Victoria Bright is the managing partner and co-founder of Addison Bright Sloane. She has over 28 years of experience, having worked in a number of law firms in the UK where she became a partner.
She has advised a number of local and cross-border clients in areas of corporate governance, energy, financial technology, project financing and infrastructure. She has expertise in complex governmental and international projects.
Justice Oteng is an associate at Addison Bright Sloane. His principal areas of interest include technology law, dispute resolution, admiralty, labour law, corporate law and financial regulation.
He has extensive experience in handling complex litigation and cross-border cases involving high-profile clients. He has also advised both domestic and international clients on privacy, data protection and technology-related matters.
Elsie Gyan is an associate at Addison Bright Sloane whose principal areas of interest include corporate and commercial practice, intellectual property law, technology law, dispute resolution and financial regulation.
She has specialised knowledge in the areas of bribery and anti-corruption, data protection, cybersecurity and financial technology law.
Audrey Ablorh-Quarcoo is a junior associate at Addison Bright Sloane, whose practice areas include corporate and commercial practice, employment and labour matters, litigation and natural resources law.
She has knowledge in the areas of data protection and cybersecurity law.
1 What are the key features of the main laws and regulations governing digital transformation in your jurisdiction?
The principal laws governing digital transformation in Ghana include the Electronic Transactions Act 2008 (Act 772) (ETA), Electronic Communications Act 2008 (Act 775), Data Protection Act 2012 (Act 843) (DPA), Payment Systems and Services Act 2019 (Act 987), National Communications Authority Act 2008 (Act 769), the National Information Technology Agency Act 2008 (Act 771) and the Cybersecurity Act 2020 (Act 1038). Some of the key features are as follows.
Legal recognition of electronic transactions
The Electronic Communications Act 2008 (Act 775) (ECA) gives statutory backing to electronic transactions and records within the jurisdiction. The law provides for the admissibility of electronic evidence in legal proceedings. Digital Certificates and signatures are given due recognition by the law. The ECA further mandates public institutions to take steps or enter into arrangements that allow for their functions to be carried out, delivered or accessed electronically or online. The legal recognition of electronic transactions and records is a significant step to put Ghana on a positive pedestal towards digital transformation.
Registration and licensing regime
The ECA, for instance, mandates a person or entity that intends to operate a public electronic communication service or network or provide a voice telephony service to obtain a licence from the National Communications Authority. Entities engaged in encryption and authentication services are enjoined by law to obtain a licence from the National Information Technology Agency. Payment systems and services providers as well as electronic money issuers must also obtain a licence from the Bank of Ghana. Under the DPA, data controllers and data processors are required to register with the Data Protection Commission before collecting or processing personal data. These registration and licensing requirements allow for supervision and streamlining of the electronic communication service space. The DPA also ensures that services providers comply with the relevant data protection protocols.
The integrity and confidentiality of a person’s data finds expression in the constitutionally guaranteed right to privacy. Data protection denotes the protection of an individual’s data from unauthorised access or use. Under the DPA, data processors and controllers are required to uphold the confidentiality of an individual’s personal data by complying with the veritable principles of accountability, the lawfulness of processing, specification of the purpose of data collected. Similarly, the Payment Systems and Services Act directs payment service providers and electronic money issuers to adhere to principles of consumer protection that entails the protection of consumer’s privacy, tangible and intangible assets related to the service including the personal details, financial information, and transaction data of the customer. Under the ETA, a provider of an electronic communication service or remote computing service is prohibited from knowingly divulging the contents of any record or information about its customers or subscribers while in electronic storage or the contents of any communication, which is carried or maintained on that service to any other person or entity. Ghanaian law also proscribes the interception of an electronic record without authorisation.
Ghana has recently enacted its first cybersecurity law, the Cyber Security Act 2020 (Act 1038) (CSA), which is targeted at regulating cybersecurity activities to promote its development in the country. A critical feature of the Act is the establishment of the Cyber Security Authority, with the object of preventing and managing cybersecurity threats as well as regulating owners of critical information infrastructure in respect of cybersecurity activities, cybersecurity service providers and practitioners to ensure a secured and resilient digital ecosystem. Further, the Act establishes the National Computer Emergency Response Team, which is responsible for responding to cybersecurity incidents of institutions as well as international bodies. In addition, the Act establishes the Cyber Security Incident Monitoring and Response System for the implementation of technical measures to ensure an effective monitoring and response system. There is a requirement under the Act for cybersecurity service providers to be licensed before the provision of any cybersecurity-related service. A licence acquired is not transferable and is renewable every two years.
