Ghana's Data Protection Act, 2012 (DPA 2012) includes provisions that exempt certain financial sector activities from the Act's application, effectively creating a limited exclusion for central banks and financial institutions.

Text of Relevant Provisions

DPA 2012 Art.63(1a)(iv):

"(1) The provisions of this Act do not apply to the processing of personal data for protection of members of the public(a) against loss or malpractice in the provision of(iv) other financial services, or"

DPA 2012 Art.63(1a)(i):

"(1) The provisions of this Act do not apply to the processing of personal data for protection of members of the public(a) against loss or malpractice in the provision of(i) banking, "

Analysis of Provisions

The DPA 2012 provides specific exemptions for data processing activities related to the financial sector. Article 63(1a) outlines several areas where the Act's provisions do not apply, including banking and other financial services. This exemption is specifically aimed at protecting members of the public against loss or malpractice in these sectors.The exemption covers two main areas:

1. Banking services (Art.63(1a)(i)): This provision explicitly exempts data processing related to banking activities from the Act's application when it is done to protect the public from loss or malpractice.
2. Other financial services (Art.63(1a)(iv)): This broader category extends the exemption to various financial services beyond traditional banking, potentially including activities of the central bank, investment firms, insurance companies, and other financial institutions.

The rationale behind these exemptions appears to be the recognition that financial institutions, including the central bank, operate under specialized regulatory frameworks that govern their data handling practices. These frameworks often include strict compliance requirements and oversight mechanisms specific to the financial sector.

Implications

The exemptions provided in Article 63 have several implications for financial institutions and data subjects in Ghana:

1. Regulatory overlap: Financial institutions may be subject to sector-specific data protection regulations rather than the general provisions of the DPA 2012.
2. Public protection focus: The exemption is specifically framed around protecting the public from loss or malpractice, suggesting that financial institutions may have more leeway in processing personal data for these purposes.
3. Scope of exemption: While the exemption covers banking and other financial services, it is not a blanket exclusion for all data processing by financial institutions. The exemption applies only to processing done for the purpose of protecting the public against loss or malpractice.
4. Potential gaps in protection: Data subjects may have different levels of protection for their personal data depending on whether it is processed by a financial institution for purposes covered by this exemption or for other purposes.
5. Compliance considerations: Financial institutions will need to carefully assess which of their data processing activities fall under this exemption and which remain subject to the full provisions of the DPA 2012.

It's important to note that while this exemption provides some flexibility for financial institutions, it does not completely remove them from the purview of data protection considerations. The specific wording of the exemption suggests that it is intended to allow financial institutions to process data necessary for maintaining the integrity and security of financial services, rather than providing a carte blanche for all data processing activities.