AD policy relates to security agencies using ICT to combat cyber-crime. The pillar, among other things, prioritizes capacity building, international cooperation, and lays the architecture for security agencies, to enable them use ICT to combat crime, and also to ensure that the legal text of the policy is up to date to help security agencies prosecute any cyber-crime offenders. The Electronic Transaction Act (2008) articulates legislation on cloud data transmission and storage, and prescribes punishment for offenders. The Act also addresses issues on the fight against cyber-crime. The Data Protection Act, passed by the Parliament of Ghana, supports the protection of private data of government, citizens and businesses in Ghana. Collectively, these laws and policies, to some extent, show Ghana’s readiness for the advancement of cloud computing. They have been put in place to make cloud computing more accessible and regulated in Ghana. They also create an environment which increases the availability of cloud computing tools. Interestingly, there are less governmental policies which create obstacles for ICT development in Ghana as compared to other countries in sub-Saharan Africa.
ICT for Accelerated Development Prompting Ghana’s Cloud Readiness Ghana’s cloud readiness was examined by comparing the favorable policies that have allowed cloud computing to thrive in Ghana, as well as ICT infrastructure targeted at driving socio-economic development.
Government Policies Driving Ghana’s Cloud Readiness The Government of Ghana, through the Ministry of Communications, has pursued policies that are currently helping to increase ICT infrastructure. This, in turn, increases the availability of cloud computing tools to the vast majority of Ghanaians. The National Telecommunications Policy for instance aims that every citizen and resident of the Republic of Ghana shall have available, high quality and affordable access to information and communications services to help transform Ghana into a knowledge-based society and technology-driven economy. This policy recognizes the primacy of integrating and growing the wealth of indigenous social and technical knowledge to inform, enhance and sustain the development of Ghana as a distinct and productive player in the global information technology society. The Ghana ICT for Accelerated development policy, which was also created by the Ministry of Communications of the Republic of Ghana, and modeled after the Obama Administration’s National Broadband Plan, has as its primary objective to engineer an ICT-led socio-economic development process with the potential to transform Ghana into a middle-income, information-rich, knowledge-based and technology-driven economy and society. The National Information Technology Agency (“NITA”, the “Policy”), established in 2008, is the Ministry of Communication’s ICT development and implementation arm. As at early 2011, NITA was working to revitalize the ICT4AD policy to better accommodate the country’s current needs. In May 2011, the Policy was reviewed to include four new thematic areas, namely, Broadband Policy, Cyber Security Policy, GeoInformation Policy, as well as the Environment and Climate Change Policy. According to Yeboah-Boateng and Seshie, 2013, ICT development in Ghana is driven by the ICT for Accelerated Development Policy and the National Telecom Policy (“NTP”). The goals of the NTP, aside supporting the realization of the vision of the national ICT4AD policy, are to establish market structures that will be most beneficial to Ghana’s citizens and businesses, and to set in motion, the procedures and incentives that will boost the market’s development. Since the first internet connection was set up in 1989, Ghana has been a regional leader in ICT. Over the past two decades, the government and the private sector have worked together to maintain this lead. The ITU’s “Measuring the Information Society” report for 2012 identified Ghana as one of the most dynamic countries, registering a 23% increase in its ICT Development Index (“IDI”), between 2010 and 2011. Ghana’s 2012 IDI is 2.60, from 1.61 in 2007. This makes Ghana the most dynamic country in terms of rank change in both use and access to ICT. Achampong, 2012 also discussed the government’s on-going ICT4AD program, and how it has resulted in numerous improvements in various sectors and the economy as a whole. Achampong, 2012 further noted that the plan, which was being reevaluated to
Government Policies Driving Ghana’s Cloud Readiness meet the needs of the rapidly changing ICT sector, is expected to play a major role in coming years. The spurt in cloud computing, as a main tool in economic advancement, will eventually go on to create vast opportunities for Ghanaian firms in their attempt to build worldclass yet local operations, as well as induce innovation among Ghana’s newly entrepreneurial youth.
The National Telecommunications Policy Liberalizing ICT Sector in Ghana Ghana has had a strategic approach to promoting and regulating ICT. The Government of Ghana, with the intention of building a strong ICT foundation that will further move Ghana towards the realization of a true and inclusive information society that would enhance economic growth, developed the National Telecoms Policy in 2005. This policy discusses the fair allocation of network development costs and fair access to the network by telecommunications operators, as well as content providers. For instance, the policy mandates that there shall be no limitations on entry and operation in the market to provide internet services; hence liberalizing the market, and facilitating widespread entry into the marketplace. The policy is an archetype of the Government’s vision that every citizen and resident of the Republic of Ghana should have available, high quality, and affordable access to information and communication services that would help transform Ghana into a knowledge-based society and technology-driven economy. The National Telecom Policy defines universal access to telecommunications as the availability, through broad geographic coverage, of community-based broadband information and communication services that include voice, data services, access to the internet, local relevant content, community radio and Government services that are available, affordable, and of high quality for all citizens of Ghana. The policy contained a number of targets and specific goals, including: • Universal access for all communities and population groups in Ghana to telephone, internet, and multimedia services by the year 2010; • National penetration of universal telecommunications service to reach 25% of the population, including at least 10% in rural areas by the year 2010;
Government Policies Driving Ghana’s Cloud Readiness
• Connection of all schools, medical clinics, and government offices and public and community broadcasting stations to advanced telecommunications services; • Fully open, private, and competitive markets for all telecommunications services; • Streamlined, efficient, and effective regulation of the telecommunications industry on a fully transparent, technologically neutral, and competitively balanced basis; • Affordable prices for telecommunications services, particularly for low income citizens; • Profitable investment opportunities for businesses in all segments of the market; • Ghana shall be seen as a first-class hub for international telecommunications and information industry investment, jobs and development, and a leader in the transformation of Africa toward full participation in the Information Society. Alliance for Affordable Internet, 2013, identifies the following as specific policy goals of NTP 2005:
achieving universal access to telephone, internet and multimedia services by 2010; and
national penetration of universal telecommunications services to reach 25% of the population, including at least 10% in rural areas by the year 2010.
