| 1 DATA HARMONISATION BILL |
| ARRANGEMENT OF SECTIONS |
| PRELIMINARY MATTERS |
| 1. Application |
| 2. Objectives |
| 3. Guiding Principles |
| DATA SHARING AND THE NATIONAL DATA EXCHANGE PLATFORM |
| 4. Establishment of the National Data Exchange Platform |
| 5. Data Sharing Obligations |
| 6. Data Providers |
| 7. Data Exchange Framework |
| 8. System Integration and API Governance |
| 9. Data Security |
| 10. Data Quality Requirements |
| 11. Audit Trails and Logging |
| 12. Oversight and Accountability |
| GOVERNANCE FRAMEWORK |
| 13. Oversight Authority |
| 14. Functions of the Authority |
| 15. Data Harmonisation Advisory Committee |
| ACCESS AND USE OF THE NATIONAL DATA EXCHANGE PLATFORM |
| 16. Data Access |
| 17. Onboarding and Access Control Protocols |
| 18. Cross -Border Transfers |
| DATA PROTECTION |
| 19. Data Subject Rights |
| 20. Obligations of Data Controllers and Data Processo rs |
| COMPLIANCE AND ENFORCEMENT |
| 21. Compliance Monitoring |
| 22. Reporting Requirements |
| 23. Offences and Penalties |
| 24. Administrative Sanctions |
| 25. Dispute Resolution |
| 26. Dispute Resolution Committee |
| 27. Powers of the Dispute Resolution Committee |
| 28. Resolution of Referred Disputes |
| DATA HARMONISATION TRIBUNAL |
| 29. Establishment of the Data Harmonisation Tribunal |
| 30. Composition of the Tribunal |
| 2 31. Rules of Procedure of the Tribunal |
| 32. Right of Appeal |
| 33. Decisions of the Tribunal |
| FINANCIAL PROVISIONS |
| 34. Fees |
| 35. Sources of Funds |
| 36. Expenses |
| 37. Accounts and audits |
| TRANSITIONAL AND MISCELLANEOUS PROVISIONS |
| 38. Implementation and Pilot Scheme |
| 39. Relationship and Integration with Existing Laws |
| 40. Repeals and Savings |
| 41. Regulations |
| 42. Interpretation |
| SCHEDULES |
| FIRST SCHEDULE |
| Public Interest Data Classification Framework |
| SECOND SCHED ULE |
| Local Participation and Local Content Requirements |
| 3 |
| A BILL ENTITLED |
| THE DATA HARMONISATION ACT, 20XX (ACT XXXX) |
| AN ACT to promote data harmonisation, standardisation and exchange to enhance data |
| governance, enable efficient public service delivery, and safeguard data rights and to provide |
| for related matters . |
| DATE OF ASSENT : |
| PASSED by Parliament and assented to by the President: |
| Preliminary Matters |
| Application of this Act |
| 1. (1) This Act applies to all public interest data and all holders of public interest data . |
| (2) Without limiting subsection (1), this Act applies to: |
| (a) all public sector institutions, including ministries, departments, agencies, and |
| statutory bodies, that collect, generate, process, store or hold public interest |
| data; |
| (b) all private sector entities that generate, collect, store, or otherwise control or |
| proce ss public interest data in connection with a public function, a regulatory |
| obligation, or the provision of goods or services; |
| (c) any person or institution granted access to the National Data Exchange |
| Platform under this Act ; and |
| (d) any category of persons whom the Minister shall designate . |
| (3) This Act shall not compel the mandatory sharing of any information classified as |
| restricted data, or any other information whose disclosure would endanger |
| national security, defen ce, or public safety. |
| Objective s of the Act |
| 2. The purpose of this Act is to establish a legal and institutional framework for the |
| harmonisation, sharing and use of public interest data, through a secure data |
| exchange infrastructure, to support efficient public administration and national |
| development. The objectives of this Act are to: |
| (a) promote coordinated and harmonised data governance across public and |
| private institutions; |
| (b) improve the quality, accessibility, interconnected ness and interoperability of |
| public interest data ; |
| (c) provide the legal mandate f or the sharing of public interest data; |
| (d) enable the lawful and secure sharing of public interest data across institutional |
| and sectoral boundaries; |
| (e) support innovation, competition, research, and evidence -based policy making |
| by enabling lawful access to publ ic interest data; |
| (f) protect the public from fraud, misinformation, and other risks arising from poor |
| data management and fragmented information systems; and |
| (g) ensure that public interest data is governed in accordance with national |
| values, applicable standard s, and international best practices . |
| 4 |
| Guiding Principles |
| 3. The implementation of this Act shall be guided by the following principles: |
| (a) data integrity, public interest data must be consistent , accurate and reliable ; |
| (b) data standardisation, there must be common formats, definitions and |
| classifications used across databases to enable exchange of information and |
| comparability ; |
| (c) data democratisation, public interest data must be accessible and readily |
| available for use across sectors; |
| (d) interoperability, systems and institutions must be able to interpret, use, and |
| exchange data seamlessly through the appropriate standards and protocols; |
| (e) reusability, redundant data collection must be avoided ; where applicable, the |
| same data should be collected once only and re-used appropriately across |
| institutions ; |
| (f) security, access to public interest data should be as open as possible, but as |
| closed as necessary; the right to access data must be balanced with the |
| privacy and safety of citizens and the security of the Republ ic; |
| (g) optimisation, data sharing and system integration should support the delivery |
| of timely, efficient and citizen -centred public services; and |
| (h) transparency, the collection, access and use of public interest data should be |
| forthright and promote accountabi lity and public trust . |
| Data Sharing and the National Data Exchange Platform |
| Establishment of the National Data Exchange Platform |
| 4. (1) There is established by this Act the National Data Exchange Platform , a public |
| digital infrastructure for the secure, standardised and interoperable exchange of public |
| interest data . |
| (2) The National Data Exchange Platform shall operate as the central national |
| infrastructure for the provision and exchange of public interest data held by public |
| institutions and eligible private entities, specifically comprising open data and |
| shareable data. |
| (3) The National Data Exchange Platform shall: |
| (a) facilitate the lawful sharing , exchange and re -use of public interest data in |
| accordance with this Act; |
| (b) support machine -readable access to public interest data through standardised |
| APIs and related technologies; |
| (c) support accessi bility to public intere st data and the interoperability of |
| databases; |
| (d) facilitate the onboarding of data providers and data consumers; and |
| (e) promote transparency in the access and management of public interest data . |
| (4) The National Data Exchange Platform shall be held by the Republic through the |
| Ministry. |
| (5) The technical operation, configuration, administration and maintenance of the |
| National Data Exchange Platform shall be managed and supervised by the |
| Authority in accordance with the policy direction and objectives prescribed by the |
| Minister . |
| (6) The i nstallation and day -to-day operations of the National Data Exchange Platform |
