| [ |
| "1 DATA HARMONISATION BILL\nARRANGEMENT OF SECTIONS\nPRELIMINARY MATTERS\n1. Application\n2. Objectives\n3. Guiding Principles\nDATA SHARING AND THE NATIONAL DATA EXCHANGE PLATFORM\n4. Establishment of the National Data Exchange Platform\n5. Data Sharing Obligations\n6. Data Providers\n7. Data Exchange Framework\n8. System Integration and API Governance\n9. Data Security\n10. Data Quality Requirements\n11. Audit Trails and Logging\n12. Oversight and Accountability\nGOVERNANCE FRAMEWORK\n13. Oversight Authority\n14. Functions of the Authority\n15. Data Harmonisation Advisory Committee\nACCESS AND USE OF THE NATIONAL DATA EXCHANGE PLATFORM\n16. Data Access\n17. Onboarding and Access Control Protocols\n18. Cross -Border Transfers\nDATA PROTECTION\n19. Data Subject Rights\n20. Obligations of Data Controllers and Data Processo rs\nCOMPLIANCE AND ENFORCEMENT\n21. Compliance Monitoring\n22. Reporting Requirements\n23. Offences and Penalties\n24. Administrative Sanctions\n25. Dispute Resolution\n26. Dispute Resolution Committee\n27. Powers of the Dispute Resolution Committee\n28. Resolution of Referred Disputes\nDATA HARMONISATION TRIBUNAL\n29. Establishment of the Data Harmonisation Tribunal\n30. Composition of the Tribunal\n2 31. Rules of Procedure of the Tribunal\n32. Right of Appeal\n33. Decisions of the Tribunal\nFINANCIAL PROVISIONS\n34. Fees\n35. Sources of Funds\n36. Expenses\n37. Accounts and audits\nTRANSITIONAL AND MISCELLANEOUS PROVISIONS\n38. Implementation and Pilot Scheme\n39. Relationship and Integration with Existing Laws\n40. Repeals and Savings\n41. Regulations\n42. Interpretation\nSCHEDULES\nFIRST SCHEDULE\nPublic Interest Data Classification Framework\nSECOND SCHED ULE\nLocal Participation and Local Content Requirements\n3\nA BILL ENTITLED\nTHE DATA HARMONISATION ACT, 20XX (ACT XXXX)\nAN ACT to promote data harmonisation, standardisation and exchange to enhance data\ngovernance, enable efficient public service delivery, and safeguard data rights and to provide\nfor related matters .\nDATE OF ASSENT :", |
| "3\nA BILL ENTITLED\nTHE DATA HARMONISATION ACT, 20XX (ACT XXXX)\nAN ACT to promote data harmonisation, standardisation and exchange to enhance data\ngovernance, enable efficient public service delivery, and safeguard data rights and to provide\nfor related matters .\nDATE OF ASSENT :\nPASSED by Parliament and assented to by the President:\nPreliminary Matters\nApplication of this Act\n1. (1) This Act applies to all public interest data and all holders of public interest data .\n(2) Without limiting subsection (1), this Act applies to:\n(a) all public sector institutions, including ministries, departments, agencies, and\nstatutory bodies, that collect, generate, process, store or hold public interest\ndata;\n(b) all private sector entities that generate, collect, store, or otherwise control or\nproce ss public interest data in connection with a public function, a regulatory\nobligation, or the provision of goods or services;\n(c) any person or institution granted access to the National Data Exchange\nPlatform under this Act ; and\n(d) any category of persons whom the Minister shall designate .\n(3) This Act shall not compel the mandatory sharing of any information classified as\nrestricted data, or any other information whose disclosure would endanger\nnational security, defen ce, or public safety.\nObjective s of the Act\n2. The purpose of this Act is to establish a legal and institutional framework for the\nharmonisation, sharing and use of public interest data, through a secure data\nexchange infrastructure, to support efficient public administration and national\ndevelopment. The objectives of this Act are to:\n(a) promote coordinated and harmonised data governance across public and\nprivate institutions;\n(b) improve the quality, accessibility, interconnected ness and interoperability of", |
| "exchange infrastructure, to support efficient public administration and national\ndevelopment. The objectives of this Act are to:\n(a) promote coordinated and harmonised data governance across public and\nprivate institutions;\n(b) improve the quality, accessibility, interconnected ness and interoperability of\npublic interest data ;\n(c) provide the legal mandate f or the sharing of public interest data;\n(d) enable the lawful and secure sharing of public interest data across institutional\nand sectoral boundaries;\n(e) support innovation, competition, research, and evidence -based policy making\nby enabling lawful access to publ ic interest data;\n(f) protect the public from fraud, misinformation, and other risks arising from poor\ndata management and fragmented information systems; and\n(g) ensure that public interest data is governed in accordance with national\nvalues, applicable standard s, and international best practices .\n4\nGuiding Principles\n3. The implementation of this Act shall be guided by the following principles:\n(a) data integrity, public interest data must be consistent , accurate and reliable ;\n(b) data standardisation, there must be common formats, definitions and\nclassifications used across databases to enable exchange of information and\ncomparability ;\n(c) data democratisation, public interest data must be accessible and readily\navailable for use across sectors;\n(d) interoperability, systems and institutions must be able to interpret, use, and\nexchange data seamlessly through the appropriate standards and protocols;\n(e) reusability, redundant data collection must be avoided ; where applicable, the\nsame data should be collected once only and re-used appropriately across\ninstitutions ;\n(f) security, access to public interest data should be as open as possible, but as", |
| "(e) reusability, redundant data collection must be avoided ; where applicable, the\nsame data should be collected once only and re-used appropriately across\ninstitutions ;\n(f) security, access to public interest data should be as open as possible, but as\nclosed as necessary; the right to access data must be balanced with the\nprivacy and safety of citizens and the security of the Republ ic;\n(g) optimisation, data sharing and system integration should support the delivery\nof timely, efficient and citizen -centred public services; and\n(h) transparency, the collection, access and use of public interest data should be\nforthright and promote accountabi lity and public trust .\nData Sharing and the National Data Exchange Platform\nEstablishment of the National Data Exchange Platform\n4. (1) There is established by this Act the National Data Exchange Platform , a public\ndigital infrastructure for the secure, standardised and interoperable exchange of public\ninterest data .\n(2) The National Data Exchange Platform shall operate as the central national\ninfrastructure for the provision and exchange of public interest data held by public\ninstitutions and eligible private entities, specifically comprising open data and\nshareable data.\n(3) The National Data Exchange Platform shall:\n(a) facilitate the lawful sharing , exchange and re -use of public interest data in\naccordance with this Act;\n(b) support machine -readable access to public interest data through standardised\nAPIs and related technologies;\n(c) support accessi bility to public intere st data and the interoperability of\ndatabases;\n(d) facilitate the onboarding of data providers and data consumers; and\n(e) promote transparency in the access and management of public interest data .", |
| "APIs and related technologies;\n(c) support accessi bility to public intere st data and the interoperability of\ndatabases;\n(d) facilitate the onboarding of data providers and data consumers; and\n(e) promote transparency in the access and management of public interest data .\n(4) The National Data Exchange Platform shall be held by the Republic through the\nMinistry.\n(5) The technical operation, configuration, administration and maintenance of the\nNational Data Exchange Platform shall be managed and supervised by the\nAuthority in accordance with the policy direction and objectives prescribed by the\nMinister .\n(6) The i nstallation and day -to-day operations of the National Data Exchange Platform\nshall at all times be managed by an ent ity registered under the laws of Ghana and\n5 subject to the local content and local participation requirements prescribed by the\nAuthority.\n(7) The Minister may prescribe requirements and procedures for the administration of\nthe National Data Exchange Platform .\nData Sharing Obligation s\n5. (1) All holders of public interest data shall identify and classify the public interest data\nthey hold as either open data, shareable data or restricted data in accordance with\nSchedule 1 of this Act .\n(2) The Minister may from time to time prescribe additional classifications of public\ninterest data.\n(3) All open data holders shall provide access to such open data via the National\nData Exchange Platform in accordance with this Act and any directives issued\nunder it.\n(4) Shareable data holders shall provide access to sharea ble data via the National\nData Exchange Platform upon the fulfilment of the relevant conditions required to\naccess that shareable data.\n(5) Shareable data holders shall clearly define and make transparent any conditions,", |