In many respects, the growth of Ghana’s ICT sector over the immediate decade has exceeded all expectations, showing that the implementation of NTP 2005 has been a success. For instance, between 2005 and the end of 2012, mobile penetration grew from 13.28% to 100.28%. Mobile telephone and payphone subscription increased by 200% over a decade, while internet usage is growing steadily with increased capacity for the deployment of 4th Generation Applications. Frempong, 2012 noted that significant improvements have been seen in the Ghanaian ICT industry as a result of the implementation of the strategies coming out of the ICT4AD and National Telecom Policy, but notes that there is still a lot to do.
Data Protection and Privacy Laws in Ghana Data Protection and Privacy Laws in Ghana A major area of policy that immensely impacts the provision of cloud services is data privacy. Although cloud computing is still in its infancy stages in Ghana, modern laws for people who are currently using facilities offered by cloud service providers are moderately adequate. Cloud computing has legal protection in Ghana under the country’s Data Protection Act, Electronic Communications Act, Electronic Transaction Act and Copyright Law, which meet “international standards”. Also, a draft cyber-crime policy exists, which would require significant expansion to align Ghana with international models. Cloud service is primarily seen as a data-processing service in Ghana, and with the passing of Ghana’s Data Protection Laws, the privacy of data subjects are strongly protected under Ghana law. One of the main factors enhancing the development and deployment of cloud computing in Ghana is the presence of a dedicated data protection act. Additionally, under the constitution of Ghana, an individual’s right to ownership of information and privacy was set out by parts of the Intellectual Property Law of the country. No clear rights on data protection existed until the Electronic Transaction Act and the Electronic Communications Act were enacted in 2008 by the legislative instrument of Ghana. Ghana’s Data Protection Act was eventually passed by an Act of Parliament in 2012 to protect the privacy of the individual and personal data.
The Data Protection Act, 2012 As stated earlier, Ghana’s Data Protection Act necessitated the establishment of a Data Protection Commission (“Regulator”) whose main objective is to see to the protection of the privacy of individuals and their personal data, by regulating the processing of personal information, and to provide the process to obtain, hold, use or disclose personal information and for related matters. The Data Protection Act is centered on the principles of information handling which enable individuals to have specific rights in connection to their personal information, and place certain obligations on businesses and organizations that are in charge of processing it. The Act covers a wide scope of both the public and private sector and offers a general level of privacy to uphold the data privacy rights of Ghanaians irrespective of where data is transferred and processed. Although the Act has some special provisions, the main principles are in agreement with the Organization for Economic Co-operation and
Data Protection and Privacy Laws in Ghana Development (“OECD”) guidelines on data privacy, and might also be as wide-ranging as the European Union’s Data Protection Directive.
Data Processing and Storage in Ghana The Data Protection Act, 2012 prohibits export of personal data unless the data controller “ensures an adequate level of protection”, as certified by the Act. In terms of an individual’s data privacy, Section 17 of the Data Protection Act, 2012 states emphatically that any person who processes data shall take into account the privacy of the individual by applying the following principles: (a) accountability; (b) lawfulness of processing; (c) specification of purpose; (d) compatibility of further processing with purpose of collection; (e) quality of information; (f) openness; (g) data security safeguards; and (h) data subject participation. This is in line with the eight principles of the OECD’s guidelines governing the protection of privacy and trans-border flow of personal data. The OECD’s guiding principles include collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability. All Ghanaian citizens therefore have the right to personal data privacy, and therefore, based on this provision, an individual can initiate an action against a breach of data privacy by any cloud service provider (“data processor”).
Data Protection and Privacy Laws in Ghana The Data Controller and Processor in the Cloud According to Section 96 of Ghana’s Data Protection Act, a “data controller” means a person who either alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed. In cloud computing, it is mostly the cloud customer who determines the purposes for which and the manner in which any personal data is processed. This further implies that the cloud customer, under Ghana’s Data Protection Act, is most likely to be the data controller and therefore will have overall responsibility for complying with the Data Protection Act. A “data processor”, in relation to personal data, also means any person other than an employee of the data controller who processes the data on behalf of the data controller. The precise role of a cloud service provider needs to be reexamined with respect to whether or not it is processing personal data, since a cloud service provider can sometimes act as a “data processor” on behalf of the data controller, or at times operate as a data controller in its own capacity. Section 96 of the Data Protection Act also defines “processing” as an operation or activity or set of operations by automatic or other means that concerns data or personal data and the (a) collection, organization, adaptation or alteration of the information or data; (b) retrieval, consultation or use of the information or data; (c) disclosure of the information or data by transmission, dissemination or other means available; or the (d) alignment, combination, blocking, erasure or destruction of the information or data Based on this definition, the actions of a cloud service provider, in relation to storing data, can be termed as data processing. Section 18 (1) of the Data Protection Act, therefore further sets out clear guidelines for processing of personal data by highlighting that any person who processes personal data shall ensure that the personal data is processed: (a) without infringing on the privacy rights of the data subject; (b) in a lawful manner; and (c) in a reasonable manner.
Data Protection and Privacy Laws in Ghana
Standards for the Collection of Personal Data in Ghana Ghana’s Data Protection Act establishes benchmarks by which every data controller in Ghana must operate. These benchmarks are applicable anytime someone (either a company or an individual) collects personal data that can be linked to a specific individual in Ghana. Data collection or processing that does not meet the standards is prohibited. The required standard for the collection of personal data, articulated in Section 21 to 23 of the Data Protection Act states that personal data must be collected directly from a data subject and could be collected indirectly only if the data is contained in a public record; subject has deliberately made the data public; subject has consented to the collection of the information from another source; is not likely to prejudice a legitimate interest of the data subject; or is for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law. Other standards for data collection are mentioned in Section 22, which stipulate that a data controller who collects personal data shall collect the data for a purpose which is specific, explicitly defined and lawful and is related to the functions or activity of the person. Finally, section 23 emphasizes that before any data collection is embarked on, the Data subject needs to be made aware of the purpose of collection of the data. Per the provisions and standards for collecting personal data, all foreign firms must comply with this Act whenever they process personal data involving Ghanaian citizens.