| shall at all times be managed by an ent ity registered under the laws of Ghana and |
| 5 subject to the local content and local participation requirements prescribed by the |
| Authority. |
| (7) The Minister may prescribe requirements and procedures for the administration of |
| the National Data Exchange Platform . |
| Data Sharing Obligation s |
| 5. (1) All holders of public interest data shall identify and classify the public interest data |
| they hold as either open data, shareable data or restricted data in accordance with |
| Schedule 1 of this Act . |
| (2) The Minister may from time to time prescribe additional classifications of public |
| interest data. |
| (3) All open data holders shall provide access to such open data via the National |
| Data Exchange Platform in accordance with this Act and any directives issued |
| under it. |
| (4) Shareable data holders shall provide access to sharea ble data via the National |
| Data Exchange Platform upon the fulfilment of the relevant conditions required to |
| access that shareable data. |
| (5) Shareable data holders shall clearly define and make transparent any conditions, |
| procedures or terms which need to be met to access the shareable data. |
| (6) Nothing in this section shall be construed to require the sharing of data classified |
| as restricted, except as may be authoris ed under this Act or any other applicable |
| law. |
| (7) A holder of public interest data who fails to provide access in contravention of this |
| section commits an offence and shall be liable upon summary conviction to a fine |
| of not less than two hundred penalty unit s and not more than ten thousand penalty |
| units . |
| Data Providers |
| 6. (1) A holder of public interest data may be designated as a data provider under this Act |
| and shall be onboarded onto the National Data Exchange Platform . |
| (2) A person shall qualify as a data provider if that person: |
| (a) is a public body or private entity or institution that holds public interest data; |
| or |
| (b) performs a statutory, regulatory, or public service function involving the |
| generation or management of public interest data; and |
| (c) meets the eligib ility criteria prescribed by the Authority. |
| (3) Without limiting the provisions of subsection (2) above, the Minister may designate |
| entities, bodies, systems, organisations and institutions as data providers. |
| (4) The Authority shall, in consultation with the Advisory Committee , prescribe the |
| criteria and procedures for determining eligibility as a data provider and the |
| responsibilities of approved data providers in their operation s on the National Data |
| Exchange Platform . |
| (5) The Authority shall issue guidelines on the process and technical requirements for |
| onboarding and integration with the National Data Exchange Platform . |
| 6 |
| (6) A data provider shall: |
| (a) ensure the accuracy and completeness of the ir database provided; |
| (b) apply the appropriate classification, specifications and format requirements as |
| prescribed under this Act; |
| (c) implement appropriate security and technical measures, access controls and |
| data protection measures as required under this Act or any other applicable |
| law; and |
| (d) maintain internal processes to support tim ely and efficient data exchange in |
| accordance with this Act and any Regulations, directives or guid elines issued |
| under this Act . |
| (7) The Authority shall, in consultation with relevant sector regulators, maintain a |
| register of approved data providers . |
| Data Exchange Framework |
| 7. (1) Data providers shall grant access to their databases in a file format which is |
| structured , machine -readable and compatible with the National Data Exchange |
| Platform to allow software applications to easily identify, recognise and extr act specific |
| data. |
| (2) The Authority shall, in consultation with the Advisory Committee , prescribe |
| technical and operational standards, including but not limited to: |
| (a) the use of standardised data formats across all databases ; |
| (b) the adoption of sector -appropriate data exchange formats, including but not |
| limited to XML and JSON; |
| (c) connectivity protocols that ensure secure, real -time, or scheduled data |
| transmission; |
| (d) the application of sector -specific classification systems, taxonomies, and |
| data dicti onaries; |
| (e) the use of unique identifiers across sectors to ensure traceability and data |
| deduplication; and |
| (f) metadata standards, classification levels, and tagging practices for all public |
| interest data. |
| (3) The Authority shall prescribe the technical specificati ons referenced under |
| subsection (2) and update them periodically to reflect international best practices |
| and emerging technologies. |
| (4) Where conversion of public interest data into the prescribed digital format is |
| impossible or would involve a disproportiona te effort, the data provider shall |
| consult with the Authority to determine an appropriate alternative prior to their |
| onboarding. |
| System Integration and API Governance |
| 8. (1) A data provider shall ensure that all data sharing occurs through secure, |
| standard ised, and auditable APIs, as prescribed by the Authority in consultati on with |
| the Ghana Standards Authority . |
| (2) The Authority shall prescribe technical specifications on: |
| (a) API architecture, protocols, and endpoints to ensure system -wide |
| interoperability; |
| (b) authentication and authorisation mechanisms, including the use of digital |
| credentials, access tokens, and role -based permissions; |
| 7 (c) encryption requirements for data in transit and at rest to preserve |
| confidentiality and integrity; |
| (d) tracking, logging, and audi t mechanisms for each data request and response |
| exchanged via the National Data Exchange Platform ; |
| (e) implementation of tiered access or safeguard measures for sensitive data |
| requiring limited or controlled disclosure ; and |
| (f) any other specifications that the Authority may deem relevant. |
| (3) A data provider shall comply with all specifications provided by the Authority in |
| accordance with sub section (2) and shall implement robust internal policies and |
| procedures to protect and safeguard access to their API keys to prevent |
| unauthorised use. |
| (4) A data provider who intentionally , recklessly or by gross negligence fails to prevent |
| API exposure and unauthorised access is subject to an administrative penalty of up |
| to ten thousand penalty units. |
| (5) A data provider shall not e xpose or allow access to any database through the |
| National Data Exchange Platform unless the relevant API integration has been |
| tested and approved by the Authority or a body designated by the Authority. |
| (6) A data provider who fails to comply with subsection (5) commits an offence and shall |
| be liable upon summary conviction to a fine of not less than five hundred penalty |
| units and not more than fifty thousand penalty units . |
| (7) The Authority may, in addition to the penalty under subsection (6), impose an |
| administrative penalty of up to one thousand penalty units. |
| (8) The Authority shall monitor API performance, integrity, and security on a continuous |
| basis, and may issue technical updates or revoke access where necessary to |
| ensure compliance with this Act . |
| Data Security |