| "under it.\n(4) Shareable data holders shall provide access to sharea ble data via the National\nData Exchange Platform upon the fulfilment of the relevant conditions required to\naccess that shareable data.\n(5) Shareable data holders shall clearly define and make transparent any conditions,\nprocedures or terms which need to be met to access the shareable data.\n(6) Nothing in this section shall be construed to require the sharing of data classified\nas restricted, except as may be authoris ed under this Act or any other applicable\nlaw.\n(7) A holder of public interest data who fails to provide access in contravention of this\nsection commits an offence and shall be liable upon summary conviction to a fine\nof not less than two hundred penalty unit s and not more than ten thousand penalty\nunits .\nData Providers\n6. (1) A holder of public interest data may be designated as a data provider under this Act\nand shall be onboarded onto the National Data Exchange Platform .\n(2) A person shall qualify as a data provider if that person:\n(a) is a public body or private entity or institution that holds public interest data;\nor\n(b) performs a statutory, regulatory, or public service function involving the\ngeneration or management of public interest data; and\n(c) meets the eligib ility criteria prescribed by the Authority.\n(3) Without limiting the provisions of subsection (2) above, the Minister may designate\nentities, bodies, systems, organisations and institutions as data providers.\n(4) The Authority shall, in consultation with the Advisory Committee , prescribe the\ncriteria and procedures for determining eligibility as a data provider and the\nresponsibilities of approved data providers in their operation s on the National Data\nExchange Platform .", |
| "entities, bodies, systems, organisations and institutions as data providers.\n(4) The Authority shall, in consultation with the Advisory Committee , prescribe the\ncriteria and procedures for determining eligibility as a data provider and the\nresponsibilities of approved data providers in their operation s on the National Data\nExchange Platform .\n(5) The Authority shall issue guidelines on the process and technical requirements for\nonboarding and integration with the National Data Exchange Platform .\n6\n(6) A data provider shall:\n(a) ensure the accuracy and completeness of the ir database provided;\n(b) apply the appropriate classification, specifications and format requirements as\nprescribed under this Act;\n(c) implement appropriate security and technical measures, access controls and\ndata protection measures as required under this Act or any other applicable\nlaw; and\n(d) maintain internal processes to support tim ely and efficient data exchange in\naccordance with this Act and any Regulations, directives or guid elines issued\nunder this Act .\n(7) The Authority shall, in consultation with relevant sector regulators, maintain a\nregister of approved data providers .\nData Exchange Framework\n7. (1) Data providers shall grant access to their databases in a file format which is\nstructured , machine -readable and compatible with the National Data Exchange\nPlatform to allow software applications to easily identify, recognise and extr act specific\ndata.\n(2) The Authority shall, in consultation with the Advisory Committee , prescribe\ntechnical and operational standards, including but not limited to:\n(a) the use of standardised data formats across all databases ;\n(b) the adoption of sector -appropriate data exchange formats, including but not\nlimited to XML and JSON;\n(c) connectivity protocols that ensure secure, real -time, or scheduled data\ntransmission;", |
| "(a) the use of standardised data formats across all databases ;\n(b) the adoption of sector -appropriate data exchange formats, including but not\nlimited to XML and JSON;\n(c) connectivity protocols that ensure secure, real -time, or scheduled data\ntransmission;\n(d) the application of sector -specific classification systems, taxonomies, and\ndata dicti onaries;\n(e) the use of unique identifiers across sectors to ensure traceability and data\ndeduplication; and\n(f) metadata standards, classification levels, and tagging practices for all public\ninterest data.\n(3) The Authority shall prescribe the technical specificati ons referenced under\nsubsection (2) and update them periodically to reflect international best practices\nand emerging technologies.\n(4) Where conversion of public interest data into the prescribed digital format is\nimpossible or would involve a disproportiona te effort, the data provider shall\nconsult with the Authority to determine an appropriate alternative prior to their\nonboarding.\nSystem Integration and API Governance\n8. (1) A data provider shall ensure that all data sharing occurs through secure,\nstandard ised, and auditable APIs, as prescribed by the Authority in consultati on with\nthe Ghana Standards Authority .\n(2) The Authority shall prescribe technical specifications on:\n(a) API architecture, protocols, and endpoints to ensure system -wide\ninteroperability;\n(b) authentication and authorisation mechanisms, including the use of digital\ncredentials, access tokens, and role -based permissions;\n7 (c) encryption requirements for data in transit and at rest to preserve\nconfidentiality and integrity;\n(d) tracking, logging, and audi t mechanisms for each data request and response", |
| "credentials, access tokens, and role -based permissions;\n7 (c) encryption requirements for data in transit and at rest to preserve\nconfidentiality and integrity;\n(d) tracking, logging, and audi t mechanisms for each data request and response\nexchanged via the National Data Exchange Platform ;\n(e) implementation of tiered access or safeguard measures for sensitive data\nrequiring limited or controlled disclosure ; and\n(f) any other specifications that the Authority may deem relevant.\n(3) A data provider shall comply with all specifications provided by the Authority in\naccordance with sub section (2) and shall implement robust internal policies and\nprocedures to protect and safeguard access to their API keys to prevent\nunauthorised use.\n(4) A data provider who intentionally , recklessly or by gross negligence fails to prevent\nAPI exposure and unauthorised access is subject to an administrative penalty of up\nto ten thousand penalty units.\n(5) A data provider shall not e xpose or allow access to any database through the\nNational Data Exchange Platform unless the relevant API integration has been\ntested and approved by the Authority or a body designated by the Authority.\n(6) A data provider who fails to comply with subsection (5) commits an offence and shall\nbe liable upon summary conviction to a fine of not less than five hundred penalty\nunits and not more than fifty thousand penalty units .\n(7) The Authority may, in addition to the penalty under subsection (6), impose an\nadministrative penalty of up to one thousand penalty units.\n(8) The Authority shall monitor API performance, integrity, and security on a continuous\nbasis, and may issue technical updates or revoke access where necessary to\nensure compliance with this Act .\nData Security", |