Registration of Data Controllers under Law Section 46 of the Data Protection Law provides a directive for the setting up of a Data Protection Register (“the Register”).The Data Protection Commission’s main objective is to keep and maintain the Register as well as register all data controllers who process data with the Commission. Data controllers are expected to renew every 2 years under this Act. The Act also states unequivocally under Section 53 that a data controller who has not been registered under the Act shall not process personal data, therefore rendering their services illegal until the right registration procedures have been followed. Companies in Ghana that store sensitive information with cloud service providers are, as a result, obligated to register with the Data Protection Commission in order to render their actions legal.
Data Protection and Privacy Laws in Ghana
Demand for Written Contracts The Data Protection Act, 2012 stipulates that whenever a data controller discloses personal data to a data processor, there should be a written contract in place rather than a mere data sharing agreement. The data controller is also required to ensure that the data processor abides by the relevant security laws that are in place. Cloud customers in Ghana are required by law to ensure that they enter into a written agreement with cloud providers and it is important for the contract to include service level agreements (“SLA”s) stating specific parameters and minimum levels for each element of the service provided. This written contract needs to outline the obligations and responsibilities of the parties and must conform to Ghana’s data privacy laws.
Cross-Border Transfer of Data in Ghana Section 45(1) of Ghana’s Data Protection Act focuses on explaining who this law applies to in terms of where data originates from and is stored. It states that except as otherwise provided, the Act should be applied to a data controller in respect of data where: (a) the data controller is established in this country and the data is processed in this country; (b) the data controller is not established in this country but uses equipment or a data processor carrying on business in this country to process the data; or (c) processing is in respect of information which originates partly or wholly from this country; Section (4) also goes on to explain that this Act does not apply to data which originates externally and merely transits through this country. Section 30 (4) stipulates that where a data processor is not domiciled in this country, the data controller shall ensure that the data processor complies with the relevant privacy laws of this country. If a data processor is domiciled in Europe or the USA, the data controller needs to make sure that the data processor doesn’t breach any laws, and complies with all security measures of the country by ensuring that the data processor establishes and maintains the confidentiality and security measures necessary to ensure the integrity of the personal data as outlined in Section 30 (3). Any individual who is not in Ghana and finds their data being processed in the country would still have to comply with the data laws of their originating country. That is
Data Protection and Privacy Laws in Ghana according to Section 18 (2), which suggests that a data controller or processor shall, in respect of foreign data subjects, ensure that personal data is processed in compliance with the data protection legislation of the foreign jurisdiction of that subject where personal data originating from that jurisdiction is sent to this country for processing.
Government Threat to Data Security The government of Ghana has the authority to access personal data stored in the cloud even without a warrant or judicial approval. That is, if an individual holds stored data which is deemed to be a threat to national security. Under a more secure and trusted data privacy practice, it would be mandatory for the government to have a warrant before issuing an order to be able to access the processed data of an individual, which is not readily accessible to the public. Section 60 (2) further gives the Minister of Communications the power to order for any processed data to be accessed, even if there has not been any judicial review or court findings that are reasonable grounds to necessitate that action. Notwithstanding this fact, Section 60 (4) allows anybody who is directly affected by the actions of the Minister to order the access of an individual’s personal data to seek redress in court, so as to determine whether the actions of the Minister are lawful or not. In this respect, the Government of Ghana presents a threat to data security. In some countries, the instances in which government bodies such as the police or intelligence agencies may access personal data are not clear to cloud providers or their customers. This remains a challenge for Ghanaian cloud providers who might find it difficult to convince customers in other countries that Section 60, which grants the Ghanaian Government the authority to access data in support of national security or intelligence gathering activities does not mean there is a risk that their right to data privacy would be infringed upon.
Data Privacy Enforcers: Mandates of the Data Protection Commission in Ghana As required by the revised OECD guidelines, there is the need to establish and maintain “privacy enforcement authorities”. The Data Protection Act establishes The Data Protection Commission as the central privacy regulator in Ghana, and is tasked under Section 75 with the enforcement of the privacy Act with the power to conduct investigations or bring proceedings in the context of enforcing. As recommended by the OECD of all privacy enforcement authorities, the Data Protection Commission is endowed with the resources and authority to:
Data Protection and Privacy Laws in Ghana
(a) deter and sanction violations of laws protecting privacy; (b) permit effective investigations, including the ability to obtain access to relevant information, relating to possible violations of laws protecting privacy; and (c) permit corrective action to be taken against data controllers engaged in violations of laws protecting privacy.
The Electronic Communications Act, 2008 The Electronic Communications Act by the parliament of Ghana was passed in 2008. The Act was set up to provide for the regulation of electronic communications, the regulation of broadcasting, the use of the electro-magnetic spectrum and for related matters. Some sections of the electronic communications act also provide some limitations of how personal data should be accessed lawfully. Under confidentiality and disclosure of personal information, Section 79, the Act explicitly states that a person who intentionally (a) discloses communication which that person knows was obtained in contravention of this Act, or (b) uses or discloses personal information in contravention of this Act, commits an offence and is liable on summary conviction to a fine of not more than one thousand five hundred penalty units or to a term of imprisonment of not more than four years or both.
Electronic Transaction Act, 2008 The Electronic Transactions Act, 2008 was set up by the legislative instrument of Ghana to provide for the regulation of electronic communications and related transactions, and to provide for connected purposes. As noted by OECD, 2000, an electronic transaction is the sale or purchase of goods or services, whether between businesses, households, individuals, governments, and other public or private organizations, conducted over computer-mediated networks. The goods and services are ordered over those networks, but the payment and the ultimate delivery of the good or service may be conducted on or off-line.
Data Protection and Privacy Laws in Ghana Definition of “Electronic Record” Electronic Transaction Act, 2008
The Electronic Transaction Act defines “electronic record” as data generated, sent, received or stored by electronic means (a) voice, where voice is used in an automated transaction; and (b) a stored record. As cloud computing also involves the storage of data, any aspects of the Electronic Transaction Act in respect to electronic record legally applies to the transmission and storage of data in the cloud.