| 9. (1) A data provider shall implement appropriate technical and organisational measures |
| to ensure the confidentiality, integrity, security and continuous availability of the public |
| interest data they share through the National Data Exchange Pla tform . |
| (2) Without limiting subsection (1) or any other obligations of data providers under this |
| agreement, a data provider shall: |
| (a) establish role-based access controls and user authentication protocols to |
| prevent unauthorised access to the database; |
| (b) ensure encryption of data in transit and at rest, using standards prescribed by |
| the Authority; |
| (c) maintain routine backup systems for the database ; |
| (d) implement business continuity and disaster recovery measures to minimise |
| disruption in the event of system failure or compromise; and |
| (e) maintain internal controls and procedures for identifying, reporting, and |
| responding to security incident s. |
| (3) The Authority may, in consultation with the Cyber Security Authority , Data |
| Protection Commission and any other relevant government agencies , issue |
| guidelines or directives specifying minimum security standards for data providers |
| and data consumers. |
| 8 (4) The Authority may prescribe different data security benchmarks for specific |
| sectors or databases , taking into account the nature, use, a nd sensitivity of the |
| data. |
| (5) A data provider shall, upon request, furnish the Authority with evidence of the |
| internal procedures and systems in place to ensure data security in accordance |
| with this section. |
| (6) A data provider shall notify the Authority promptly of any actual or suspected |
| breach, compromise, or unauthorised access affecting its database, and in any |
| case , no later than within seventy -two ( 72) hours of discovery : |
| (a) where the breach is of a nature affect ing personal data, then the data |
| provider shall additionally notify the Data Protection Commission in |
| accordance with the provisions of the [Data Protectio n Act 20XX, (Act |
| XXX) ]. |
| (b) where the bre ach is of a nature involving cybersecurity -related matters |
| then the data provider shall additionally notify the Cybersecurity Authority |
| within twenty -four (24) hours of detection in accordance with the |
| [Cybersecurity Act 20XX, (Act XXX) ]; |
| (7) The form and manner of notification in subsection ( 6) and the immediate steps to |
| be implemented after notification shall be prescribed by the Authority . |
| (8) A data provider who fails to comply with this section 9 commits an offence and |
| shall be liable upon summary conviction to a fine of not less than five hundred |
| penalty units a nd not more than fifty thousand penalty units. |
| (9) The Authority may, in addition to the penalty under subsection (8), impose an |
| administrative penalty of up to ten thousand penalty units. |
| Data Quality Requirements |
| 10. (1) A data provider shall ensure that all databases made available through the National |
| Data Exchange Platform meet the quality standards prescribed by the Authority. |
| (2) For the purposes of subsection (1), a data provider shall: |
| (a) maintain the accuracy and completeness of public interest data contained in |
| its databases; |
| (b) eliminate duplicate records and ensure data consistency across systems; |
| (c) establish procedures for regular updates, corrections, and verification of data |
| entries; and |
| (d) where appropriate, impleme nt version control mechanisms to track changes |
| and ensure the integrity of historical records. |
| (3) The Authority may prescribe different data quality benchmarks for specific sectors |
| or categories of data, taking into account the nature, use, and sensitivity o f the |
| data. |
| (4) A data provider shall, upon request, furnish the Authority with evidence of the |
| internal procedures and systems in place to ensure data quality in accordance with |
| this section . |
| Audit Trails and Logging |
| 11. (1) A data provider shall implement and maintain audit trails and logging mechanisms |
| for every access, transmission, or modification of public interest data through the |
| National Data Exchange Platform . |
| 9 |
| (2) The audit trails and logs shall, at a minimum : |
| (a) record the identity of the data consumer or sy stem initiating the access or |
| request; |
| (b) specify the nature, date, time, and outcome of the transaction; |
| (c) indicate the database and category or classification of data accessed or |
| exchanged; and |
| (d) capture any anomalies, access failures, or unauthorised attempts . |
| (3) Audit logs shall be : |
| (a) securely stored in tamper -evident form; |
| (b) encrypted and protected from unauthorised access or deletion; and |
| (c) retained for a minimum of five (5) years, or such other period as may be |
| prescribed by the Authority . |
| (4) The Authority may : |
| (a) cond uct periodic reviews of audit trails for compliance monitoring or technical |
| assessment; |
| (b) require the submission of logs by data providers to support investigations, verify |
| system integrity, or assess suspected misuse; and |
| (c) issue directives regarding the form at, storage, or transmission of audit logs. |
| (5) A data provider shall establish internal protocols for monitoring and analysing audit |
| trails to detect unusual activity, prevent abuse, and support incident response. |
| Oversight and Accountability |
| 12. (1) The Authority shall monitor and enforce compliance with this Act, and may take |
| appropriate enforcement action s against any data provider or data consumer who fails |
| to meet their obligations under this Act. |
| (2) In carrying out its oversight function, the Authority shall issue guidelines, |
| directives, and notices to ensure the proper functioning of the National Data |
| Exchange Platform . |
| (3) The Authority shall consult the Advisory Committee and other relevant |
| stakeholders in matters of joint oversight or technica l coordination. |
| (4) A data provider shall submit periodic reports on their performance on the National |
| Data Exchange Platform and their compliance with this Act. The form and |
| frequency of the reports shall be determined by the Authority. |
| (5) The Authority shall publish an annual report detailing performance indicators and |
| other key metrics of the National Data Exchange Platform and other relevant |
| information to promote transparency. |
| (6) Each data provider shall: |
| (a) appoint a designated officer responsible for ensuring compliance with the |
| obligations under this Act; |
| (b) respond to queries or directives issued by the Authority within the prescribed |
| timelines; and |
| (c) take corrective actions directed by the Authority promptly where deficiencies |
| are identified. |
| Governance Framework |
| 10 Oversight Authority |
| 13. The Authority shall be responsible for overseeing the implementation and |
| enforcement of this Act . |
| Functions of the Authority |
| 14. The functions of the Authority include but are not limited to: |
| (a) overseeing the establishment and maintenance of the National Data |
| Exchange Platform ; |
| (b) ensuring the operational integrity, accessibility and efficiency of the National |
| Data Exchange Platform ; |
| (c) overseeing compliance with the provisions of this Act and any subs idiary |
| legislation , regulations, directives, guidelines or notices issued under this Act; |