| "administrative penalty of up to one thousand penalty units.\n(8) The Authority shall monitor API performance, integrity, and security on a continuous\nbasis, and may issue technical updates or revoke access where necessary to\nensure compliance with this Act .\nData Security\n9. (1) A data provider shall implement appropriate technical and organisational measures\nto ensure the confidentiality, integrity, security and continuous availability of the public\ninterest data they share through the National Data Exchange Pla tform .\n(2) Without limiting subsection (1) or any other obligations of data providers under this\nagreement, a data provider shall:\n(a) establish role-based access controls and user authentication protocols to\nprevent unauthorised access to the database;\n(b) ensure encryption of data in transit and at rest, using standards prescribed by\nthe Authority;\n(c) maintain routine backup systems for the database ;\n(d) implement business continuity and disaster recovery measures to minimise\ndisruption in the event of system failure or compromise; and\n(e) maintain internal controls and procedures for identifying, reporting, and\nresponding to security incident s.\n(3) The Authority may, in consultation with the Cyber Security Authority , Data\nProtection Commission and any other relevant government agencies , issue\nguidelines or directives specifying minimum security standards for data providers\nand data consumers.\n8 (4) The Authority may prescribe different data security benchmarks for specific\nsectors or databases , taking into account the nature, use, a nd sensitivity of the\ndata.\n(5) A data provider shall, upon request, furnish the Authority with evidence of the\ninternal procedures and systems in place to ensure data security in accordance\nwith this section.\n(6) A data provider shall notify the Authority promptly of any actual or suspected", |
| "data.\n(5) A data provider shall, upon request, furnish the Authority with evidence of the\ninternal procedures and systems in place to ensure data security in accordance\nwith this section.\n(6) A data provider shall notify the Authority promptly of any actual or suspected\nbreach, compromise, or unauthorised access affecting its database, and in any\ncase , no later than within seventy -two ( 72) hours of discovery :\n(a) where the breach is of a nature affect ing personal data, then the data\nprovider shall additionally notify the Data Protection Commission in\naccordance with the provisions of the [Data Protectio n Act 20XX, (Act\nXXX) ].\n(b) where the bre ach is of a nature involving cybersecurity -related matters\nthen the data provider shall additionally notify the Cybersecurity Authority\nwithin twenty -four (24) hours of detection in accordance with the\n[Cybersecurity Act 20XX, (Act XXX) ];\n(7) The form and manner of notification in subsection ( 6) and the immediate steps to\nbe implemented after notification shall be prescribed by the Authority .\n(8) A data provider who fails to comply with this section 9 commits an offence and\nshall be liable upon summary conviction to a fine of not less than five hundred\npenalty units a nd not more than fifty thousand penalty units.\n(9) The Authority may, in addition to the penalty under subsection (8), impose an\nadministrative penalty of up to ten thousand penalty units.\nData Quality Requirements\n10. (1) A data provider shall ensure that all databases made available through the National\nData Exchange Platform meet the quality standards prescribed by the Authority.", |
| "administrative penalty of up to ten thousand penalty units.\nData Quality Requirements\n10. (1) A data provider shall ensure that all databases made available through the National\nData Exchange Platform meet the quality standards prescribed by the Authority.\n(2) For the purposes of subsection (1), a data provider shall:\n(a) maintain the accuracy and completeness of public interest data contained in\nits databases;\n(b) eliminate duplicate records and ensure data consistency across systems;\n(c) establish procedures for regular updates, corrections, and verification of data\nentries; and\n(d) where appropriate, impleme nt version control mechanisms to track changes\nand ensure the integrity of historical records.\n(3) The Authority may prescribe different data quality benchmarks for specific sectors\nor categories of data, taking into account the nature, use, and sensitivity o f the\ndata.\n(4) A data provider shall, upon request, furnish the Authority with evidence of the\ninternal procedures and systems in place to ensure data quality in accordance with\nthis section .\nAudit Trails and Logging\n11. (1) A data provider shall implement and maintain audit trails and logging mechanisms\nfor every access, transmission, or modification of public interest data through the\nNational Data Exchange Platform .\n9\n(2) The audit trails and logs shall, at a minimum :\n(a) record the identity of the data consumer or sy stem initiating the access or\nrequest;\n(b) specify the nature, date, time, and outcome of the transaction;\n(c) indicate the database and category or classification of data accessed or\nexchanged; and\n(d) capture any anomalies, access failures, or unauthorised attempts .\n(3) Audit logs shall be :", |
| "(c) indicate the database and category or classification of data accessed or\nexchanged; and\n(d) capture any anomalies, access failures, or unauthorised attempts .\n(3) Audit logs shall be :\n(a) securely stored in tamper -evident form;\n(b) encrypted and protected from unauthorised access or deletion; and\n(c) retained for a minimum of five (5) years, or such other period as may be\nprescribed by the Authority .\n(4) The Authority may :\n(a) cond uct periodic reviews of audit trails for compliance monitoring or technical\nassessment;\n(b) require the submission of logs by data providers to support investigations, verify\nsystem integrity, or assess suspected misuse; and\n(c) issue directives regarding the form at, storage, or transmission of audit logs.\n(5) A data provider shall establish internal protocols for monitoring and analysing audit\ntrails to detect unusual activity, prevent abuse, and support incident response.\nOversight and Accountability\n12. (1) The Authority shall monitor and enforce compliance with this Act, and may take\nappropriate enforcement action s against any data provider or data consumer who fails\nto meet their obligations under this Act.\n(2) In carrying out its oversight function, the Authority shall issue guidelines,\ndirectives, and notices to ensure the proper functioning of the National Data\nExchange Platform .\n(3) The Authority shall consult the Advisory Committee and other relevant\nstakeholders in matters of joint oversight or technica l coordination.\n(4) A data provider shall submit periodic reports on their performance on the National\nData Exchange Platform and their compliance with this Act. The form and\nfrequency of the reports shall be determined by the Authority.", |
| "stakeholders in matters of joint oversight or technica l coordination.\n(4) A data provider shall submit periodic reports on their performance on the National\nData Exchange Platform and their compliance with this Act. The form and\nfrequency of the reports shall be determined by the Authority.\n(5) The Authority shall publish an annual report detailing performance indicators and\nother key metrics of the National Data Exchange Platform and other relevant\ninformation to promote transparency.\n(6) Each data provider shall:\n(a) appoint a designated officer responsible for ensuring compliance with the\nobligations under this Act;\n(b) respond to queries or directives issued by the Authority within the prescribed\ntimelines; and\n(c) take corrective actions directed by the Authority promptly where deficiencies\nare identified.\nGovernance Framework\n10 Oversight Authority\n13. The Authority shall be responsible for overseeing the implementation and\nenforcement of this Act .\nFunctions of the Authority\n14. The functions of the Authority include but are not limited to:\n(a) overseeing the establishment and maintenance of the National Data\nExchange Platform ;\n(b) ensuring the operational integrity, accessibility and efficiency of the National\nData Exchange Platform ;\n(c) overseeing compliance with the provisions of this Act and any subs idiary\nlegislation , regulations, directives, guidelines or notices issued under this Act;\n(d) developing, issuing and updating technical, operational and security\nguidelines in consultation with the Advisory Committee ;\n(e) overseeing the onboarding, registration, and monitoring of data providers and\ndata consumers;\n(f) maintaining a register of data providers and data consumers connected to\nthe National Data Exchange Platform ;\n(g) collaborating with relevant stakeholders to ensure alignment with national\npolicies and frame works;\n(h) coordinating with other regulatory bodies to ensure alignment with applicable", |