Law Governing Digital Signatures in Ghana “Digital signature”, under Section 144, is interpreted as data attached to, incorporated in, or logically associated with other data, and which is intended by the user to serve as a signature. Digital signatures are often offered as part of cloud services and enables customers and partners to sign their documents online quickly and securely, improving performance while significantly expediting process times. Digital signatures are ideal for cloud applications since they can be easily integrated into existing business processes, whether installed alongside the cloud offering or hosted online. A digital signature engine is usually hosted in a location which could be outside so that users can sign through a web interface without having to install software. Digital Signatures have been given a clear legal weight under Section 10 of the Electronic Transaction Act Section 10 of the Act surmises that: (1) Where a law requires the signature of a person, that requirement is deemed to be satisfied in relation to an electronic record if a digital signature is used (2) A digital signature is deemed to be authentic if: (a) the means of creating the digital signature is, within the context in which it is used, linked to the signatory and not to another person; (b) the means of creating the digital signature was, at the time of signing, under the control of the signatory and not another person without duress or undue influence; and
Data Protection and Privacy Laws in Ghana
(c) an alteration to the digital signature, made after the time of signing, is detectable (3) Subsection (2) does not limit the right of a person: (a) to prove the authenticity of a digital signature in any other way; or (b) to adduce evidence in respect of the non-authenticity of a digital signature. The Act also defines the conduct of any person relying on a digital signature under Section 13 as follows: A person who relies on a digital signature shall bear the legal consequences of failure to: (a) take reasonable steps to verify the authenticity of a digital signature; or (b) take reasonable steps where a digital signature is supported by a certificate, to: (i) verify the validity of the certificate; or (ii) observe any limitation with respect to the certificate.
Law Governing Data Encryption in Ghana Encryption is a critical requirement for securing data files, and helps to protect data breach incidents and threats. Cloud encryption services are currently being offered by cloud storage providers where data or text is transformed using encryption algorithms for storage in the cloud. The Electronic Transaction Act provides laws that guide data encryption. Section 28 prohibits any person from selling or providing encryption or authentication services contrary to the provisions of this Act. According to Section 29, an encryption or authentication service or product is deemed to have been provided in the country if it is made available: (a) from a premises within the country; (b) from a body incorporated in the country; (c) to a person who is present or operating from any system in the country, when that person makes use of the service or product; or
Data Protection and Privacy Laws in Ghana (d) from a Ghanaian-associated or -related domain name or website
Certifying Agency: Data Encryption Regulating The Certifying Agency was established by National Information Technology Agency. Established under the National Information Technology Agency Act 2008 (Ac 771), the body has been tasked under Section 31 of the Electronic Transaction Act to: (a) issue licenses for encryption and authentication service; (b) monitor the conduct, system and operation of encryption and authentication service providers to ensure compliance with conditions of the license, and the provisions of this Act; (c) suspend the license of a license holder; (d) revoke the license of a license holder; and (e) appoint an independent auditing firm to conduct periodic audits of a license holder to ensure compliance with conditions of the license and this Act. This therefore implies that all cloud service providers offering cloud encryption services are mandated to acquire a license from the Certifying Agency in order for their operations to be termed legal.
Law Governing Data Hosting in Ghana The Electronic Transaction Act also provides enforceable laws which contain general security requirements for digital data hosting and cloud service providers. Section 92 (1) explains that an intermediary or service provider who provides a service that consists of the storage of electronic records provided to a user of the service, is not liable for damages arising from information stored at the request of the recipient of the service, as long as the service provider; (a) does not have actual knowledge that the information or an activity relating to the information is infringing on the rights of a third party; (b) is not aware of facts or circumstances from which the infringing activity or the infringing nature of the information is apparent or can be reasonably inferred; and
Data Protection and Privacy Laws in Ghana (c) upon receipt of a take-down notification under this Act, takes action expeditiously to remove or to disable access to the information. (2) The limitations on liability established by this section do not apply to a service provider, unless; (a) it has provided an address to receive notifications of infringement; or (b) it has an agent for receipt of notification of infringement;
The Issue with Critical Database A critical database, under the Electronic Transaction Act, means a crucial set of data in an electronic record related to national security or the economic well-being of the public, as determined by the Minister. Under this Act (Section 56 a), the Minister has the right to declare certain classes of information which are of importance to the protection of the national security of the Republic or the economic and social well-being of its citizens to be critical electronic records for the purpose of this Act. This means that any cloud service provider or individual, who holds information in the cloud pertaining to the national security or the economic well-being of Ghanaians, as determined by the Minister, needs to be registered as sensitive or classified data. The Minister of Communications therefore has the power to declare any stored data in the cloud as sensitive information and to require any such data to be registered with the NITA using laid down requirements determined by the Minister under Section 58 of the Act Under Section 59, the Minister of Communications shall prescribe minimum standards for prohibitions in respect of: (a) the general management of a critical database; (b) access to, transfer and control of a critical database; (c) infrastructural or procedural rules and requirements to secure the integrity and authenticity of a critical electronic record; (d) procedures and technological methods to be used in the storage or archiving of a critical database; (e) accident recovery plans in the event of loss of critical data bases or parts of the database; (f) the security of the databases;
Data Protection and Privacy Laws in Ghana
(g) the physical safety of a person in control of the critical database; and (h) any other matter required for the adequate protection, management and control of a critical database
Data Security Breach in Ghana With regard to unauthorized access or interception of data, Section 124 states that a person who intentionally accesses or intercepts an electronic record without authority or permission commits an offence, and is liable on summary conviction to a fine of not more than two thousand five hundred penalty units or to a term of imprisonment of not more than five years or to both. In the case of unauthorized interference with data, Section 125 prescribes that a person who intentionally and without authority interferes with an electronic record in a way which causes the electronic record to be modified, destroyed or otherwise rendered ineffective, commits an offence, and is liable on summary conviction to a fine of not more than two thousand five hundred penalty units or to a term of imprisonment of not more than five years or to both. Section 129 further goes on to give more illegality to the access of stored data unlawfully; it states that whoever, without lawful authority, intentionally accesses a facility through which an electronic communication service is provided, commits an offence and is liable on summary conviction to a fine of not more than five thousand penalty units or to a term of imprisonment of not more than ten years or to both. Subsection (2) takes it further by making it illegal for anybody to exceed an authorization to access a facility or to obtain, alter, or prevent authorized access to a wire or electronic communication while it is in electronic storage in a system. According to Section 132, a person who knowingly and without authority discloses a password, access code or any other means of gaining access to a program or electronic record held in a computer commits an offence, and is liable, on summary conviction, to a fine of not more than ten thousand penalty units or a term of imprisonment of not more than twenty years or to both.