| (d) developing, issuing and updating technical, operational and security |
| guidelines in consultation with the Advisory Committee ; |
| (e) overseeing the onboarding, registration, and monitoring of data providers and |
| data consumers; |
| (f) maintaining a register of data providers and data consumers connected to |
| the National Data Exchange Platform ; |
| (g) collaborating with relevant stakeholders to ensure alignment with national |
| policies and frame works; |
| (h) coordinating with other regulatory bodies to ensure alignment with applicable |
| laws, including but not limited to laws on data protection , cybersecurity , |
| standardisation and open banking ; |
| (i) issuing and enforcing administrative directives, notices or sa nctions as |
| provided under this Act; |
| (j) investigat ing and resolv ing disputes ; |
| (k) coordinating capacity building, stakeholder engagement, and public |
| education on data harmonisation and the National Data Exchange Platform ; |
| and |
| (l) advising the Minister on policy implementation matters under this Act. |
| Data Harmonisation Advisory Committee |
| 15. (1) There is established by this Act a Data Harmonisation Advisory Committee to |
| provide operational insight, discuss cross -sectoral matters on data harmonisation |
| and provid e strategic advice to support the Authority in the effective performance of |
| its functions . |
| (2) The Committee shall be composed of: |
| (a) the Minister; |
| (b) a representative of the National Information Technology Agency not below |
| the rank of a director ; |
| (c) a representative of the Bank of Ghana not below the rank of director ; |
| (d) a representative of the Cyber Security Authority not below the rank of a |
| director ; |
| (e) a representative of the Data Protection Commission not below the rank of a |
| director ; |
| (f) a representative of the Ghana Stand ards Authority not below the rank of a |
| director or its functional equivalent; |
| (g) a representative of the Ghana Statistical Service not below the rank of a |
| director or its functional equivalent ; |
| (h) a representative of the National Communications Authority not bel ow the |
| rank of a director ; |
| (i) a representative of the National Identification Authority not below the rank of |
| a director or its functional equivalent ; |
| 11 (j) a senior officer of the [National Intelligence Bureau/ National Security |
| Council ]; |
| (k) a representative of the Office of the Registrar of Companies not below the |
| rank of a director or its functional equivalent ; |
| (l) two persons from the private sector with expertise in data management, data |
| architecture, data analysis, standards engineering, ICT or digital services; |
| and |
| (m) one representative of civil society with experience in data protection, |
| intellectual property or digital rights. |
| (3) The members of the Committee shall be appointed by the Minister on the |
| recommendation of the respective institutions and at least three ( 3) of the |
| representatives shall be women . |
| (4) The Minister shall be C hairperson of the Advisory Committee . |
| (5) The Committee shall meet at least once every six months and may hold |
| extraordinary meetings: |
| (a) at the request of the Chairperson; or |
| (b) upon the written request of not less than one -third of the members of the |
| Advisory Committee. |
| (6) The Advisory Committee shall provide practical guidance on the implementation |
| of this Act only and shall not exercise any executive, regulatory or operational |
| authority under thi s Act. |
| (7) The Committee shall advise the Authority on : |
| (a) strategic direction and long -term planning for data exchange and |
| harmonisation; |
| (b) stakeholder coordination and multi -agency alignment; |
| (c) phased implementation of the Act and any practical challenges ; |
| (d) cross -sector engagements and feedback; |
| (e) drafting of guidelines under the Act; |
| (f) standards for interoperability and integration; and |
| (g) any other matters as may be referred to it by the Authority or the Minister. |
| (8) The term of office of a member of the Committee is four years , and a member is |
| eligible for reappointment for another term only. |
| Access and Use of the National Data Exchange Platform |
| Data Access |
| 16. (1) A person approved by the Authority as a data consumer may access public |
| interest data through the National Data Exchange Platform in accordance with this |
| Act. |
| (2) Access to data on the National Data Exchange Platform shall be granted for the |
| following permitted purposes: |
| (a) delivery of public services or performance of statutory functions; |
| (b) research, innovat ion, and academic development; |
| (c) statistical analysis and evidence -based policymaking; |
| (d) detection and prevention of fraud, financial crime or other unlawful conduct; |
| (e) regulatory compliance, oversight and supervision functions; or |
| (f) any other lawful purpose s approved by the Authority in consultation with the |
| Minister . |
| 12 |
| (3) A person seeking approval as a data consumer shall apply to the Authority for |
| authorisation. The application shall be made in a manner prescribed by the |
| Authority and at a minimum, must: |
| (a) identify the applicant and describe the purpose for which access is required; |
| (b) specify the public interest data for which access is being requested, |
| including any intended re -use or onward sharing; |
| (c) disclose the applicant ’s legal basis or authorisation for accessing the data, |
| where applicable; |
| (d) include high -level information on its technical systems for the purpose of |
| assessment for integration; |
| (e) comply with any other conditions prescribed by the Authority , including the |
| payment of prescribed fees . |
| (4) A person seeking app roval as a data consumer shall be a legal entity or body |
| corporate and shall not be a natural person. |
| (5) Upon approval, a data consumer shall be granted access credentials to the |
| National Data Exchange Platform for a period of one (1) year and assigned a data |
| access tier in accordance with their authorisation level. |
| (6) A data consumer may, upon expiration of their credentials, apply to the Authority |
| for a renewal of their subscription in the prescribed form. The Authority may |
| request additional up -to-date information from the applicant prior to granting a |
| renewal. |
| (7) A person who unlawfully or without the proper authorisation accesses databases |
| on the National Data Exchange Platform commits an offence and shall be liable |
| upon summary conviction to a fine of not less than one thousand penalty units and |
| not more than one hundred thousand penalty units or a term of imprisonment of |
| not more than five years or both. |
| (8) The Authority may, in addition to the penalty under subsection (7), impose an |
| administrative penalty of up to ten thousand penalty units. |
| (9) Data consumers may be required to enter data use agreements as a precondition |
| to accessing shareable data or restricted data. |
| (10) Data consumers shall not re -use data obtained through the National Data |
| Exchange Platform in a manner that duplicates or directly competes with the |
| service offered by the data provider whose database they accessed . |
| (11) Data consumers shall not re -use personal data except in a manner that has been |
