Is an ICT Acceptable Use Policy legally required for companies in Ghana?

While no single statute in Ghana expressly mandates a standalone ICT Acceptable Use Policy by that name, the obligation to have one arises from several intersecting legal requirements. The Cybersecurity Act, 2020 (Act 1038), Section 30, requires owners of critical information infrastructure and private sector organisations to implement reasonable cybersecurity measures, which the Cyber Security Authority (CSA) interprets as including written user conduct policies. The Data Protection Act, 2012 (Act 843) requires data controllers registered with the Data Protection Commission of Ghana (DPC) to implement appropriate technical and organisational measures to protect personal data — and a written acceptable use policy is a core organisational measure. The Labour Act, 2003 (Act 651) requires that disciplinary rules be communicated to employees in writing before disciplinary action can fairly be taken, meaning ICT-related misconduct rules must be documented and communicated. Regulated entities — banks licensed by the Bank of Ghana (BoG), insurance companies regulated by the National Insurance Commission (NIC), and payment service providers under the Payment Systems and Services Act, 2019 (Act 987) — face express regulatory requirements for ICT governance policies from their respective regulators.

Can an employer in Ghana monitor employees' use of company IT systems?

An employer in Ghana may monitor employees' use of company ICT assets provided the monitoring is lawful, proportionate, and disclosed to employees in advance. The Data Protection Act, 2012 (Act 843) treats employees as data subjects whose personal data — including email content, browsing history, and keystrokes — is processed during monitoring. Lawful monitoring requires: a legitimate purpose (security, compliance, productivity); proportionate methods; prior notice to employees (typically through the ICT Acceptable Use Policy or the employment contract); and registration of the monitoring activity with the Data Protection Commission of Ghana (DPC) as part of the organisation's data processing register. The Electronic Transactions Act, 2008 (Act 772) does not prohibit interception of electronic communications on a company's own systems where the system owner has given prior notice of monitoring. However, covert monitoring of personal email accounts, personal devices, or private communications unrelated to work is likely to breach Act 843 and — in extreme cases — the right to privacy under Article 18 of the Constitution of Ghana, 1992.

What cybersecurity obligations does Ghana's Cybersecurity Act 2020 impose on businesses?

The Cybersecurity Act, 2020 (Act 1038) establishes the Cyber Security Authority (CSA) and the Computer Emergency Response Team (CERT-GH) and imposes the following obligations on businesses operating in Ghana: owners of critical information infrastructure (CII) — defined under Act 1038 to include systems in banking, energy, telecommunications, healthcare, and government — must designate a cybersecurity focal point, implement minimum cybersecurity standards prescribed by the CSA, conduct annual cybersecurity audits, and report significant cyber incidents to CERT-GH within 24 hours of detection. Non-CII private businesses are subject to general cybersecurity obligations including implementing reasonable security measures to protect their systems and data, maintaining incident response plans, and cooperating with CSA investigations. The Act 1038 creates cybercrime offences including unauthorised access to computer systems (Section 55), interception of data (Section 57), and computer fraud (Section 58), each attracting fines and imprisonment. Organisations that fail to implement reasonable cybersecurity measures and suffer a data breach affecting their customers may face liability under both Act 1038 and the Data Protection Act, 2012 (Act 843).

What are the consequences of an employee breaching an ICT Acceptable Use Policy in Ghana?

An employee who breaches an ICT Acceptable Use Policy in Ghana faces disciplinary consequences under the Labour Act, 2003 (Act 651) and potentially criminal liability under the Electronic Transactions Act, 2008 (Act 772) and the Cybersecurity Act, 2020 (Act 1038). Under Act 651, an employer may take disciplinary action — including warnings, suspension, or dismissal — for misconduct, provided the employer follows a fair procedure: notifying the employee of the specific breach, giving the employee an opportunity to respond, and conducting a fair investigation before imposing a sanction. Summary dismissal (without notice) is permissible for serious ICT misconduct such as downloading illegal content, accessing confidential competitor systems, or deliberately destroying company data. Criminal liability under the Electronic Transactions Act, 2008 (Act 772) arises for computer-related fraud, forgery, and system sabotage. Under the Cybersecurity Act, 2020 (Act 1038), employees who commit cybercrime offences using company systems may be prosecuted before the High Court of Ghana with penalties including fines up to GHS 1,000,000 and imprisonment up to 15 years for the most serious offences.

Must an ICT Acceptable Use Policy in Ghana address social media use?