Combination of the Criminal Offence Act and the Electronic Transactions Act to fight cyber-crimes With regards to theft, Section 124 of the Criminal Offences Act 1960 (Act 29) on stealing has been modified under the Electronic Transaction Act to include anything done using an electronic processing or procuring procedure system, whether or not the appropriation was by use of an electronic processing procedure, and also to anything ,
Data Protection and Privacy Laws in Ghana whether or not the medium used in the receiving in whole or in part was an electronic record. Section 122(2) of the Criminal Offences Act, 1960 (Act 29) on acts which amount to appropriation applies to the necessary modification to anything whether or not the moving, taking, obtaining, carrying away or dealing is by means of electronic processing or procuring procedure in part or in whole. Section 108 subsection (2) of the Electronic Transaction Act interprets “thing” to include any cyber offence which is electronic-related and results in the loss of property, identity, electronic payment medium, information, electronic record and any related matter whether tangible or intangible wherever located on any network if the accused is subject to prosecution under this Act.
Cyber-crime Laws Cyber-crime is covered by some aspects of the Electronic Transaction Act, 2008. The Act gives powers to law enforcement officers in Section 98. The right gives the police powers to also act as cyber inspectors and to arrest and prosecute anybody who is believed to have committed an offence in relation to cyber-crimes. Section 98 (1) clearly outlines the additional powers of arrest, search and seizure of law enforcement agencies. Section 98 (2) further goes on to say that a law enforcement agent may seize any computer, electronic record, program, information, document, or thing in executing a warrant under this Act if the law enforcement officer has reasonable grounds to believe that an offence under this Act has been or is about to be committed. Law enforcers, after the issuing of a search warrant, are mandated to have access to stored data for investigation.
Copyright Act, 2005 Protecting Cloud Consumers in Ghana Aside the acts discussed above, Ghana offers protection for data in storage through a combination of comprehensive IP laws. Civil sanctions, criminal sanctions, and the necessary courses of action are available for the unauthorized access of copyright holders’ works on the Internet. A copyright holder in this case can be any person who has data stored in the cloud. Section 42 (1) under the Copyright Act and related rights offences states that: A person who manufactures, imports, distributes, exports, sells, rents, possesses for commercial purposes, offers to the public, advertises, communicates or otherwise provides any device, product or component that is designed or adapted to remove, alter or add
Data Protection and Privacy Laws in Ghana electronic rights management information, or circumvents any technological protection measure applied by the right holder to the protected work; where the person performing the act knew or had reasonable grounds to know that the action induces, enables, facilitates or conceals an infringement of any copyright or related right protected under this Act without the license or authorization of the person whose rights are protected under this Act or the agent of that person whose rights are protected, infringes the protected rights and commits an offence punishable under section 43 of this Act. Internet service providers (“ISPs”) may be held liable if they were either aware of the infringement or were aware of the information and should have known of the infringement and could technically prevent the transmission of the information. Based on Section 43 of the Copyright Law, ISPs can be held liable for content that infringes copyright found on their sites or systems. Any person whose right is allegedly infringed on by the transmission of information via the internet can take legal action. Section 43 states that a person who infringes on a right protected under this Act commits an offence and is liable on summary conviction to a fine of not more than one thousand penalty units and not less than five hundred penalty units or to a term of imprisonment of not more than three years or to both; and in the case of a continuing offence, to a further fine of not less than twenty-five penalty units and not more than one hundred penalty units for each day during which the offence continues.
Functionality of Data Protection Laws in Ghana Functionality of Data Protection Laws in Ghana Interesting revelations came out of the 2015 Ghana Cloud Readiness Survey by Goodman AMC. One actionable outcome of the survey was that few Ghanaians and IT experts in Ghana are aware of their rights to data privacy and the existence of privacy laws which safeguard their personal data under the laws of Ghana. The Goodman AMC survey also noted that the awareness of privacy notices was extremely low in Ghana. 66 out of the 115 respondents (representing 57%) were not aware of their right to seek legal redress, should their personal data be infringed upon in Ghana, whilst 92.7% (i.e. 102 out of 115 people) were not aware of the Act of Parliament of the Republic of Ghana which protects their personal data privacy in Ghana. A majority of IT experts interviewed in the survey, who have been operating in Ghana for many years, are not registered with the Data Commission and are oblivious to their right to data privacy as cloud customers and citizens of Ghana- 80% of interviewees who participated in the Goodman AMC survey were not registered with the Data Protection Commission in Ghana.
Bridging The Gap Between Data Protection Laws, Citizens and Businesses Bridging The Gap Between Data Protection Laws, Citizens and Businesses “The government needs to look at taking personnel abroad to learn and acquire firsthand knowledge on cloud computing in order to increase government’s know-how in improving on existing cloud related policies.” Richard Hyiaman Fofie, (Ghanaian IT Analyst). The Data Protection Commission is a critical player in this space, and should focus its PR efforts towards increasing awareness of its existence, and develop a policy framework that will put functional structures in place to help educate and empower Ghanaians to better understand their rights, how to use them, and what they should expect from the Data Protection Commission. Additionally, the commission must ensure that organizations are aware of their obligations, and enforce punitive measures where necessary to ensure compliance, acting as a wider deterrent. The Data Protection Commission has a major function to play, both as an educator and enforcer of data protection law. The Data Protection Commission also needs to take action when data protection laws are seriously contravened, and take proactive steps to ensure organizations comply, using a transparent and well-publicized approach, since the commission’s critical objectives will not be met if its activities are shrouded away from public view. It therefore makes sense for the Data Protection Commission to increasingly showcase its existence, and make its activities more visible as cloud use continues, and also increase in its efforts to demystify the Data Protection Act of Ghana to the wider cloudusing public. We are of the opinion that the Data Protection Commission needs to re-evaluate the 2012 Data Protection Act in order to ensure that all stakeholders conform to and are ready for the information. This can be achieved by partnering with the OECD (Ghana being its newest member) to find possible ways of creating a National Cloud Strategy that will be used to recommend policy reforms and drive growth in the public and private sectors, so as to promote the socio-economic growth of Ghana. The Data Protection Commission also needs to make a detailed assessment of the privacy policies of cloud service providers, with the aim of checking whether they meet the requirements of the Data Protection Act of Ghana. In this regard, the commission’s findings could be used to analyze and issue enforcement notices to caution cloud service providers to comply with their recommendations or face a fine as mandated by the law. The 2015 Goodman AMC Ghana Cloud Readiness Survey observed that 22.72% of respondents had their cloud service providers based in Europe whiles 77.28% had theirs
Bridging The Gap Between Data Protection Laws, Citizens and Businesses based in the USA. Ghana’s Data Protection Commission therefore needs to ensure that the laws and regulations governing data protection in the USA and Europe does not conflict with Ghana’s laws and are compatible and transparent enough in order to promote efficient data management and encourage international trade with both the USA and European countries.