| consented to by the data subject or is otherwise pe rmitted by law. |
| (12) A data consumer that contravenes subsections ( 10) and ( 11) commits an offence |
| and is liable on summary conviction to a fine of not less than five thousand |
| penalty units and not more than fifty thousand penalty units . |
| (13) The Authority shall, in consultation with the Advisory Committee, issue guidelines |
| on the permitted re -use of data. |
| (14) A person who purchases or sells, attempts to purchase or sell, or does any act |
| with the intent to purchase or sell data obtained through the National Data |
| Excha nge Platform , except as otherwise approved by the Authority, commits an |
| 13 offence and is liable upon summary conviction to a fine of not less than five |
| thousand penalty units and not more than one hundred thousand penalty units or |
| a term of imprisonment of not more than seven years or both . |
| (15) A data provider shall maintain and submit to the Authority, in the form and |
| manner prescribed by the Authority, a data register cataloguing the public |
| interest data available through its database to promote ease of access . The data |
| register shall indicate: |
| (a) the public interest data available on the data provider ’s database; |
| (b) the classification of such data as open, shareable or restricted; |
| (c) for restricted or shareable data, any conditions or protoco ls required for the |
| disclosure of that data; |
| (d) the fees required to access their da tabase , where applicable; and |
| (e) any other information prescribed by the Authority. |
| (16) The Authority may refuse to grant an application where: |
| (a) the applicant fails to satisfy the applicable eligibility, legal, or technical |
| requirements; |
| (b) the data requested is classified as restricted and the applicant does not |
| possess the necessary clearance ; |
| (c) granting access may compromise national security, public safety, or data |
| integrity; or |
| (d) the request is otherwise inconsistent with the objectives of this Act. |
| (17) In the event of refusal, the Authority shall notify the applicant of the reasons for |
| the refusal. |
| (18) An international organisation or a foreign entity operating in Ghana may apply |
| for access to the National Data Exchange Platform through the Authority . |
| Applications for foreign data consumers shall be subject to additional conditions |
| prescribed by the Authority, and must be approved by the Minister. |
| (19) The Authority shall submit a list of all foreign data consumer applications that |
| have satisfied the prescribed additional criteria to the Minister for final approval |
| on a quarterly basis. |
| Onboarding and Access Control Protocols |
| 17. (1) The Authority shall establish a process for onboarding data consumers which may |
| include the payment of any applicable onboarding or service fees. |
| (2) The Authority shall implement access control protocols to govern the scope and |
| level of access granted to each data consumer. |
| (3) A data consumer shall not access any database or transmit data beyond the |
| level or purpose for which access has been granted. The Authority may suspend |
| or revoke access for any data consumers who fail to comply with this section. |
| (4) Data consumers who contrav ene subsection (3) commit an offence and shall be |
| liable upon summary conviction to a fine of not less than five hundred penalty |
| units and not more than fifty thousand penalty units. |
| (5) The Authority may, in addition to the penalties under subsections (3) an d (4), |
| impose an administrative penalty of up to five hundred penalty units. |
| 14 Cross -Border Transfers |
| 18. (1) The transfer of public interest data through the National Data Exchange Platform |
| to data consumers outside the jurisdiction of Ghana is permitted only in accordance |
| with the provisions of this Act. |
| (2) Cross -border transfers pursuant to subsection (1) shall: |
| (a) be in compliance with the [Data Protection Act, 20XX(Act XXX) ] and other |
| applicable laws; |
| (b) comply with any safeguards, protocols or limitations prescribed under this Act |
| or issued by the Authority ; and |
| (c) be approved by the Minister. |
| (3) Safeguards under subsection (2) may include: |
| (a) restrictions on the type or category of data which may be transferred outside |
| the jurisdiction ; |
| (b) mandatory access through a registered Ghanaian subsidiary or an approved |
| local representative regulated by the Authority ; |
| (c) limitations on the duration of access; |
| (d) additional requirements for technical safeguards, access logs and audits ; and |
| (e) any safeguards prescribed by the Minister o r the Authority. |
| (4) A data provider or data consumer that facilitates or permits cross -border transfers |
| of data through the National Data Exchange Platform in a manner that |
| circumvents or violates this section, commits an offence and shall be liable upon |
| summary conviction to a fine of not less than five hundred penalty units and not |
| more than one hundred thousand penalty units. |
| (5) The Authority may, in addition to the penalty under subsection (4), impose other |
| administrative sanctions, including an administrat ive penalty of up to five thousand |
| penalty units . |
| Data Protection |
| Data Subject Rights |
| 19. Nothing in this Act shall be construed to limit or derogate from the rights of data |
| subjects under the [Data Protection Act, 20 XX (Act XXX)]. Where public interest data |
| includes personal data, the processing, access, or sharing of such data through the |
| National Data Exchange Platform shall be undertaken in a manner that upholds Act |
| XXX. The Authority shall work in collaboration with the Data P rotection Commission |
| to ensure the enforcement of data subject rights in relation to the use , re-use and |
| exchange of personal data through the National Data Exchange Platform . |
| Obligations of Data Controllers and Data Processors |
| 20. Nothing in this Act shall be construed to limit or derogate from the obligations of data |
| controllers and data processors under the [Data Protection Act, 20XX(Act XXX) ]. |
| Compliance and Enforcement |
| Compliance Monitoring |
| 21. (1) The Authority shall establish and maintain a monitoring system to monitor |
| compliance with the rules, obligations and requirements of the National Data |
| Exchange Platform and this Act . |
| (2) The Authority may appoint inspectors to carry out monitoring functio ns outlined |
| under this Act or prescribed by the Authority or the Minister. |
| 15 |
| (3) The inspector may at reasonable times: |
| (a) enter and inspect a premises, which the inspector knows or reasonably |
| suspects to be used for a purpose to which this Act applies, to ensure that the |
| provisions of this Act are complied with; or |
| (b) enter a premises to perform any other function imposed on the inspector |
| under this Act, or by the Authority. |
| (4) The inspectors shall submit quarterly compliance reports in the manner |
| prescribed by the Aut hority. |
| (5) The Authority may conduct audits on all participating institutions , within periods |
| to be determined by the Authority, to assess a participating institution ’s |
| compliance with applicable laws and the rules of the National Data Exchange |
| Platform . |
| Reporting Requirements |
| 22. (1) Where requested by the Authority, a participating institution shall provide reports |