Yes. Social media provisions are an important component of an ICT Acceptable Use Policy in Ghana, given the widespread use of WhatsApp, Facebook, X (formerly Twitter), LinkedIn, TikTok, and Instagram among Ghanaian employees. The policy should address: whether employees may access personal social media on work devices or work internet connections; restrictions on posting content that discloses the organisation's confidential information, trade secrets, or client data in breach of the Non-Disclosure Agreement or the Data Protection Act, 2012 (Act 843); prohibitions on posting content that defames colleagues, clients, or the organisation — noting that the Criminal Offences Act, 1960 (Act 29) recognises criminal libel and sedition; requirements to disclose a connection to the employer when commenting on industry matters in an official capacity; and guidance on managing the organisation's official social media accounts including who is authorised to post and the approval process. The Electronic Transactions Act, 2008 (Act 772) applies to electronic communications made through social media, and employees may face criminal liability for false or harmful digital publications under Act 772.

ICT Acceptable Use Policy (Ghana)

ICT Acceptable Use Policy

ICT ACCEPTABLE USE POLICY

Issued by: [Organisation Name], [Organisation Address]

Effective Date: [Effective Date] Policy Owner: [Policy Owner]

This Policy is issued pursuant to the Electronic Transactions Act, 2008 (Act 772), the Cybersecurity Act, 2020 (Act 1038), the Data Protection Act, 2012 (Act 843), and the Labour Act, 2003 (Act 651).

1. Scope and Application

1.1

This Policy applies to all employees, fixed-term staff, contractors, interns, and authorised third-party users who access the ICT assets of [Organisation Name].

1.2

The following ICT assets are covered by this Policy: [Covered Assets].

1.3

All ICT assets remain the property of [Organisation Name]. Users have no expectation of privacy when using organisational ICT assets.

2. Permitted Uses

2.1

ICT assets may be used for legitimate business purposes including email communication, internet research, document creation, video conferencing, and access to approved software applications.

2.2

Limited personal use of ICT assets is: [Personal Use Allowed]. Where permitted, personal use must not interfere with work performance or bring the organisation into disrepute.

3. Prohibited Uses

The following activities are strictly prohibited on [Organisation Name]'s ICT assets:

3.1

Accessing, downloading, or distributing pornographic, extremist, or illegal content contrary to the Electronic Transactions Act, 2008 (Act 772) and the Criminal Offences Act, 1960 (Act 29).

3.2

Attempting to circumvent, disable, or compromise cybersecurity controls in violation of the Cybersecurity Act, 2020 (Act 1038).

3.3

Installing unlicensed software or using software in a manner that infringes the Copyright Act, 2005 (Act 690).

3.4

Sharing personal data of colleagues, clients, or third parties without authorisation, in breach of the Data Protection Act, 2012 (Act 843).

3.5

Using ICT assets for personal financial gain, secondary employment, or activities that conflict with the user's duties to the organisation.

3.6

Publishing content on social media or digital platforms that discloses confidential information, defames the organisation, or constitutes a criminal offence under Act 772 or Act 29.

4. Data Protection Obligations

4.1

[Organisation Name] is registered with the Data Protection Commission of Ghana (DPC) as a data controller under the Data Protection Act, 2012 (Act 843). All users must process personal data only for approved business purposes and in accordance with the organisation's data protection procedures.

4.2

Users must report suspected data breaches or cybersecurity incidents to the [Policy Owner] immediately, who shall notify the Cyber Security Authority (CSA) and CERT-GH under the Cybersecurity Act, 2020 (Act 1038) where required.

5. Monitoring and Enforcement

5.1

[Organisation Name] may monitor users' ICT activity for security and compliance purposes. Monitoring scope: [Monitoring Scope]. Users are deemed to have consented to such monitoring by their continued use of the organisation's ICT assets.

5.2

Breach of this Policy will result in disciplinary action under the Labour Act, 2003 (Act 651): [Disciplinary Consequences]. Serious breaches may be referred to the Ghana Police Service or the Cyber Security Authority (CSA) for criminal investigation under Act 1038.

6. Policy Review

6.1

This Policy will be reviewed [Review Frequency] by [Policy Owner] to ensure continued compliance with Ghanaian law, including the Electronic Transactions Act, 2008 (Act 772), the Cybersecurity Act, 2020 (Act 1038), and the Data Protection Act, 2012 (Act 843).

7. Employee Acknowledgement

I acknowledge that I have read, understood, and agree to comply with this ICT Acceptable Use Policy of [Organisation Name]. I understand that breach of this Policy may result in disciplinary action up to and including dismissal.