Leveraging on OECD’s Expertise Leveraging on OECD’s Expertise There have been a number of international efforts through multilateral organizations to develop a common framework for cloud-related policy. The two most notable of these are the efforts of the Organization for Economic Cooperation and Development (“OECD”) and the Asia-Pacific Economic Cooperation (“APEC”) forum. Both organizations have focused primarily on developing a shared set of principles for data privacy (Berry and Reisman, 2012). On October 6, 2015, Ghana joined 49 other countries to become the 50th member (and 9th African member) of the OECD Development Centre. Ghana needs to leverage this opportunity and tap into the OECD’s ability to provide policy solutions that will stimulate growth and actively improve data privacy and cloud computing in Ghana. The OECD guidelines governing the protection of privacy and trans-border flow of personal data (the “Guidelines”) was adopted in 1980, making it the first multilateral effort to address privacy issues related to cross-border data flow. The Guidelines, which were reviewed and amended on 11th July, 2013, establish several rights of the individual pertaining to his or her personal data and lays out framework principles which national governments should follow in protecting these rights. As new members of the OECD, Ghana needs to review its data privacy policies in order to demonstrate leadership and commitment to the protection of privacy and free flow of information at the highest levels of government as stated by the OECD. Regarding the national implementation of the Guidelines in member countries, paragraph 19 of the OECD Guidelines recommends the following: Paragraph 19(a) of the Guidelines recommends that member countries develop national privacy strategies that reflect a coordinated approach across governmental bodies. Elevating the importance of privacy protection to the highest levels within government helps improve the effectiveness of privacy protection. Paragraph 19(g) outlines measures to foster the development and deployment of privacy-respecting and privacy-enhancing technologies (“PET”s). For example, member countries may choose to support the development of technical standards which advance privacy principles. Privacy professionals play an increasingly important role in the implementation and administration of privacy management programs. Several member countries have already undertaken initiatives to define the competencies of privacy professionals. Credential programs in data protection and privacy, as well as specialized education and professional development services may contribute to the development of the necessary skills. Paragraph 19(g) explicitly encourages member countries to consider the adoption of measures to support such skills development.
Data Protection and Privacy Concerns Data Protection and Privacy Concerns We assessed the potential risks to data protection by evaluating the shortcomings of more advanced data transfer, processing and management models. We were particularly interested in the Ghanaian data subject’s right to data privacy, where effective & functional personal data management is concerned.
Maximillian Schrems v. Data Protection Commissioner The European Court of Justice recently passed a ruling on Maximillian Schrems v Data Protection Commissioner of Ireland to invalidate the Safe Harbour pact (a major datasharing agreement that allows American companies to move data between the European Union and the U.S).
Europe v. Facebook Taking in view allegations made in 2013 by Edward Snowden that US security agencies had the legal obligation, without any judicial warrant or the consent of an individual, to access one’s private data on national security grounds as far as it's located on US soil, the case alleges that Facebook participates in the NSA spy program PRISM, and Facebook Ireland, which provides services outside the USA and Canada, has been and was violating the Irish Data Protection Act and the European Data Protection Directive by transferring users’ data to the United States for processing by Facebook Inc. The class action lists various areas where it believes that Facebook has been violating EU Data protection laws. These include, among other things, voided privacy policies; illegal collection and transfer of data; spying on the browsing behavior of users. The legal reasoning here is that the extent to which non-US data subjects enjoy effective data rights is unclear where generalized and mass state surveillance and interception of communication by the NSA is concerned. Therefore, the data privacy rights of non-US subjects can be potentially violated when Facebook Ireland transfers data to its parent company in the United States for processing. Interestingly, Ghana's privacy laws also follow a similar trajectory by granting the Government the authority to access an individual's personal data on the basis of national security concerns as stated in Section 60 (2) of the Data Protection Act. These observations present two key challenges for open debate where cloud computing and foreign cloud service providers are concerned: Does the Ghanaian consumer of cloud computing enjoy effective data protection and rights to privacy:
Data Protection and Privacy Concerns
internally, seeing as government has jurisdiction over every processed data as far as it originates (partly or wholly) or is stored in Ghana as stated under section 45 (1) of the Data Protection Act; and
from the jurisdiction where the cloud service originates, seeing as service providers have to comply with the data protection laws of their countries of origin as well as that of the country of operation (please see section on Cross-Border Transfer of Data Jurisdiction)
In conclusion, Ghana’s cloud computing industry faces data privacy risks since the guidelines are not completely transparent on the protection of personal data transferred, where the elimination or reduction of the powers available to the national supervisory authorities of the countries where the data of Ghanaian subjects is being held or processed is concerned.