| on activities undertaken through the National Data Exchange Platform . The report |
| shall include any information as may be prescribed by the Author ity. |
| (2) A participating institution shall notify the Authority within seven days of any change |
| in the information that was submitted to the Authority for approval as a |
| participating institution. |
| Offences and Penalties |
| 23. (1) A person who contravenes or fails to comply with any provision of this Act |
| commits an offence and, where no penalty is expressly provided, shall be liable upon |
| summary conviction to a fine of not less than two hundred penalty units and not more |
| than ten thousand penalty units or to a term of imprisonment of not more than two |
| years or both . |
| (2) A person who fails to comply with an administrative sanction prescribed by the |
| Authority under section 24 of this Act commits an offence and, where no penalty is |
| expres sly provided, shall be liable upon summary conviction to a fine of not less |
| than two hundred penalty units and not more than ten thousand penalty units or to |
| a term of imprisonment of not more than two years or both. |
| (3) Where an offence under this Act is com mitted by a body corporate or by a member |
| of a partnership or other firm, every director or officer of that body corporate or a |
| member of the partnership or any other person concerned with the management |
| of the firm shall be deemed to have committed that offence and is liable on |
| summary conviction to a fine or term of imprisonment as prescribed. |
| (4) A person shall not be convicted of an offence under subsection (3) if it is proved |
| that: |
| (a) due diligence was exercised to prevent the commission of the offence; and |
| (b) the offence was committed without the knowledge, consent or connivance of |
| that person. |
| Administrative Sanctions |
| 24. (1) A person who contravenes or fails to comply with any provision of this Act which is |
| not designated as an offence may be liable to adminis trative sanctions as prescribed |
| by the Authority. |
| 16 |
| (2) The Authority may prescribe the following sanctions: |
| (a) issue a warning or non -compliance notice to a participating institution; |
| (b) suspend a participating institution from use of the National Data Exchange |
| Platform; |
| (c) revoke access and r emove a participating institution from the National Data |
| Exchange Platform ; |
| (d) impose administrative penalties on a participating institution; |
| (e) impose bans on a participating institution; and |
| (f) any other sanction as may be appropriate to redress the stated non - |
| compliance. |
| (3) A participating institution that has its access or approval revoked may submit a |
| fresh application to the Authority to be reinstated after rectifying the breach or |
| non-compliance. |
| (4) Participating institutions that have been banned shall not be permitted to reapply |
| for access. |
| (5) The imposition of administrative sanctions or fines under this Act shall be without |
| prejudice to any penalties, fines or sanctions that may be imposed by any other |
| regulatory authority under any o ther enactment. |
| (6) Where the conduct of a person constitutes an offence under this Act and any |
| other enactment, nothing in this Act shall prevent the institution of proceedings |
| under that other enactment. |
| Dispute Resolution |
| 25. (1)The Authority shall establish a dispute resolution process to resolve disputes: |
| (a) between data providers and data consumers; |
| (b) between or among different data providers; |
| (c) between data subjects and data providers or data consumers; and |
| (d) between the Authority and data providers, data consumers or data subjects . |
| (2) Where a dispute, pursuant to subsection s (c) and (d) above, concerns a matter |
| involv ing data subjects , their personal data and data subject rights, then the |
| Authority shall involve the Data Protection [ Commission/ Authority ] in the |
| resolution of the dispute . |
| (3) Where a dispute under subsection (1) involves matters pertaining to issues of |
| cybersecurity , then the Authority shall involve the Cybersecurity Authority in the |
| resolution of the dispute. |
| (4) Any o ne or more parties to a dispute m ay refer the dispute to the Authority for |
| settlement by any alternative dispute resolution mechanism . |
| (5) Where parties to a dispute agree that the dispute is to be settled by |
| (a) the dispute resolution committee established under section 2 6; or |
| (b) any alternative dispute resolution mechanism |
| the parties shall not institute an action in court until the dispute resolution |
| procedure has been exhausted. |
| Dispute Resolution Committee |
| 17 26. (1) The Authority shall establish a Dispute Resolution Committee for the purpose of |
| the resolution of disputes and shall prescribe the rules of procedure of the Dispute |
| Resolution Committee . |
| (2) The composition of the Dispute Resolution Committee shall be determined by |
| the board of the Authority in consultation with the Advisory Committee . |
| (3) The Dispute Reso lution Committee shall expeditiously investigate and hear any |
| matter which is brought before it. |
| (4) The Authority shall determine the period within which disputes may be settled. |
| (5) The Dispute Resolution Committee may require evidence or argum ents to be |
| presented in writing and may decide the matters upon which it will hear oral |
| evidence or written arguments. |
| (6) A party to a dispute may appear at the hearing and may be represented by a |
| lawyer or another person of that person's choice. |
| Powers of the Dispute Resolution Committee |
| 27. (1) The Dispute Resolution Committee shall have the power to : |
| (a) issue summons to compel the attendance of witnesses ; |
| (b) examine witnesses on oath, affirmation or otherwise ; |
| (c) compel the production of documents ; and |
| (d) refer a person for trial at the High Court for contempt. |
| (2) A summons issued by the Dispute Resolution Committee shall be under the hand |
| of the Secretary of the Authority . |
| Resolution of Referred Disputes |
| 28. (1)The Dispute Resolution Committee may, in settling a dispute . |
| (a) make a declaration setting out the rights and obligations of the parties to the |
| dispute; |
| (b) make provisional or interim orders or awards related to the matter or part of |
| the matter, or give directions in furtherance of the hearing ; |
| (c) dismiss or refrain from hearing or determining a matter in whole or in part if it |
| appears that the matter or part of the matter, is trivial or vexatious or that |
| further proceedings are not necessary or desirable in the public interest; |
| (d) in appropriate circumstances, order an y party to pay the reasonable costs |
| and expenses of another party, including the expenses of witnesses and fees |
| of lawyers, in bringing the matter before the Authority; and |
| (e) generally give directions and do anything that is necessary or expedient for |
| the h earing and determination of the matter. |
| Data Harmonisation Tribunal |
| Establishment of the Data Harmonisation Tribunal |
| 29. (1) There is by this Act established an appeal tribunal to be called the Data |
| Harmonisation Tribunal which shall be convened on an ad -hoc basis to consider |
| appeals against: |
| (a) decisions or orders made by the Authority or to review a particular matter |