Employee / User

________________

Signature

HR Representative / Policy Owner

________________

Signature

Maintained by Vladislav Sergienko, Founder·Template last modified: 2026-06-23·Report an error

What Is a ICT Acceptable Use Policy (Ghana)?

An ICT Acceptable Use Policy in Ghana establishes the obligations and procedures governing the conduct it regulates.

Ghana's ICT regulatory framework spans several legislative instruments and regulatory bodies. The National Communications Authority (NCA) under the Electronic Communications Act, 2008 (Act 775) regulates electronic communications networks and services in Ghana. The Ghana Investment Promotion Centre (GIPC) and the Ministry of Communications and Digitalisation drive Ghana's digital economy agenda through the National ICT Policy and the Digital Ghana Agenda. The Data Protection Commission of Ghana (DPC) established under the Data Protection Act, 2012 (Act 843) regulates the processing of personal data by private and public organisations, requiring data controllers — defined broadly under Act 843 as any person who determines the purpose and means of processing personal data — to register with the DPC and comply with data protection principles.

An ICT Acceptable Use Policy is essential for companies registered under the Companies Act, 2019 (Act 992) with the Office of the Registrar of Companies (ORC) that deploy IT systems for employees in Ghana, because the Cybersecurity Act, 2020 (Act 1038) at Section 30 imposes liability on organisations that fail to implement reasonable security measures to prevent cybercrime. The Computer Emergency Response Team (CERT-GH) under the Cyber Security Authority (CSA) created by Act 1038 handles cybersecurity incident reporting for Ghanaian organisations. Employees who misuse ICT assets may face disciplinary action under the Labour Act, 2003 (Act 651) and potential criminal prosecution under the Electronic Transactions Act, 2008 (Act 772) for offences including unauthorised access, data theft, and electronic fraud.

The ICT Acceptable Use Policy differs from a standalone Data Protection Policy (which addresses the organisation's obligations as a data controller under Act 843) and from a Cybersecurity Policy (which addresses technical security controls). The Acceptable Use Policy focuses specifically on user behaviour — what employees and contractors may and may not do with the organisation's ICT resources — and is implemented as part of the employment contract regime under the Labour Act, 2003 (Act 651), forming part of the terms and conditions of employment.

The legal framework governing the ICT Acceptable Use Policy (Ghana) in Ghana draws on several key statutes and regulatory bodies. Under the Companies Act 2019 (Act 992), the Registrar General's Department (RGD) maintains the register of Ghanaian companies. Section 7 of the Companies Act 2019 governs company incorporation. The Ghana Revenue Authority (GRA) administers corporate tax under the Income Tax Act 2015 (Act 896). The Commercial Division of the High Court in Accra adjudicates business disputes. The Ghana Investment Promotion Centre (GIPC) regulates foreign investment under the GIPC Act 2013 (Act 865). Parties executing a ICT Acceptable Use Policy (Ghana) in Ghana should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Electronic Transactions Act 2008 (Act 772) sets the foundational requirements.

When Do You Need a ICT Acceptable Use Policy (Ghana)?

An ICT Acceptable Use Policy in Ghana is required by any organisation that provides employees or contractors with access to ICT systems, and the following circumstances make a written policy particularly important.

An ICT Acceptable Use Policy is required when a company registered under the Companies Act, 2019 (Act 992) in Ghana deploys enterprise IT systems — including email servers, enterprise resource planning (ERP) software, customer relationship management (CRM) platforms, or cloud storage services — to its workforce, as the Cybersecurity Act, 2020 (Act 1038) imposes a duty of care on system owners to establish use rules and security protocols.

An ICT Acceptable Use Policy is needed when an organisation processes personal data of Ghanaian employees, customers, or third parties on its IT systems, as the Data Protection Act, 2012 (Act 843) requires the data controller to implement organisational measures — including user access policies — to protect personal data from unauthorised processing, loss, or disclosure.

An ICT Acceptable Use Policy is required for any organisation operating under a licence from the National Communications Authority (NCA) under the Electronic Communications Act, 2008 (Act 775), including telecommunications companies, internet service providers (ISPs), and financial technology (fintech) companies, as NCA licensing conditions include requirements for user and employee conduct policies.

An ICT Acceptable Use Policy is needed when onboarding new employees under a contract of employment governed by the Labour Act, 2003 (Act 651), as the policy forms part of the employee's terms and conditions, and disciplinary action for ICT misuse can only be taken fairly if the employee was given clear written notice of the prohibited conduct.