| "data consumers;\n(f) maintaining a register of data providers and data consumers connected to\nthe National Data Exchange Platform ;\n(g) collaborating with relevant stakeholders to ensure alignment with national\npolicies and frame works;\n(h) coordinating with other regulatory bodies to ensure alignment with applicable\nlaws, including but not limited to laws on data protection , cybersecurity ,\nstandardisation and open banking ;\n(i) issuing and enforcing administrative directives, notices or sa nctions as\nprovided under this Act;\n(j) investigat ing and resolv ing disputes ;\n(k) coordinating capacity building, stakeholder engagement, and public\neducation on data harmonisation and the National Data Exchange Platform ;\nand\n(l) advising the Minister on policy implementation matters under this Act.\nData Harmonisation Advisory Committee\n15. (1) There is established by this Act a Data Harmonisation Advisory Committee to\nprovide operational insight, discuss cross -sectoral matters on data harmonisation\nand provid e strategic advice to support the Authority in the effective performance of\nits functions .\n(2) The Committee shall be composed of:\n(a) the Minister;\n(b) a representative of the National Information Technology Agency not below\nthe rank of a director ;\n(c) a representative of the Bank of Ghana not below the rank of director ;\n(d) a representative of the Cyber Security Authority not below the rank of a\ndirector ;\n(e) a representative of the Data Protection Commission not below the rank of a\ndirector ;\n(f) a representative of the Ghana Stand ards Authority not below the rank of a\ndirector or its functional equivalent;\n(g) a representative of the Ghana Statistical Service not below the rank of a\ndirector or its functional equivalent ;", |
| "director ;\n(f) a representative of the Ghana Stand ards Authority not below the rank of a\ndirector or its functional equivalent;\n(g) a representative of the Ghana Statistical Service not below the rank of a\ndirector or its functional equivalent ;\n(h) a representative of the National Communications Authority not bel ow the\nrank of a director ;\n(i) a representative of the National Identification Authority not below the rank of\na director or its functional equivalent ;\n11 (j) a senior officer of the [National Intelligence Bureau/ National Security\nCouncil ];\n(k) a representative of the Office of the Registrar of Companies not below the\nrank of a director or its functional equivalent ;\n(l) two persons from the private sector with expertise in data management, data\narchitecture, data analysis, standards engineering, ICT or digital services;\nand\n(m) one representative of civil society with experience in data protection,\nintellectual property or digital rights.\n(3) The members of the Committee shall be appointed by the Minister on the\nrecommendation of the respective institutions and at least three ( 3) of the\nrepresentatives shall be women .\n(4) The Minister shall be C hairperson of the Advisory Committee .\n(5) The Committee shall meet at least once every six months and may hold\nextraordinary meetings:\n(a) at the request of the Chairperson; or\n(b) upon the written request of not less than one -third of the members of the\nAdvisory Committee.\n(6) The Advisory Committee shall provide practical guidance on the implementation\nof this Act only and shall not exercise any executive, regulatory or operational\nauthority under thi s Act.\n(7) The Committee shall advise the Authority on :\n(a) strategic direction and long -term planning for data exchange and\nharmonisation;", |
| "of this Act only and shall not exercise any executive, regulatory or operational\nauthority under thi s Act.\n(7) The Committee shall advise the Authority on :\n(a) strategic direction and long -term planning for data exchange and\nharmonisation;\n(b) stakeholder coordination and multi -agency alignment;\n(c) phased implementation of the Act and any practical challenges ;\n(d) cross -sector engagements and feedback;\n(e) drafting of guidelines under the Act;\n(f) standards for interoperability and integration; and\n(g) any other matters as may be referred to it by the Authority or the Minister.\n(8) The term of office of a member of the Committee is four years , and a member is\neligible for reappointment for another term only.\nAccess and Use of the National Data Exchange Platform\nData Access\n16. (1) A person approved by the Authority as a data consumer may access public\ninterest data through the National Data Exchange Platform in accordance with this\nAct.\n(2) Access to data on the National Data Exchange Platform shall be granted for the\nfollowing permitted purposes:\n(a) delivery of public services or performance of statutory functions;\n(b) research, innovat ion, and academic development;\n(c) statistical analysis and evidence -based policymaking;\n(d) detection and prevention of fraud, financial crime or other unlawful conduct;\n(e) regulatory compliance, oversight and supervision functions; or\n(f) any other lawful purpose s approved by the Authority in consultation with the\nMinister .\n12\n(3) A person seeking approval as a data consumer shall apply to the Authority for\nauthorisation. The application shall be made in a manner prescribed by the\nAuthority and at a minimum, must:", |
| "(f) any other lawful purpose s approved by the Authority in consultation with the\nMinister .\n12\n(3) A person seeking approval as a data consumer shall apply to the Authority for\nauthorisation. The application shall be made in a manner prescribed by the\nAuthority and at a minimum, must:\n(a) identify the applicant and describe the purpose for which access is required;\n(b) specify the public interest data for which access is being requested,\nincluding any intended re -use or onward sharing;\n(c) disclose the applicant \u2019s legal basis or authorisation for accessing the data,\nwhere applicable;\n(d) include high -level information on its technical systems for the purpose of\nassessment for integration;\n(e) comply with any other conditions prescribed by the Authority , including the\npayment of prescribed fees .\n(4) A person seeking app roval as a data consumer shall be a legal entity or body\ncorporate and shall not be a natural person.\n(5) Upon approval, a data consumer shall be granted access credentials to the\nNational Data Exchange Platform for a period of one (1) year and assigned a data\naccess tier in accordance with their authorisation level.\n(6) A data consumer may, upon expiration of their credentials, apply to the Authority\nfor a renewal of their subscription in the prescribed form. The Authority may\nrequest additional up -to-date information from the applicant prior to granting a\nrenewal.\n(7) A person who unlawfully or without the proper authorisation accesses databases\non the National Data Exchange Platform commits an offence and shall be liable\nupon summary conviction to a fine of not less than one thousand penalty units and\nnot more than one hundred thousand penalty units or a term of imprisonment of\nnot more than five years or both.", |
| "on the National Data Exchange Platform commits an offence and shall be liable\nupon summary conviction to a fine of not less than one thousand penalty units and\nnot more than one hundred thousand penalty units or a term of imprisonment of\nnot more than five years or both.\n(8) The Authority may, in addition to the penalty under subsection (7), impose an\nadministrative penalty of up to ten thousand penalty units.\n(9) Data consumers may be required to enter data use agreements as a precondition\nto accessing shareable data or restricted data.\n(10) Data consumers shall not re -use data obtained through the National Data\nExchange Platform in a manner that duplicates or directly competes with the\nservice offered by the data provider whose database they accessed .\n(11) Data consumers shall not re -use personal data except in a manner that has been\nconsented to by the data subject or is otherwise pe rmitted by law.\n(12) A data consumer that contravenes subsections ( 10) and ( 11) commits an offence\nand is liable on summary conviction to a fine of not less than five thousand\npenalty units and not more than fifty thousand penalty units .\n(13) The Authority shall, in consultation with the Advisory Committee, issue guidelines\non the permitted re -use of data.\n(14) A person who purchases or sells, attempts to purchase or sell, or does any act\nwith the intent to purchase or sell data obtained through the National Data\nExcha nge Platform , except as otherwise approved by the Authority, commits an\n13 offence and is liable upon summary conviction to a fine of not less than five\nthousand penalty units and not more than one hundred thousand penalty units or\na term of imprisonment of not more than seven years or both .", |