The Business Case for Cloud Computing in Ghana The Business Case for Cloud Computing in Ghana Ghana’s ICT has undergone significant transformation over the past decade, with substantial investments in broadband infrastructure by mobile operators. Among African countries, Ghana’s telecommunications sector had the highest investment-torevenue ratio between 2009 and 2010, as operators invested relatively heavily in fixed assets in order to maintain and enhance networks. The staggered investments into ICT infrastructure, across the past few years, have translated into increasing mobile telephone and data subscriptions. According to a recent report by the International Telecommunications Union (“ITU”), the UN’s ICT development agency, Ghana has the highest mobile broadband penetration in Africa. As at October 2014, the country’s total telephone subscriptions stood at 29 million; nearly 111.2% teledensity, which correlates strongly with the increasing purchasing power of Ghana’s burgeoning middle class. NCA data from May 2015 shows a mobile voice subscriber base of 31.96 million; 1.2 times the country’s population of 26.33 million. Mobile data subscription figures for the same period are upwards of 17 million, while the mobile voice subscriber base came in at 31.96 million. Fixed broadband penetration, however, has remained marginally low. According to the ITU’s Measuring Information Society Report released in the last quarter of 2012, mobile broadband penetration surged from 7% in 2010 to 23% in 2011. The study observed that 14% of Ghanaians were internet users (up from 10% in 2010).
Pricing Ghana’s mobile broadband prices are also relatively low. At 14% of Gross National Income (“GNI”) per person, this is 4.5 times lower than the African average, which stands at 64% of GNI per person.
Internet Usage The relatively low prices have spurred on internet usage. According to Internet World Statistics (“IWS”), there were 5.17 million internet users as at December 2014 (approximately 19.6% of the population). According to the ITU, Ghana had 1.3 million internet users as at June 2010, which translates to a penetration rate of 5.3%, up from 4.2% in 2009, 3.8% in 2008, 1.8% in 2006 and just 0.2% in 2000 (30,000 users). The 2010 penetration rate is among the highest in the sub-Saharan region.
The Business Case for Cloud Computing in Ghana
Policy This study has discussed extensively, the various regulations, legal provisions and public agencies that serve to promote the growth of the segment, as well as protect the rights of the Ghanaian citizen from privacy violation.
Government Constructing a Data Center Massive improvements in storage, processing and transmission capacity have paved the way for Ghana’s cloud economy. As part of Ghana’s national policy to make information resources widely available and accessible to all, the Government of Ghana, through the Ministry of Communication is constructing the National Data Centre infrastructure to facilitate the consolidation and aggregation of all key computing infrastructure in secure, highly available and resilient facilities. The data centre would comprise a primary data center in Accra with over 500 rack space, which is expected to be the largest in West Africa, and will provide services such as web hosting, cloud infrastructure as a service solutions, and dedicated servers to all interested stakeholders. The USD 138 million National Data Centre infrastructure will consist of a primary data centre in Accra and a secondary, fully replicated facility in the interior of the country. These facilities will be supported by a Network Operating Centre to provide monitoring and control over all applications and network services originating in the data centre infrastructure, a security operating centre to serve as the nucleus of the MDA’s intranet and internet security, operations, and several storage area networks which will provide for the storage needs of all the MDAs that will be hosted in the data centre. The secondary data center is located on the Kwame Nkrumah University of Science and Technology campus in Kumasi, has been completed (according to Ghana’s Minister of Communications in a recent press release), and will provide services such as web hosting and cloud infrastructure as a service solution.
Bandwidth Ghana’s access to international bandwidth has also increased significantly since the start of the decade due largely to liberalization and increased competition. Between 2010 and 2013, four fiber optic submarine cables were landed in Ghana, increasing the amount of international bandwidth from 320 Gigabytes to over 12 Terabytes. The arrival of the Main One, Glo-1, WACS and ACE cables unleashed significant competition for
The Business Case for Cloud Computing in Ghana international bandwidth and a dramatic fall in the wholesale cost of capacity. Today, the cost of an E1 connection in Ghana is around USD 1,200, down from as much as USD 12,000 in 2006.
Increasing Broadband Penetration The recent inauguration of the Eastern Corridor Fibre Optic Backbone Infrastructure project has the potential to improve connectivity in Ghana, leading to an increase in broadband penetration. The USD 38 million project, funded by the government of Denmark, is expected to bridge the digital divide between urban and rural communities and promote information and communication technology (“ICT”) applications to support education, health delivery, e-government business development, agriculture development, national security, among others. The project, which stretches nearly 800 kilometers from Ho in the Volta Region to Bawku in the Upper East Region, is linked to the existing network in other parts of the country and facilitates network access to 20 district and municipal assemblies and 120 communities. Designed and implemented by Alcatel-Lucent, the project included the construction of a data centre and a managed service component to ensure the security of data on the entire network.
Pg. 36 Conclusion
This study has explored the various opportunities and well-balanced strategic elements that imply that Ghana has the necessary legal and technological infrastructure to support cloud computing in a truly African yet world-class sense. The industry is gearing up for growth, and our survey showed a wide acceptance that is growing steadily. However, with increasing acceptance comes the need to re-evaluate, assess all probable risks, and tighten the seams while the segment is still young and malleable. We have assessed the strategic initiatives that have set the industry in motion and have applied lessons from more advanced models where data privacy rights are concerned. This exploratory report not only highlights and researches the security laws, but also seeks to assist policy makers, as they identify opportunities to expand and review existing policies, as well as develop new ones. Reforms should be based on a thorough examination of current security policies, standards and guidelines, and the failings of more advanced models, and should ultimately provide smart strategic guidelines that will encourage organizations in Ghana to invest in cloud computing as well as boost confidence in digital business creation by minimizing the barriers to growth.