| under this Act or its regulations , directives or guidelines; and |
| (b) decisions of the Dispute Resolutio n Committee of the Authority . |
| Composition of the Tribunal |
| 18 30. (1) The members of the Tribunal shall be appointed by the Minister and shall consist |
| of: |
| (a) a chairperson who is either a retired Justice of the Superior Court or a lawyer |
| of at least fifteen years standing who has experience in technology law |
| (particularly data privacy, intellectual property, and cybersecurity matters) , |
| policy, regulations or ar bitration ; and |
| (b) two other members with experience or academic or professional qualifications |
| in the data governance , public digital infrastructure, electronic engineering, |
| data protection, cybersecurity, law, economics or business or public |
| administration . |
| (3) The Minister shall appoint a registrar and other staff necessary for the smooth |
| operations of the Tribunal. |
| (4) The expenses of the Tribunal shall be paid out of income derived by the Authority |
| under this Act and shall be part of the annual budget of the A uthority. |
| Rules of Procedure of the Tribunal |
| 31. (1) The Authority shall, within thirty days of the commencement of this Act, prepare |
| proposals for rules of procedure for the Tribunal . |
| (2) The proposals shall be approved by a panel of the Tribunal specifically convened |
| for the purpose. |
| (3) The Authority shall by legislative instrument make Regulations under this Act |
| which shall prescribe the approved rules. |
| Right of Appeal |
| 32. (1) A person affected by a decision of the Authority or the Dispute Resolution |
| Committee may appeal against it by sending a notice of appeal to the Tribunal in |
| accordance with the rules of procedure of the Tribunal . |
| (2) The notice of appeal must be sent within twenty -eight days after the date on |
| which the decision being appealed against is announced or received . |
| (3) The appellant shall set out in the notice of appeal: |
| (a) the decision appealed against; |
| (b) the provision under which the decision appealed against was taken; and |
| (c) the grounds of appeal. |
| (4) Within one month after receipt of a notice of appeal the Tribunal shall be |
| convened to consider the appeal. |
| Decisions of the Tribunal |
| 33. (1) The Tribunal, after hearing the appeal may: |
| (a) quash the decision ; |
| (b) allow the appeal in whole or in part ; or |
| (c) dismiss the appeal and confirm the decision of the Authority . |
| (2) If the Tribunal allows the appeal in part, it may vary the decision of the Authority |
| in any manner and subject to any conditions or limitations that it considers |
| appropriate to impose . |
| (3) The Tribunal may take into account any submissions filed by a person acti ng as |
| a friend of the Tribunal in reaching a decision on an appeal brought before it . |
| 19 |
| (4) A decision of the Tribunal has the same effect as a judgement of the High Court |
| and shall be final unless submitted to the High Court for review . |
| Financial Provisions |
| Fees |
| 34. The Minister shall determine the fees to be charged under this Act in accordance with |
| the Fees and Charges (Miscellaneous Provisions) Act, 2022 (Act 1080). |
| Sources of Funds |
| 35. The funds of the National Data Exchange Platform shall include: |
| (a) seed money; |
| (b) fees accruing to the National Data Exchange Platform under this Act; |
| (c) moneys provided by Parliament; |
| (d) donations, gifts , grants and other voluntary contribution ; and |
| (e) any other moneys that are approved by the Minister responsible for Finance. |
| Expenses |
| 36. The expenses of the National Data Exchange Platform shall be paid from moneys |
| provided from the funds of the National Data Exchange Platform . |
| Accounts and audits |
| 37. (1) The Authority shall keep books of account and proper records in relation to the |
| National Data Exchange Platform in the form approved by the Auditor -General. |
| (2) The Authority shall submit the accounts of the National Data Exchange Platform |
| to the Auditor -General for audit within three months after the end of the financial |
| year. |
| (3) The Auditor -General shall, not later than three months after the receipt of the |
| accounts, audit the accounts and forward a copy of the audit report to the |
| Minister. |
| (4) The Internal Audit Agency Act, 2003 (Act 658) shall apply to this Act. |
| (5) The financial year of the Authority and the entity that manages the National Data |
| Exchange Platform shall be the same as the financial year of the Government. |
| Transitional and Miscellaneous Provisions |
| Implementation and Pilot Scheme |
| 38. The implementation of this Act shall be in phases as prescribed by the Minister. |
| Relationship and Integration with Existing Laws |
| 39. (1)This Act shall be read in conjunction with applicable laws governing data |
| protection, intellectual property, public access to information, cybersecurity, electronic |
| transactions, and any other law which confers rights or imposes obligations relating |
| to the generation, use, protection, and sharing of data in Ghana, including but not |
| limited to the: |
| (a) Copyright Act, 2005 (Act 690) ; |
| (b) [Cybersecurity Act 20XX (Act XXXX) ]; |
| (c) [Data Protection Act, 20XX (Act XXXX) ]; |
| (d) [Electronic Communications Act, 20XX (Act XXXX )]; |
| (e) [Electronic Transactions Act, 20XX (Act XXXX )]; |
| 20 (f) Ghana Standards Authority Act, 2022 (Act 1078 ); |
| (g) National Identification Authority Act, 2006 (Act 707) |
| (h) National Signals Bureau Act, 2020 (Act 1040); |
| (i) Patents Act, 2003 (Act 657); |
| (j) Protection Against Unfair Competition Act, 2000 (Act 589); |
| (k) Right to Information Act, 2019 (Act 989) ; |
| (l) Security and Intelligence Agencies Act, 2020 (Act 1030) ; |
| (m) State Secrets Act, 1962 (Act 101) ; |
| and shall not, except as otherwise provided in this Act, derogate from the |
| provisions of these Acts. |
| (2) Where there is any conflict between this Act and any relevant enactment in |
| respect of the standardisation and sharing of data , the provisions of this Act shal l |
| prevail. |
| 40. Repeals and Savings |
| [TBD] |
| Regulations |
| 41. The Minister may, on the recommendation of the Authority, make Regulations for the |
| implementation of this Act . |
| Interpretation |
| 42. In this Act unless the context otherwise requires: |
| “Advisory Committee ” means the strategic Advisory Committee established to advise |
| the Authority on the implementation of this Act ; |
| “API” means an Application Programming Interface that enables the secure and |
| structured exchange of data between different systems or databases, including |
| authentication, authorisation, and data formatting protocols. |
| “Authority ” means the National Information Technology Agency ; |
| “database ” means an organised collection of relevant public interest data, whether |
| structured or unstructured , which is maintained and made available by a data |
| provider for access, exchange and use on the National Data Exchange Platform; |
| "data consumer" means a n artificial person or entity that accesses, uses, re -uses or |
| exchanges data through the National Data Exchange Platform for any lawful |
| purpose, including research, service delivery, innovation, or regulatory compliance; |
| “data controller ” shall be construed in accordance with the [Data Protection Act, 20 XX |