| "Excha nge Platform , except as otherwise approved by the Authority, commits an\n13 offence and is liable upon summary conviction to a fine of not less than five\nthousand penalty units and not more than one hundred thousand penalty units or\na term of imprisonment of not more than seven years or both .\n(15) A data provider shall maintain and submit to the Authority, in the form and\nmanner prescribed by the Authority, a data register cataloguing the public\ninterest data available through its database to promote ease of access . The data\nregister shall indicate:\n(a) the public interest data available on the data provider \u2019s database;\n(b) the classification of such data as open, shareable or restricted;\n(c) for restricted or shareable data, any conditions or protoco ls required for the\ndisclosure of that data;\n(d) the fees required to access their da tabase , where applicable; and\n(e) any other information prescribed by the Authority.\n(16) The Authority may refuse to grant an application where:\n(a) the applicant fails to satisfy the applicable eligibility, legal, or technical\nrequirements;\n(b) the data requested is classified as restricted and the applicant does not\npossess the necessary clearance ;\n(c) granting access may compromise national security, public safety, or data\nintegrity; or\n(d) the request is otherwise inconsistent with the objectives of this Act.\n(17) In the event of refusal, the Authority shall notify the applicant of the reasons for\nthe refusal.\n(18) An international organisation or a foreign entity operating in Ghana may apply\nfor access to the National Data Exchange Platform through the Authority .\nApplications for foreign data consumers shall be subject to additional conditions\nprescribed by the Authority, and must be approved by the Minister.", |
| "the refusal.\n(18) An international organisation or a foreign entity operating in Ghana may apply\nfor access to the National Data Exchange Platform through the Authority .\nApplications for foreign data consumers shall be subject to additional conditions\nprescribed by the Authority, and must be approved by the Minister.\n(19) The Authority shall submit a list of all foreign data consumer applications that\nhave satisfied the prescribed additional criteria to the Minister for final approval\non a quarterly basis.\nOnboarding and Access Control Protocols\n17. (1) The Authority shall establish a process for onboarding data consumers which may\ninclude the payment of any applicable onboarding or service fees.\n(2) The Authority shall implement access control protocols to govern the scope and\nlevel of access granted to each data consumer.\n(3) A data consumer shall not access any database or transmit data beyond the\nlevel or purpose for which access has been granted. The Authority may suspend\nor revoke access for any data consumers who fail to comply with this section.\n(4) Data consumers who contrav ene subsection (3) commit an offence and shall be\nliable upon summary conviction to a fine of not less than five hundred penalty\nunits and not more than fifty thousand penalty units.\n(5) The Authority may, in addition to the penalties under subsections (3) an d (4),\nimpose an administrative penalty of up to five hundred penalty units.\n14 Cross -Border Transfers\n18. (1) The transfer of public interest data through the National Data Exchange Platform\nto data consumers outside the jurisdiction of Ghana is permitted only in accordance\nwith the provisions of this Act.\n(2) Cross -border transfers pursuant to subsection (1) shall:", |
| "14 Cross -Border Transfers\n18. (1) The transfer of public interest data through the National Data Exchange Platform\nto data consumers outside the jurisdiction of Ghana is permitted only in accordance\nwith the provisions of this Act.\n(2) Cross -border transfers pursuant to subsection (1) shall:\n(a) be in compliance with the [Data Protection Act, 20XX(Act XXX) ] and other\napplicable laws;\n(b) comply with any safeguards, protocols or limitations prescribed under this Act\nor issued by the Authority ; and\n(c) be approved by the Minister.\n(3) Safeguards under subsection (2) may include:\n(a) restrictions on the type or category of data which may be transferred outside\nthe jurisdiction ;\n(b) mandatory access through a registered Ghanaian subsidiary or an approved\nlocal representative regulated by the Authority ;\n(c) limitations on the duration of access;\n(d) additional requirements for technical safeguards, access logs and audits ; and\n(e) any safeguards prescribed by the Minister o r the Authority.\n(4) A data provider or data consumer that facilitates or permits cross -border transfers\nof data through the National Data Exchange Platform in a manner that\ncircumvents or violates this section, commits an offence and shall be liable upon\nsummary conviction to a fine of not less than five hundred penalty units and not\nmore than one hundred thousand penalty units.\n(5) The Authority may, in addition to the penalty under subsection (4), impose other\nadministrative sanctions, including an administrat ive penalty of up to five thousand\npenalty units .\nData Protection\nData Subject Rights\n19. Nothing in this Act shall be construed to limit or derogate from the rights of data", |
| "administrative sanctions, including an administrat ive penalty of up to five thousand\npenalty units .\nData Protection\nData Subject Rights\n19. Nothing in this Act shall be construed to limit or derogate from the rights of data\nsubjects under the [Data Protection Act, 20 XX (Act XXX)]. Where public interest data\nincludes personal data, the processing, access, or sharing of such data through the\nNational Data Exchange Platform shall be undertaken in a manner that upholds Act\nXXX. The Authority shall work in collaboration with the Data P rotection Commission\nto ensure the enforcement of data subject rights in relation to the use , re-use and\nexchange of personal data through the National Data Exchange Platform .\nObligations of Data Controllers and Data Processors\n20. Nothing in this Act shall be construed to limit or derogate from the obligations of data\ncontrollers and data processors under the [Data Protection Act, 20XX(Act XXX) ].\nCompliance and Enforcement\nCompliance Monitoring\n21. (1) The Authority shall establish and maintain a monitoring system to monitor\ncompliance with the rules, obligations and requirements of the National Data\nExchange Platform and this Act .\n(2) The Authority may appoint inspectors to carry out monitoring functio ns outlined\nunder this Act or prescribed by the Authority or the Minister.\n15\n(3) The inspector may at reasonable times:\n(a) enter and inspect a premises, which the inspector knows or reasonably\nsuspects to be used for a purpose to which this Act applies, to ensure that the\nprovisions of this Act are complied with; or\n(b) enter a premises to perform any other function imposed on the inspector\nunder this Act, or by the Authority.\n(4) The inspectors shall submit quarterly compliance reports in the manner", |