Offences or penalties
The aforementioned statutes set out elaborate provisions on offences and penalties touching on breaches of digital transformation laws.
The ETA is replete with provisions dealing with cyber offences ranging from stealing to unauthorised access to electronic records. Critically, a person who secures unauthorised access or attempts to secure access to a protected system commits an offence and is liable on summary conviction to a fine of not more than 5,000 penalty units or to a term of imprisonment of not more than 10 years or to both. A striking feature of the law worth mentioning is the omnibus criminal provision under section 123 of ETA to include offences wholly or partially committed in an electronic medium or form but are not specifically mentioned in the ETA. Specifically, such offences committed under any law that gives rise to the offence, shall be deemed to have been committed under the relevant law and the provisions of that law shall apply to the person who commits that offence. Thus, where a person commits an offence under any existing law in an electronic form, that person would be liable under that law even though there is no specific reference to an electronic form.
Under the DPA, a person who purchases personal data or knowingly obtains or recklessly discloses the personal data of another person or causes to be disclosed to another person commits an offence and is liable on summary conviction to a fine of not more than 250 penalty units or to a term of imprisonment of not more than two years or both. Likewise, a person who sells or offers to sell the personal data of another person commits an offence and is liable on summary conviction to a fine of not more than 2,500 penalty units or to a term of imprisonment of not more than five years or to both. Further, a person who knowingly or recklessly discloses information in contravention of the confidentiality requirement commits an offence and is liable on summary conviction to a fine of not more than 2,500 penalty units or to a term of imprisonment of not more than five years or to both.
Under the Payment Systems and Services Act, a body corporate that engages in an electronic money business without authorisation from the Bank of Ghana commits an offence and is liable on summary conviction to a fine of not less than 4,000 penalty units and not more than 7,000 penalty units.
Under the ECA, a person who knowingly obstructs or interferes with the sending, transmission, delivery or reception of communication or provides an electronic communication service without a licence commits an offence and is liable on summary conviction to a fine of not more than 3,000 penalty units or to a term of imprisonment of not more than five years, or both.
Offences under the CSA
The CSA provides that, a person who without authorisation secures access or attempts to secure access to a computer system or computer network designated as a critical information infrastructure commits an offence and is liable on summary conviction to a fine of not less than 2,500 penalty units and not more than 15,000 penalty units or to a term of imprisonment of not less than two years and not more than five years or to both.
Also, a person who takes, produces, processes or shares an indecent image of a child commits an offence and is liable on summary conviction to a fine of not less than 2,500 penalty units and not more than 5,000 penalty units or to a term of imprisonment of not less than five years and not more than 10 years or to both.
Similarly, a person who uses a computer online service or an internet service for sexual abuse commits an offence and is liable on summary conviction to a term of imprisonment of not less than five years and not more than 15 years. Likewise, a person who uses an online or electronic means to perpetrate sexual extortion commits an offence and is liable on summary conviction to a term of imprisonment of not less than 10 years and not more than 25 years.
2 What are the most noteworthy recent developments affecting organisations’ digital transformation plans and projects in your jurisdiction, including any government policy or regulatory initiatives?
The accelerated process of migrating the economy from a cash-based one into a cashless economy is a recent noteworthy drive towards digital transformation in Ghana. Most organisations have recently adopted electronic means of payment for goods and services. Mobile money services, electronic payment systems and services, and online banking services have increased in popularity over the past decade. The various telecommunication networks in the country have created mobile banking platforms for customers for easier and faster financial transactions such as mobile money transfers, internet banking and Unstructured Supplementary Service Data codes. The Ghana Interbank Payment and Settlement Systems Company has created the Mobile Money Interoperability Payment platform to allow transactions across various telecommunications networks in the country. Some banks have collaborated with payment services providers to provide online banking services to their customers. The use of QR codes for payment of goods has recently become an option for consumers within the country.
The government as part of its ICT for Accelerated Development policy has introduced programmes meant to enhance digital transformation. The Ministry of Communications through the Ghana Investment Fund for Electronic Communications in collaboration with Huawei Company Limited has started the deployment of about 2,000 Rural Star Sites across the country, which will provide voice and data services for over 3.4 million people in underserved and unserved communities to extend the national mobile communication coverage from 83 per cent to 95 per cent.