Pg. 37 References
Achampong, E. K. (2012). The State of Information and Communication Technology and Health Informatics in Ghana. Online Journal of Public Health Informatics [Online] 4(2):e6 Advance Information Technology Institute-Kofi Annan Centre of Excellence (2012): Ghana’s Internet speed ranked highest in Africa. [Online]. Available from: http://www.aiti-kace.com.gh/?q=node/21 [Accessed 26 October 2015]. Alliance for Affordable Internet (2014) Affordable Internet in Ghana: The Status Quo and the Path Ahead. Washington DC: A4ai. Armbrust, M., A. Fox, R. Griffith, A.D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson,A. Rabkin, I. Stoica, and M. Zaharia (2009), Above the Clouds: A Berkeley View of Cloud Computing. University of California, Berkeley, Technical Report No. UCB/EECS-2009-28.2009. Berry, R. and Reisman, M. (2012) Policy Challenges of Cross-Border Cloud Computing. United States International Trade Commission Journal of International Commerce and Economics. Copyright Act (2005). The Six Hundred and Ninetieth Act of the Parliament of the Republic of Ghana. Corruption Perceptions Index (2014) Corruption Perceptions Index Results (Ghana). [Online]. Available from: https://www.transparency.org/cpi2014/results [Accessed 14 September 2015] Court of Justice of the European Union (2015) The Court of Justice Declares that the Commissions US Safe Harbour Decision is Invalid. Maximillan Schrems v. Data Protection Commissioner, Judgment in Case C-362/14, Press Release No 117/15. Data Protection Act (2012). The Eight Hundred And Forty-Third Act of the Parliament of the Republic Of Ghana. Electronic Communications Act (2008). The Seven Hundred and Seventy Fifth Act of the Parliament of the Republic of Ghana. Electronic Transaction Act (2008). The Seven Hundred and Seventy Second Act of the Parliament of the Republic of Ghana. Frempong, G. (2010) Ghana ICT Sector Performance Review 2009/2010. Towards Evidence-based ICT Policy and Regulation. Volume 2, Policy Paper 8.
Gartner (2011) Gartner Says Worldwide Enterprise Software Revenue to Grow 9.5 Percent in 2011. [Online]. News release, June 21, 2011. Available from: http://www.gartner.com/it/page.jsp?id=1728615 [Accessed 26 October 2015]. Ghana Gets National Data Center by 2015 (2014). Modern Ghana [Online]. Available from: www.modernghana.com/nws/586102/1/ghana-gets-national-data-center-by2015.html [Accessed 13 September]. Greenberg, M. (2014) The Ghanaian Startup Ecosystem. [Online]. Available from: http://mestghana.wpengine.com/wpcontent/uploads/2014/09/Ghanaian_Startup_Ecosystem_Report.pdf [Accessed 14 September 2015]. IBM (2013) Surfline Communications Selects IBM Cloud to Expand across West Africa. IBM [Online]. Available from: https://www03.ibm.com/press/us/en/pressrelease/42148.wss [Accessed 26 October 2015]. IDC (2013) Successful Cloud Partners: Higher, Faster and Stronger. [Online]. Available from https://news.microsoft.com/download/presskits/partnernetwork/docs/idcmicrosoftcl oudinfodoc.pdf [Accessed 26 October 2015]. International Telecommunications Union (2012) Measuring the Information Society. Geneva: ITU. International Telecommunications Union (2013) Measuring the Information Society. Geneva: ITU. Internet World Stats (2014) Internet Users on December 31 2014, Ghana. [Online]. Available from: www.internetworldstats.com/africa.htm [Accessed 24 September 2015]. ISSER (2015) Electricity Insecurity and its Impact on Micro and Small Businesses in Ghana. Workshop on Electricity Insecurity and its impact on the economy of Ghana, Accra 14th May 2015. Lunden, I. (2015) Setback for European Facebook Privacy Class Action, As Austrian Court Rules Lawsuit Inadmissible. Tech Crunch [Online]. Available from: http://techcrunch.com/2015/07/01/setback-for-european-facebook-privacyclass-action-as-austrian-court-rules-suit-inadmissible/ [Accessed 6 November 2015]. Ministry of Communications. (2003) The Ghana ICT for Accelerated Development (ICT4AD) Policy. Ghana: MoC.
References Ministry of Communications. (2005) National Telecommunications Policy. Ghana: MoC. Ministry of Communications. (2011) Medium-Term National Development Policy Framework: Ghana Shared Growth and Development Agenda (GSGDA), 2010-2013, Policy Framework, Final Draft. Ghana: MoC. Ministry of Communications. (2014) Ghana National Cyber Security Policy & Strategy, Final Draft. Ghana: MoC. National Communication Authority, Ghana (2015) Telecom Data Subscription Trends, 2015. [Online]. Available from: http://www.nca.org.gh/downloads/Mobile_Broadband_Market_Share_JUNE_2015 %20JUNE%202015.pdf [Accessed 13 September 2015]. National Communication Authority, Ghana (2015). Telecom Voice Subscription Trends, 2015. [Online]. Available from: http://www.nca.org.gh/downloads/Voice_Market_Share_JUNE_2015.pdf [Accessed 13 September 2015]. OECD (2000) Expert Group on Defining and Measuring E-commerce. Paris: OECD. [Online]. Available from: https://stats.oecd.org/glossary/detail.asp?ID=758 [Accessed 23 October 2015]. OECD (2013) Supplementary Explanatory Memorandum to the Revised OECD Privacy Guidelines. Paris: OECD. OECD (2015) Ghana becomes the 50th Member of the OECD Development Center. Press Release 6th October 2015, Paris: OECD. [Online]. Available from: www.oecd.org/dev/ghana-joins-oecd-development-centre.htm [Accessed 24 October 2015]. Omane-Boamah, E. (2014) PP-14 Policy Statements. ITU Plenipotentiary Conference, Busan 22 October 2014. [Online]. Available from: http://www.itu.int/en/plenipotentiary/2014/statements/file/Pages/ghana.aspx [Accessed 6 November 2015]. Ried, S. and Kisker, H. (2011) Sizing the Cloud – A BT Futures Report. Technical Report, Forrester Research, Inc. UNCTAD (2013) Information Economy Report 2013: The Cloud Economy and Developing Countries. Switzerland: UNCTAD. World Economic Forum and INSEAD (2015) The Global Information Technology Report 2015: ICTs for Inclusive Growth. Geneva: WEF and INSEAD.
Yeboah-Boateng, O. E. and Cudjoe-Seshie, S. (2013) Cloud Computing: The Emergence of Application Service Providers (ASPs) in Developing Economies. International Journal of Emerging Technology and Advanced Engineering, 3 (5), 708.
Contact Information Authors Bernard Boachie-Danquah Founding Partner [email protected]
Isma-il Sulaiman Managing Partner [email protected]
The authors would like to thank Portia Kuffuor for her significant contribution to this report. Goodman AMC LLC P.O.Box AF 1732, Adenta-Accra, Ghana www.goodmanamcllc.com