| "provisions of this Act are complied with; or\n(b) enter a premises to perform any other function imposed on the inspector\nunder this Act, or by the Authority.\n(4) The inspectors shall submit quarterly compliance reports in the manner\nprescribed by the Aut hority.\n(5) The Authority may conduct audits on all participating institutions , within periods\nto be determined by the Authority, to assess a participating institution \u2019s\ncompliance with applicable laws and the rules of the National Data Exchange\nPlatform .\nReporting Requirements\n22. (1) Where requested by the Authority, a participating institution shall provide reports\non activities undertaken through the National Data Exchange Platform . The report\nshall include any information as may be prescribed by the Author ity.\n(2) A participating institution shall notify the Authority within seven days of any change\nin the information that was submitted to the Authority for approval as a\nparticipating institution.\nOffences and Penalties\n23. (1) A person who contravenes or fails to comply with any provision of this Act\ncommits an offence and, where no penalty is expressly provided, shall be liable upon\nsummary conviction to a fine of not less than two hundred penalty units and not more\nthan ten thousand penalty units or to a term of imprisonment of not more than two\nyears or both .\n(2) A person who fails to comply with an administrative sanction prescribed by the\nAuthority under section 24 of this Act commits an offence and, where no penalty is\nexpres sly provided, shall be liable upon summary conviction to a fine of not less\nthan two hundred penalty units and not more than ten thousand penalty units or to\na term of imprisonment of not more than two years or both.", |
| "expres sly provided, shall be liable upon summary conviction to a fine of not less\nthan two hundred penalty units and not more than ten thousand penalty units or to\na term of imprisonment of not more than two years or both.\n(3) Where an offence under this Act is com mitted by a body corporate or by a member\nof a partnership or other firm, every director or officer of that body corporate or a\nmember of the partnership or any other person concerned with the management\nof the firm shall be deemed to have committed that offence and is liable on\nsummary conviction to a fine or term of imprisonment as prescribed.\n(4) A person shall not be convicted of an offence under subsection (3) if it is proved\nthat:\n(a) due diligence was exercised to prevent the commission of the offence; and\n(b) the offence was committed without the knowledge, consent or connivance of\nthat person.\nAdministrative Sanctions\n24. (1) A person who contravenes or fails to comply with any provision of this Act which is\nnot designated as an offence may be liable to adminis trative sanctions as prescribed\nby the Authority.\n16\n(2) The Authority may prescribe the following sanctions:\n(a) issue a warning or non -compliance notice to a participating institution;\n(b) suspend a participating institution from use of the National Data Exchange\nPlatform;\n(c) revoke access and r emove a participating institution from the National Data\nExchange Platform ;\n(d) impose administrative penalties on a participating institution;\n(e) impose bans on a participating institution; and\n(f) any other sanction as may be appropriate to redress the stated non -\ncompliance.", |
| "Exchange Platform ;\n(d) impose administrative penalties on a participating institution;\n(e) impose bans on a participating institution; and\n(f) any other sanction as may be appropriate to redress the stated non -\ncompliance.\n(3) A participating institution that has its access or approval revoked may submit a\nfresh application to the Authority to be reinstated after rectifying the breach or\nnon-compliance.\n(4) Participating institutions that have been banned shall not be permitted to reapply\nfor access.\n(5) The imposition of administrative sanctions or fines under this Act shall be without\nprejudice to any penalties, fines or sanctions that may be imposed by any other\nregulatory authority under any o ther enactment.\n(6) Where the conduct of a person constitutes an offence under this Act and any\nother enactment, nothing in this Act shall prevent the institution of proceedings\nunder that other enactment.\nDispute Resolution\n25. (1)The Authority shall establish a dispute resolution process to resolve disputes:\n(a) between data providers and data consumers;\n(b) between or among different data providers;\n(c) between data subjects and data providers or data consumers; and\n(d) between the Authority and data providers, data consumers or data subjects .\n(2) Where a dispute, pursuant to subsection s (c) and (d) above, concerns a matter\ninvolv ing data subjects , their personal data and data subject rights, then the\nAuthority shall involve the Data Protection [ Commission/ Authority ] in the\nresolution of the dispute .\n(3) Where a dispute under subsection (1) involves matters pertaining to issues of\ncybersecurity , then the Authority shall involve the Cybersecurity Authority in the\nresolution of the dispute.", |
| "Authority shall involve the Data Protection [ Commission/ Authority ] in the\nresolution of the dispute .\n(3) Where a dispute under subsection (1) involves matters pertaining to issues of\ncybersecurity , then the Authority shall involve the Cybersecurity Authority in the\nresolution of the dispute.\n(4) Any o ne or more parties to a dispute m ay refer the dispute to the Authority for\nsettlement by any alternative dispute resolution mechanism .\n(5) Where parties to a dispute agree that the dispute is to be settled by\n(a) the dispute resolution committee established under section 2 6; or\n(b) any alternative dispute resolution mechanism\nthe parties shall not institute an action in court until the dispute resolution\nprocedure has been exhausted.\nDispute Resolution Committee\n17 26. (1) The Authority shall establish a Dispute Resolution Committee for the purpose of\nthe resolution of disputes and shall prescribe the rules of procedure of the Dispute\nResolution Committee .\n(2) The composition of the Dispute Resolution Committee shall be determined by\nthe board of the Authority in consultation with the Advisory Committee .\n(3) The Dispute Reso lution Committee shall expeditiously investigate and hear any\nmatter which is brought before it.\n(4) The Authority shall determine the period within which disputes may be settled.\n(5) The Dispute Resolution Committee may require evidence or argum ents to be\npresented in writing and may decide the matters upon which it will hear oral\nevidence or written arguments.\n(6) A party to a dispute may appear at the hearing and may be represented by a\nlawyer or another person of that person's choice.\nPowers of the Dispute Resolution Committee\n27. (1) The Dispute Resolution Committee shall have the power to :", |
| "evidence or written arguments.\n(6) A party to a dispute may appear at the hearing and may be represented by a\nlawyer or another person of that person's choice.\nPowers of the Dispute Resolution Committee\n27. (1) The Dispute Resolution Committee shall have the power to :\n(a) issue summons to compel the attendance of witnesses ;\n(b) examine witnesses on oath, affirmation or otherwise ;\n(c) compel the production of documents ; and\n(d) refer a person for trial at the High Court for contempt.\n(2) A summons issued by the Dispute Resolution Committee shall be under the hand\nof the Secretary of the Authority .\nResolution of Referred Disputes\n28. (1)The Dispute Resolution Committee may, in settling a dispute .\n(a) make a declaration setting out the rights and obligations of the parties to the\ndispute;\n(b) make provisional or interim orders or awards related to the matter or part of\nthe matter, or give directions in furtherance of the hearing ;\n(c) dismiss or refrain from hearing or determining a matter in whole or in part if it\nappears that the matter or part of the matter, is trivial or vexatious or that\nfurther proceedings are not necessary or desirable in the public interest;\n(d) in appropriate circumstances, order an y party to pay the reasonable costs\nand expenses of another party, including the expenses of witnesses and fees\nof lawyers, in bringing the matter before the Authority; and\n(e) generally give directions and do anything that is necessary or expedient for\nthe h earing and determination of the matter.\nData Harmonisation Tribunal\nEstablishment of the Data Harmonisation Tribunal\n29. (1) There is by this Act established an appeal tribunal to be called the Data", |