The government has expanded the automation of government business processes (E-governance system) to many more state institutions including the Registrar General’s Department, the Ghana Passport Office, Ghana Revenue Authority, the courts (E-justice), the ports (Paperless Port Systems), and the Lands Commission among others. For instance, the Ministry of Local Government and Rural Development recently rolled out a new digital revenue solution, the District Local Revenue software, which is a free cloud-based software specially designed for the revenue management cycle of data collection, billing, revenue collection and reporting in about 100 metropolitan, municipal and district assemblies within the country. These initiatives have enabled government agencies to migrate their business and service delivery onto an electronic platform. It has also helped reduce delays in government services delivery. The introduction of a digital address system using the GhanaPost GPS platform has helped in generating an accurate data about the housing situation in Ghana.
3 What are the key legal and practical factors that organisations should consider for a successful Cloud and data centre strategy?
The key legal and practical factors an organisation should consider for a successful Cloud and data centre strategy include the following.
Organisations in Ghana must give consideration to an adherence to data protection and privacy by ensuring that data collected is processed and stored in a manner that safeguards the privacy of the data subject. It is vital for organisations to give primacy to data security to prevent unauthorised access to retained data or information. Consideration must also be given to the provision under the CSA, which requires that complex systems such as a cloud system or a data centre be registered with the Cyber Security Authority. This allows such organisations to report cybersecurity incidents to either the Sectoral Computer Emergency Response Team or the National Emergency Computer Response Team.
A successful cloud and data centre establishment relies on affordable and speedy access to the internet. This requires investment in internet infrastructure and services. Ghana has one of the best internet penetration rates in Africa, with a rate of 50 per cent as at January 2021. There are a number of internet service providers (ISPs) in Ghana. Among the leading ISPs are MTN Ghana, Vodafone Ghana, Airtel Tigo, Surfline and Teledata ICT Limited.
Access to electricity
Access to constant and reliable electricity supply is one of the considerations when setting up a reliable data centre. Erratic or unstable power supply can cause damage to machinery and result in possible system breaches. Ghana has a relatively stable power system that can support a successful cloud and data centre operation.
4 What contracting points, techniques and best practices should organisations be aware of when procuring digital transformation services at each level of the Cloud ‘stack’? How have these evolved over the past five years and what is the direction of travel?
In procuring digital transformation services, an organisation should consider the following best practices.
Assembling the right team
To get the most out of procuring digital services, an organisation must secure the services of a team that understands ICT procurement processes and the peculiar needs of the organisation. The existence of a team of experts promotes transparency in the organisation’s process, ensures value for the projects executed and increases efficiency. Over the past five years, organisations have prioritised recruiting ICT professionals with knowledge in procurement on acquiring tailor-made ICT solutions that truly result in digital transformation.
Digital contract management
Contract management is at the heart of the procurement cycle. Purchase orders and invoicing can now be done electronically. Over the past five years, organisations have begun a gradual migration of contract processes unto digital platforms. With this, companies can minimise risk and maximise transparency. Automated procurement processes and contract management enable a centralised and easily accessible system that is cost-efficient and guarantees security.
Critically, organisations should be able to understand the specific ICT solutions they are procuring so that they can assess the product that is finally delivered. A lack of understanding of the specifications of the ICT solutions tends to be a major source of dispute between service providers and organisations.
In procuring digital services, an organisation must ensure that the services and or products are compliant with data protection protocols and principles. All personal data must be collected, processed and stored in accordance with the DPA.
5 In your experience, what are the typical points of contention in contract discussions and how are they best resolved?
Dispute resolution clauses
A contentious point in contract discussions involves the proper channels to employ in resolving disputes that arise under the contract. This is due to the challenges that certain dispute resolution procedures may present to the parties. The court system of settling disputes is time consuming and the Ghanaian courts may lack expertise in a specialised area such as ICT law. The parties should consider an alternative dispute resolution mechanism such as arbitration. The parties may be able to appoint experts and/or institutions to handle any dispute arising out a contract for issues to be resolved effectively and expeditiously.
Delivery of ICT services not fit for purpose
Another contentious issue in contract discussions is that entities are unable to communicate technically and effectively their organisation’s ICT needs to service providers for customised solutions. The result is that the final services or solutions offered to organisations are inferior and mostly unfit for purpose and thereby compelling organisations to redo their entire project because the initial implementation failed to meet the expectations of the organisation. To resolve this issue, parties must ensure that during the negotiation stage, product specifications are clearly defined and communicated. Organisations must endeavour to consult and use experts in their negotiations and processes before executing a contract.
