Data Breach Notification Form (Ghana)

A Data Breach Notification Form in Ghana captures the structured information needed to complete the process it supports.

The Data Protection Act 2012 (Act 843) is the primary legislation governing personal data protection in Ghana. Act 843 establishes the Data Protection Commission (DPC) as the supervisory authority responsible for registration of data controllers, enforcement of data protection obligations, and investigation of complaints from data subjects. Every data controller that processes personal data in Ghana must register with the DPC under Section 17 of Act 843. The DPC is headquartered in Accra and maintains the National Data Protection Register.

Section 30 of Act 843 requires a data controller to notify the DPC of a personal data breach without undue delay. The notification must describe the nature of the breach, the contact details of the data protection officer (DPO) or other contact point, the likely consequences of the breach, and the measures taken or proposed to address the breach. Where the breach is likely to result in high risk to the rights and freedoms of natural persons, the data controller must also notify the affected data subjects directly.

A personal data breach under Act 843 includes any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Breaches may arise from cyberattacks on systems of banks licensed by the Bank of Ghana (BoG), telecommunications networks of operators licensed by the National Communications Authority (NCA), or healthcare providers whose patient records are stored electronically.

The Electronic Transactions Act 2008 (Act 772) and the Cybersecurity Act 2020 (Act 1038) complement the Data Protection Act 2012 (Act 843) in governing data security obligations in Ghana. The Cyber Security Authority (CSA), established under Act 1038, regulates cybersecurity practices and may be notified of cyber-incidents that give rise to personal data breaches. The Data Breach Notification Form (Ghana) serves as the primary instrument for discharging notification obligations under Act 843 s.30.

The legal framework governing the Data Breach Notification Form (Ghana) in Ghana draws on several key statutes and regulatory bodies. Under the Companies Act 2019 (Act 992), the Registrar General's Department (RGD) maintains the register of Ghanaian companies. Section 7 of the Companies Act 2019 governs company incorporation. The Ghana Revenue Authority (GRA) administers corporate tax under the Income Tax Act 2015 (Act 896). The Commercial Division of the High Court in Accra adjudicates business disputes. The Ghana Investment Promotion Centre (GIPC) regulates foreign investment under the GIPC Act 2013 (Act 865). Parties executing a Data Breach Notification Form (Ghana) in Ghana should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Data Protection Act 2012 (Act 843) sets the foundational requirements.

A Data Breach Notification Form in Ghana is required in the following circumstances.

A Data Breach Notification Form is needed when a data controller registered with the Data Protection Commission (DPC) under Section 17 of the Data Protection Act 2012 (Act 843) discovers or reasonably suspects that a personal data breach has occurred affecting data subjects whose personal data the controller processes.

A Data Breach Notification Form is required when a bank licensed by the Bank of Ghana (BoG) or a non-bank financial institution regulated by the BoG experiences an unauthorised access to customer personal data stored in its core banking system, triggering notification obligations to the DPC and affected customers under Act 843 s.30.

A Data Breach Notification Form is needed when a telecommunications operator licensed by the National Communications Authority (NCA) experiences a data breach affecting subscriber personal data, and must notify both the NCA and the DPC in accordance with Act 843 and the Electronic Communications Act 2008 (Act 775).

A Data Breach Notification Form is required when a healthcare provider whose patient records are stored electronically discovers that patient personal health data has been accessed by an unauthorised person, requiring notification to the DPC and, where the risk to patients is high, to the affected patients directly.

A Data Breach Notification Form is needed when a data processor — a third-party service provider processing personal data on behalf of a data controller — discovers a breach and must notify the data controller without undue delay so that the controller can comply with its own notification obligations under Act 843.

A Data Breach Notification Form is required when an e-commerce or digital services company operating in Ghana experiences a breach affecting customer names, email addresses, payment card details, or other personal data, necessitating notification to the DPC and affected customers. Parties in Ghana should complete and submit the Data Breach Notification Form to the DPC without undue delay upon discovery of a personal data breach to avoid enforcement action by the Commission.

A valid Data Breach Notification Form in Ghana under the Data Protection Act 2012 (Act 843) must contain the following essential elements.

Data Controller Details: Full legal name of the data controller organisation; DPC registration number under Section 17 of Act 843; registered address in Ghana; name and contact details of the Data Protection Officer (DPO) or the designated contact person for DPC communications; and the date and time the breach was discovered.

Nature of the Breach: A description of the type of breach — whether an accidental disclosure, unauthorised access, ransomware attack, physical theft of devices, or insider threat; the systems or processes affected; and whether the breach is ongoing or contained at the time of notification.

Categories and Volume of Data Affected: The categories of personal data involved — such as names, Ghana Card numbers, bank account details, health records, or biometric data; and the approximate number of data subject records affected. The Data Protection Act 2012 (Act 843) s.30 requires this information to be provided to the DPC.

Categories of Data Subjects Affected: Whether the affected data subjects are customers, employees, patients, or members of the public; their approximate number; and whether any of the affected data subjects are vulnerable persons such as minors or persons with disabilities.

Likely Consequences: An assessment of the likely consequences of the breach for the affected data subjects — including risks of identity theft, financial loss, discrimination, reputational damage, or physical harm — as required by Act 843 s.30.

Containment and Remediation Measures: The technical and organisational measures taken or proposed to address the breach, contain its spread, recover compromised data, and prevent recurrence. Relevant measures may include password resets, system patching, engagement of cybersecurity specialists under the Cybersecurity Act 2020 (Act 1038), and notification to the Cyber Security Authority (CSA).

Data Subject Notification: Where the breach is likely to result in high risk to data subjects, a description of the communication sent or proposed to be sent to affected data subjects, including the plain-language description of the breach, steps the data subjects can take to protect themselves, and the DPO contact details.

Additional compliance elements for a Data Breach Notification Form (Ghana) include: cross-referencing obligations under the Electronic Transactions Act 2008 (Act 772) and Cybersecurity Act 2020 (Act 1038); notifying sector regulators such as the Bank of Ghana (BoG) or National Communications Authority (NCA) where applicable; and retaining records of all breach notifications for DPC audit purposes. Forms-legal.com provides this template as a starting point for Ghana-compliant data breach notification documentation.

Additional compliance elements for a Data Breach Notification Form (Ghana) used in Ghana include: Under the Companies Act 2019 (Act 992), the Registrar General's Department (RGD) maintains the register of Ghanaian companies. Section 7 of the Companies Act 2019 governs company incorporation. The Ghana Revenue Authority (GRA) administers corporate tax under the Income Tax Act 2015 (Act 896). The Commercial Division of the High Court in Accra adjudicates business disputes. The Ghana Investment Promotion Centre (GIPC) regulates foreign investment under the GIPC Act 2013 (Act 865). Forms-legal.com provides this template as a starting point for Ghana-compliant documentation.