| "(e) generally give directions and do anything that is necessary or expedient for\nthe h earing and determination of the matter.\nData Harmonisation Tribunal\nEstablishment of the Data Harmonisation Tribunal\n29. (1) There is by this Act established an appeal tribunal to be called the Data\nHarmonisation Tribunal which shall be convened on an ad -hoc basis to consider\nappeals against:\n(a) decisions or orders made by the Authority or to review a particular matter\nunder this Act or its regulations , directives or guidelines; and\n(b) decisions of the Dispute Resolutio n Committee of the Authority .\nComposition of the Tribunal\n18 30. (1) The members of the Tribunal shall be appointed by the Minister and shall consist\nof:\n(a) a chairperson who is either a retired Justice of the Superior Court or a lawyer\nof at least fifteen years standing who has experience in technology law\n(particularly data privacy, intellectual property, and cybersecurity matters) ,\npolicy, regulations or ar bitration ; and\n(b) two other members with experience or academic or professional qualifications\nin the data governance , public digital infrastructure, electronic engineering,\ndata protection, cybersecurity, law, economics or business or public\nadministration .\n(3) The Minister shall appoint a registrar and other staff necessary for the smooth\noperations of the Tribunal.\n(4) The expenses of the Tribunal shall be paid out of income derived by the Authority\nunder this Act and shall be part of the annual budget of the A uthority.\nRules of Procedure of the Tribunal\n31. (1) The Authority shall, within thirty days of the commencement of this Act, prepare\nproposals for rules of procedure for the Tribunal .", |
| "under this Act and shall be part of the annual budget of the A uthority.\nRules of Procedure of the Tribunal\n31. (1) The Authority shall, within thirty days of the commencement of this Act, prepare\nproposals for rules of procedure for the Tribunal .\n(2) The proposals shall be approved by a panel of the Tribunal specifically convened\nfor the purpose.\n(3) The Authority shall by legislative instrument make Regulations under this Act\nwhich shall prescribe the approved rules.\nRight of Appeal\n32. (1) A person affected by a decision of the Authority or the Dispute Resolution\nCommittee may appeal against it by sending a notice of appeal to the Tribunal in\naccordance with the rules of procedure of the Tribunal .\n(2) The notice of appeal must be sent within twenty -eight days after the date on\nwhich the decision being appealed against is announced or received .\n(3) The appellant shall set out in the notice of appeal:\n(a) the decision appealed against;\n(b) the provision under which the decision appealed against was taken; and\n(c) the grounds of appeal.\n(4) Within one month after receipt of a notice of appeal the Tribunal shall be\nconvened to consider the appeal.\nDecisions of the Tribunal\n33. (1) The Tribunal, after hearing the appeal may:\n(a) quash the decision ;\n(b) allow the appeal in whole or in part ; or\n(c) dismiss the appeal and confirm the decision of the Authority .\n(2) If the Tribunal allows the appeal in part, it may vary the decision of the Authority\nin any manner and subject to any conditions or limitations that it considers\nappropriate to impose .\n(3) The Tribunal may take into account any submissions filed by a person acti ng as", |
| "(2) If the Tribunal allows the appeal in part, it may vary the decision of the Authority\nin any manner and subject to any conditions or limitations that it considers\nappropriate to impose .\n(3) The Tribunal may take into account any submissions filed by a person acti ng as\na friend of the Tribunal in reaching a decision on an appeal brought before it .\n19\n(4) A decision of the Tribunal has the same effect as a judgement of the High Court\nand shall be final unless submitted to the High Court for review .\nFinancial Provisions\nFees\n34. The Minister shall determine the fees to be charged under this Act in accordance with\nthe Fees and Charges (Miscellaneous Provisions) Act, 2022 (Act 1080).\nSources of Funds\n35. The funds of the National Data Exchange Platform shall include:\n(a) seed money;\n(b) fees accruing to the National Data Exchange Platform under this Act;\n(c) moneys provided by Parliament;\n(d) donations, gifts , grants and other voluntary contribution ; and\n(e) any other moneys that are approved by the Minister responsible for Finance.\nExpenses\n36. The expenses of the National Data Exchange Platform shall be paid from moneys\nprovided from the funds of the National Data Exchange Platform .\nAccounts and audits\n37. (1) The Authority shall keep books of account and proper records in relation to the\nNational Data Exchange Platform in the form approved by the Auditor -General.\n(2) The Authority shall submit the accounts of the National Data Exchange Platform\nto the Auditor -General for audit within three months after the end of the financial\nyear.\n(3) The Auditor -General shall, not later than three months after the receipt of the", |
| "(2) The Authority shall submit the accounts of the National Data Exchange Platform\nto the Auditor -General for audit within three months after the end of the financial\nyear.\n(3) The Auditor -General shall, not later than three months after the receipt of the\naccounts, audit the accounts and forward a copy of the audit report to the\nMinister.\n(4) The Internal Audit Agency Act, 2003 (Act 658) shall apply to this Act.\n(5) The financial year of the Authority and the entity that manages the National Data\nExchange Platform shall be the same as the financial year of the Government.\nTransitional and Miscellaneous Provisions\nImplementation and Pilot Scheme\n38. The implementation of this Act shall be in phases as prescribed by the Minister.\nRelationship and Integration with Existing Laws\n39. (1)This Act shall be read in conjunction with applicable laws governing data\nprotection, intellectual property, public access to information, cybersecurity, electronic\ntransactions, and any other law which confers rights or imposes obligations relating\nto the generation, use, protection, and sharing of data in Ghana, including but not\nlimited to the:\n(a) Copyright Act, 2005 (Act 690) ;\n(b) [Cybersecurity Act 20XX (Act XXXX) ];\n(c) [Data Protection Act, 20XX (Act XXXX) ];\n(d) [Electronic Communications Act, 20XX (Act XXXX )];\n(e) [Electronic Transactions Act, 20XX (Act XXXX )];\n20 (f) Ghana Standards Authority Act, 2022 (Act 1078 );\n(g) National Identification Authority Act, 2006 (Act 707)\n(h) National Signals Bureau Act, 2020 (Act 1040);", |
| "20 (f) Ghana Standards Authority Act, 2022 (Act 1078 );\n(g) National Identification Authority Act, 2006 (Act 707)\n(h) National Signals Bureau Act, 2020 (Act 1040);\n(i) Patents Act, 2003 (Act 657);\n(j) Protection Against Unfair Competition Act, 2000 (Act 589);\n(k) Right to Information Act, 2019 (Act 989) ;\n(l) Security and Intelligence Agencies Act, 2020 (Act 1030) ;\n(m) State Secrets Act, 1962 (Act 101) ;\nand shall not, except as otherwise provided in this Act, derogate from the\nprovisions of these Acts.\n(2) Where there is any conflict between this Act and any relevant enactment in\nrespect of the standardisation and sharing of data , the provisions of this Act shal l\nprevail.\n40. Repeals and Savings\n[TBD]\nRegulations\n41. The Minister may, on the recommendation of the Authority, make Regulations for the\nimplementation of this Act .\nInterpretation\n42. In this Act unless the context otherwise requires:\n\u201cAdvisory Committee \u201d means the strategic Advisory Committee established to advise\nthe Authority on the implementation of this Act ;\n\u201cAPI\u201d means an Application Programming Interface that enables the secure and\nstructured exchange of data between different systems or databases, including\nauthentication, authorisation, and data formatting protocols.\n\u201cAuthority \u201d means the National Information Technology Agency ;\n\u201cdatabase \u201d means an organised collection of relevant public interest data, whether\nstructured or unstructured , which is maintained and made available by a data\nprovider for access, exchange and use on the National Data Exchange Platform;", |