An ICT Acceptable Use Policy is required for educational institutions accredited by the Ghana Accreditation Commission (GAC), hospitals licensed by the Ghana Health Service (GHS), and financial institutions licensed by the Bank of Ghana (BoG) — all of which handle sensitive personal and financial data on ICT systems subject to sector-specific regulatory requirements.

An ICT Acceptable Use Policy is needed when responding to a data breach incident reportable to the Data Protection Commission of Ghana (DPC) under Act 843, as the DPC will assess whether the organisation had reasonable organisational safeguards — including written use policies — in place at the time of the breach.

What to Include in Your ICT Acceptable Use Policy (Ghana)

A valid ICT Acceptable Use Policy in Ghana under the Electronic Transactions Act, 2008 (Act 772), the Cybersecurity Act, 2020 (Act 1038), and the Data Protection Act, 2012 (Act 843) must contain the following essential elements.

Scope and Application: The policy must define which ICT assets are covered (computers, smartphones, tablets, corporate email accounts, VPN access, cloud platforms, social media accounts used for work purposes), which persons are bound (permanent employees, fixed-term staff, contractors, interns, and third-party service providers with system access), and the effective date of the policy consistent with Act 651 employment terms.

Permitted Uses: Clear description of the permitted business purposes for which ICT assets may be used — including email, internet research, document creation, video conferencing, access to approved software applications — and the conditions under which limited personal use is allowed (if at all), with reference to the organisation's bring-your-own-device (BYOD) policy if separate.

Prohibited Uses: Specific list of prohibited activities including: accessing, downloading, or distributing pornographic, extremist, or illegal content contrary to the Electronic Transactions Act, 2008 (Act 772) and the Criminal Offences Act, 1960 (Act 29); using ICT assets for personal financial gain or secondary employment; attempting to circumvent cybersecurity controls; downloading unlicensed software in violation of the Copyright Act, 2005 (Act 690); and making unauthorised disclosures of personal data in breach of the Data Protection Act, 2012 (Act 843).

Data Protection Obligations: The policy must articulate the user's obligations under Act 843 regarding the processing of personal data on the organisation's systems — including the prohibition on sharing personal data with unauthorised third parties, the requirement to use only approved cloud services registered with the organisation's data processor register, and the obligation to report suspected data breaches to the Data Protection Officer (DPO) immediately.

Monitoring and Enforcement: Statement that the organisation may monitor employees' use of ICT assets for security and compliance purposes, with reference to the Cybersecurity Act, 2020 (Act 1038) and the Data Protection Act, 2012 (Act 843) as the legal basis for monitoring; the escalation process for ICT security incidents to the Cyber Security Authority (CSA) and CERT-GH; and the disciplinary consequences for policy breach under the Labour Act, 2003 (Act 651) and the Electronic Transactions Act, 2008 (Act 772).

Acknowledgement: A signed acknowledgement form for each employee confirming receipt and understanding of the policy, retained in the employee's personnel file. Forms-legal.com provides this ICT Acceptable Use Policy template as a starting point for Ghana-compliant ICT governance documentation.

Additional compliance elements for a ICT Acceptable Use Policy (Ghana) used in Ghana include: Under the Companies Act 2019 (Act 992), the Registrar General's Department (RGD) maintains the register of Ghanaian companies. Section 7 of the Companies Act 2019 governs company incorporation. The Ghana Revenue Authority (GRA) administers corporate tax under the Income Tax Act 2015 (Act 896). The Commercial Division of the High Court in Accra adjudicates business disputes. The Ghana Investment Promotion Centre (GIPC) regulates foreign investment under the GIPC Act 2013 (Act 865). Forms-legal.com provides this template as a starting point for Ghana-compliant documentation.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). ICT Acceptable Use Policy (Ghana) (Ghana) [Legal document template]. Forms Legal. https://forms-legal.com/ghana/business/policies/ict-acceptable-use-policy-ghana

MLA

"ICT Acceptable Use Policy (Ghana) (Ghana)." Forms Legal, 2026, https://forms-legal.com/ghana/business/policies/ict-acceptable-use-policy-ghana.

BibTeX

@misc{formslegal-ict-acceptable-use-policy-ghana,
  author       = {{Forms Legal}},
  title        = {ICT Acceptable Use Policy (Ghana) (Ghana)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/ghana/business/policies/ict-acceptable-use-policy-ghana}},
  note         = {Free legal document template}
}

Frequently Asked Questions

Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer

Found an error? Let us know