6 How do your jurisdiction’s cybersecurity laws affect organisations on their digital transformation journey?
The CSA is the primary source of cybersecurity law in Ghana and its existence will positively impact the digital transformation journey of companies in Ghana. The law promotes the security of computers and computer systems and monitors cybersecurity threats within and outside the country. The law also establishes codes of practice and standards of cybersecurity and monitors compliance with codes of practice and standards by the public and private sector owners of critical information infrastructure. The CSA sets out the parameters and limits to access secured information on a critical information infrastructure and this ensures that an organisation’s data is not illegally accessed by intruders and used for destructive purposes. Further, the CSA provides for the appointment of inspectors with the duty of ensuring, among other things, that data retained or retrieved is used for the purpose for which the data is retained or retrieved. The requirement for cybersecurity service providers to register with the Cyber Security Authority before the provision of related services is to ensure that the terrain is protected and only qualified persons are authorised to operate within the cybersecurity space.
The ETA is another source of cybersecurity law in Ghana. It is replete with provisions dealing with acts and breaches of cyber space. The ETA encourages organisations to put in place mechanisms that protect against unauthorised access to electronic systems, devices and records. The National Cyber Security Authority (NCSA), an agency under the Ministry of Communications, is responsible for Ghana’s cybersecurity development including cybersecurity incidents response coordination with the government and with the private sector. The NCSA works closely with the National Cyber Security Technical Working Group in the implementation of cybersecurity initiatives across government and non-governmental sectors. The DPA makes provision for securing the personal data of users. The laws aforementioned and in particular the setting-up of the NCSA has promoted confidence among organisations to digitally transform their businesses with the firm assurance that when there is a breach of their cyberspace, there is legislation and a dedicated institution to deal with their concerns.
7 How do your jurisdiction’s data protection laws affect organisations as they undergo digital transformation?
Most businesses within the jurisdiction are unaware of the DPA and its guidelines on data processing and storage. Thus, compliance with these guidelines is minimal and the statutory agency responsible for ensuring compliance (Data Protection Commission), has begun engagement with various organisations to ensure compliance with Ghana’s data protection laws. The DPA requires data controllers to register with the Commission before they collect, process and retain data. A data processor must seek the consent of the data subject before the collection, processing, and retention of personal data. A data controller under the DPA cannot retain personal data for a period longer than is necessary to achieve the purpose for which the data was collected unless the retention is backed by law or under a contract between the parties. A data controller is required to destroy the record at the end of the retention period. A data controller or processor who intends to collect process or retain personal data relating to a foreign data subject is expected to register with the Data Protection Commission and must provide the name and description of the country to which the data will be transferred.
8 What do organisations in your jurisdiction need to do from a legal standpoint to move software development from (traditional) waterfall through Agile (continuous improvement) to DevOps (continuous delivery)?
Organisations must secure the services of legal experts who possess the skills and understanding of the interface between technology law, customer success and product development. IT legal expertise is relatively underdeveloped in Ghana. A legal team comprising persons with expertise in contract, procurement and technology law and experience in business development to assist organisations to develop or negotiate cutting-edge contracts that envisage the entire software development life cycle.
9 What constitutes effective governance and best practice for digital transformation in your jurisdiction?
Establishing effective accountability, roles and decision-making authority for an organisation’s digital presence is essential in digital transformation. Organisations should put in a clear digital policy that will shape their activities. Ad hoc decisions touching on an organisation’s digital presence does very little for an organisation’s digital transformation. Organisations must also put in place a digital team structure that is responsible for the specific digital services and products of the organisation. This will ensure accountability and decentralisation of the production and maintenance of the organisation’s digital presence. The team should also monitor its digital platforms to ensure that there is constant feedback on their products and services.
On the level of the state, government should expand its e-governance services to other agencies and Ghana’s rural communities. The provision of ICT infrastructure in schools across the country will help build a strong human resource that is prepared to participate meaningfully in the digital transformation agenda in Ghana.
The Inside Track
What aspects of and trends in digital transformation do you find most interesting and why?
We find the entire subject totally fascinating. Artificial intelligence presents a fascinating tool to handle the growing complexities in the world across various industry sectors such as agriculture, healthcare, financial services and education. We are optimistic that Google’s establishment of its first Africa AI research centre in Ghana will expedite local AI development and research to increase the pace of Ghana’s (and Africa’s) digital transformation.
What challenges have you faced as a practitioner in this area and how have you navigated them?
The most difficult challenge we encounter in our practice is the lack of local expertise in this area of the law. This is slowing down the pace of progress in this field. We navigate this challenge by constantly building the capacity of practitioners with a genuine interest in technology law to assist in bridging the knowledge gap.
What do you see as the essential qualities and skill sets of an adviser in this area?
Extensive knowledge and understanding of IT law and policy both globally and within the specific context of Africa, a thorough understanding of the client’s requirements and the ability to learn quickly and adapt to change.