| "\u201cAuthority \u201d means the National Information Technology Agency ;\n\u201cdatabase \u201d means an organised collection of relevant public interest data, whether\nstructured or unstructured , which is maintained and made available by a data\nprovider for access, exchange and use on the National Data Exchange Platform;\n\"data consumer\" means a n artificial person or entity that accesses, uses, re -uses or\nexchanges data through the National Data Exchange Platform for any lawful\npurpose, including research, service delivery, innovation, or regulatory compliance;\n\u201cdata controller \u201d shall be construed in accordance with the [Data Protection Act, 20 XX\n(Act XXX)] and means a person who either alone, jo intly with other persons\ndetermines the purposes for and the manner in which personal data is processed or\nis to be processed ;\n\"data provider\" means a public or private entity that generates, collects, processes,\nstores or holds public interest data and makes that data available through the\nNational Data Exchange Platform in accordance with this Act;\n\u201cdata register \u201d means a catalogue created by data providers to assist with navigating\ntheir database .\n21 \u201cdata subject \u201d shall be construed in accordance with the Data Protection Act, 20XX\n(Act XXX) and means an individual who is the subject of personal data;\n\u201cdata subject rights \u201d shall be c onstrued in accordance with the [Data Protection Act,\n20XX (Act XXX) ] and means [\u2026]\n\u201cexchange \u201d means the structured, secure, and authorised transmission of data\nbetween systems, institutions, or entities for a specific permitted purpose\n\u201cforeign \u201d means, in relation to a person or entity, any person or entity that is not\nGhanaian or an entity that is not incorporated, registered, or established under the", |
| "between systems, institutions, or entities for a specific permitted purpose\n\u201cforeign \u201d means, in relation to a person or entity, any person or entity that is not\nGhanaian or an entity that is not incorporated, registered, or established under the\nlaws of Ghana.\n\"National Data Exchange Platform \" means the public digital infrastruct ure designated\nunder this Act for the secure and standardised exchange of public interest data\nbetween the public and private sectors ;\n\u201cMinister \u201d means the Minister assigned responsibility for the Ministry of\nCommunications;\n\u201cMinistry \u201d means the Ministry of Communications ;\n\"open data\" means public interest data that is not subject to any law, regulation, or\npolicy that restricts its access or use, and may be accessed, used, reused, and\ndistributed by any person without legal or technical restriction;\n\u201cpersonal data \u201d shall be construed in accordance with the Data Protection Act, 20XX\n(Act XXX) and means any information relating to an identified or identifiable natural\nperson , and includes one or a combination of the following, whether iden tified by\nmanual or automated processing:\n(a) direct identifiers such as name ; email address ; phone number, identification\nnumber ; registration number; bank account, bank or smart card number;\nphotographic or video image of face;\n(b) indirect identifiers such as an location data ; age or age -range, occupation;\njob; profession; vocation; business; workplace; title; education; voice -\nrecordings, postal code; place of birth; date of birth; marital status;\nphotographs or videos without facia l detail but identifications such as side\nviews, clothing, marks and mannerism; language preference; profiles without", |
| "recordings, postal code; place of birth; date of birth; marital status;\nphotographs or videos without facia l detail but identifications such as side\nviews, clothing, marks and mannerism; language preference; profiles without\nfacial detail but which could be attributed to a natural person by the use of\nadditional information ;\n(c) online identifiers such as IP addres s; cookies; device ID; login credentials;\nuser IDs; push notification tokens, browser history or fingerprints;\n(d) data which have undergone pseudonymisation, but which could be attributed\nto a natural person by the use of additional information should be cons idered\nto be information on an identifiable natural person ; and\n(e) one or more factors specific to the physical, physiological, mental, economic,\ncultural or social identity of that natural person ;\n\u201cparticipating institution \u201d means a data provider or data c onsumer as defined under\nthis Act ;\n\u201cprocessing \u201d shall be construed in accordance with the [Data Protection Act, 20 XX\n(Act XXXX )] and means an operation or activity or set of operations by electronic or\nother means that concerns data or personal data and the\n(a) collection, organization, adaptation or alteration of the information or data,\n22 (b) retrieval, consultation or use of the information or data ,\n(c) disclosure of the information or data by transmission, dissemination or other\nmeans available, or\n(d) alignment, combination, blocking, erasure or destruction of the information or\ndata;\n\"public interest data\" means data, whether personal or non -personal, recorded and\ndocumented in any manner and on any medium, which is collected, created,", |
| "means available, or\n(d) alignment, combination, blocking, erasure or destruction of the information or\ndata;\n\"public interest data\" means data, whether personal or non -personal, recorded and\ndocumented in any manner and on any medium, which is collected, created,\ngenerated, held or otherwise processed by public authorities, private entities, or other\ninstitutions, and is either necessary for or beneficial to public purposes, inclu ding but\nnot limited to, the provision of public services, performance of public functions,\nregulatory compliance, or national development. Public interest data shall include any\ndata prescribed as public interest data by the Minister;\n\"restricted data\" m eans public interest data of a sensitive or classified nature, for\nwhich access is limited by law, or may only be granted upon fulfilment of specified\nconditions, including the demonstration of a legitimate interest or the application of\nspecial procedures . Restricted Data includes state secrets, information relating to\nnational security, confidential business information, or other categories that the law\nexempt s from public disclosure. Restricted data shall include any data prescribed as\nrestricted data by the Minister ;\n\u201cRepublic \u201d means the Republic of Ghana;\n\u201cre-use\u201d means the use , whether commercial or non -commercial, of public interest\ndata obtained through the National Data Exchange Platform for a purpose other than\nthe initial purpose for which the data was collected ;\n\"shareable data\" means public interest data that is not classified as restricted data\nbut may only be accessed or used subject to prescribed terms, procedures, or\nconditions; and\n23\nFIRST SCHEDULE\nPart X\n(Section X)\nPublic Interest Data Classification Framework\nPublic interest data shall be classified for the purposes of this Act into \u2014\na. open data ,\nb. shareable data , and\nc. restricted data .", |
| "conditions; and\n23\nFIRST SCHEDULE\nPart X\n(Section X)\nPublic Interest Data Classification Framework\nPublic interest data shall be classified for the purposes of this Act into \u2014\na. open data ,\nb. shareable data , and\nc. restricted data .\nOpen data refers to public interest data that :\na. is not subject to any le gal, commercial, or confidentiality restrictions; and\nb. may be freely accessed, used, reused, or redistributed without requiring specific\nauthorisation.\nShareable data refers to public interest data that :\na. is not openly available to the public; but\nb. may be accessed or reused by authorised persons under specific terms, conditions or\nprocedures prescribed by law or determined by the data provider.\nRestricted data refers to public interest data :\na. which is subject to legal, contractual, or institutiona l restrictions on access, use, or\ndisclosure; or\nb. which, if disclosed, may reasonably be expected to pose a risk to national security, public\norder, individual privacy, or the rights and interests of a third party.\nThe Data Protection [Commission /Authority] is in consultation with the Authority shall\nprescribe guid elines for the classification of data\nThe Minister may, on the advice of the Authority, by legislative instrument, issue guidelines\nfor:\na. the further classification of public interest data by sector, type, sensitivity, or purpose; and\nb. the criteria for reclassification of data from one category to another, including from\nrestricted to shareable or from shareable to open, where applicable.\n24\nSECOND SCHEDULE\nPart X\n(Section X)\nLocal Participation and Local Content Requirements for the National Data Exchange\nPlatform operator" |
| ] |