| (Act XXX)] and means a person who either alone, jo intly with other persons |
| determines the purposes for and the manner in which personal data is processed or |
| is to be processed ; |
| "data provider" means a public or private entity that generates, collects, processes, |
| stores or holds public interest data and makes that data available through the |
| National Data Exchange Platform in accordance with this Act; |
| “data register ” means a catalogue created by data providers to assist with navigating |
| their database . |
| 21 “data subject ” shall be construed in accordance with the Data Protection Act, 20XX |
| (Act XXX) and means an individual who is the subject of personal data; |
| “data subject rights ” shall be c onstrued in accordance with the [Data Protection Act, |
| 20XX (Act XXX) ] and means […] |
| “exchange ” means the structured, secure, and authorised transmission of data |
| between systems, institutions, or entities for a specific permitted purpose |
| “foreign ” means, in relation to a person or entity, any person or entity that is not |
| Ghanaian or an entity that is not incorporated, registered, or established under the |
| laws of Ghana. |
| "National Data Exchange Platform " means the public digital infrastruct ure designated |
| under this Act for the secure and standardised exchange of public interest data |
| between the public and private sectors ; |
| “Minister ” means the Minister assigned responsibility for the Ministry of |
| Communications; |
| “Ministry ” means the Ministry of Communications ; |
| "open data" means public interest data that is not subject to any law, regulation, or |
| policy that restricts its access or use, and may be accessed, used, reused, and |
| distributed by any person without legal or technical restriction; |
| “personal data ” shall be construed in accordance with the Data Protection Act, 20XX |
| (Act XXX) and means any information relating to an identified or identifiable natural |
| person , and includes one or a combination of the following, whether iden tified by |
| manual or automated processing: |
| (a) direct identifiers such as name ; email address ; phone number, identification |
| number ; registration number; bank account, bank or smart card number; |
| photographic or video image of face; |
| (b) indirect identifiers such as an location data ; age or age -range, occupation; |
| job; profession; vocation; business; workplace; title; education; voice - |
| recordings, postal code; place of birth; date of birth; marital status; |
| photographs or videos without facia l detail but identifications such as side |
| views, clothing, marks and mannerism; language preference; profiles without |
| facial detail but which could be attributed to a natural person by the use of |
| additional information ; |
| (c) online identifiers such as IP addres s; cookies; device ID; login credentials; |
| user IDs; push notification tokens, browser history or fingerprints; |
| (d) data which have undergone pseudonymisation, but which could be attributed |
| to a natural person by the use of additional information should be cons idered |
| to be information on an identifiable natural person ; and |
| (e) one or more factors specific to the physical, physiological, mental, economic, |
| cultural or social identity of that natural person ; |
| “participating institution ” means a data provider or data c onsumer as defined under |
| this Act ; |
| “processing ” shall be construed in accordance with the [Data Protection Act, 20 XX |
| (Act XXXX )] and means an operation or activity or set of operations by electronic or |
| other means that concerns data or personal data and the |
| (a) collection, organization, adaptation or alteration of the information or data, |
| 22 (b) retrieval, consultation or use of the information or data , |
| (c) disclosure of the information or data by transmission, dissemination or other |
| means available, or |
| (d) alignment, combination, blocking, erasure or destruction of the information or |
| data; |
| "public interest data" means data, whether personal or non -personal, recorded and |
| documented in any manner and on any medium, which is collected, created, |
| generated, held or otherwise processed by public authorities, private entities, or other |
| institutions, and is either necessary for or beneficial to public purposes, inclu ding but |
| not limited to, the provision of public services, performance of public functions, |
| regulatory compliance, or national development. Public interest data shall include any |
| data prescribed as public interest data by the Minister; |
| "restricted data" m eans public interest data of a sensitive or classified nature, for |
| which access is limited by law, or may only be granted upon fulfilment of specified |
| conditions, including the demonstration of a legitimate interest or the application of |
| special procedures . Restricted Data includes state secrets, information relating to |
| national security, confidential business information, or other categories that the law |
| exempt s from public disclosure. Restricted data shall include any data prescribed as |
| restricted data by the Minister ; |
| “Republic ” means the Republic of Ghana; |
| “re-use” means the use , whether commercial or non -commercial, of public interest |
| data obtained through the National Data Exchange Platform for a purpose other than |
| the initial purpose for which the data was collected ; |
| "shareable data" means public interest data that is not classified as restricted data |
| but may only be accessed or used subject to prescribed terms, procedures, or |
| conditions; and |
| 23 |
| FIRST SCHEDULE |
| Part X |
| (Section X) |
| Public Interest Data Classification Framework |
| Public interest data shall be classified for the purposes of this Act into — |
| a. open data , |
| b. shareable data , and |
| c. restricted data . |
| Open data refers to public interest data that : |
| a. is not subject to any le gal, commercial, or confidentiality restrictions; and |
| b. may be freely accessed, used, reused, or redistributed without requiring specific |
| authorisation. |
| Shareable data refers to public interest data that : |
| a. is not openly available to the public; but |
| b. may be accessed or reused by authorised persons under specific terms, conditions or |
| procedures prescribed by law or determined by the data provider. |
| Restricted data refers to public interest data : |
| a. which is subject to legal, contractual, or institutiona l restrictions on access, use, or |
| disclosure; or |
| b. which, if disclosed, may reasonably be expected to pose a risk to national security, public |
| order, individual privacy, or the rights and interests of a third party. |
| The Data Protection [Commission /Authority] is in consultation with the Authority shall |
| prescribe guid elines for the classification of data |
| The Minister may, on the advice of the Authority, by legislative instrument, issue guidelines |
| for: |
| a. the further classification of public interest data by sector, type, sensitivity, or purpose; and |
| b. the criteria for reclassification of data from one category to another, including from |
| restricted to shareable or from shareable to open, where applicable. |
| 24 |
| SECOND SCHEDULE |
| Part X |
| (Section X) |
| Local Participation and Local Content Requirements for the National Data Exchange |
| Platform operator |