The ECOWAS Identity Card, widely referred to as the Ghana Card, is a pivotal instrument for streamlining identity verification in order to advance and ensure economic, political and social activities within Ghana.
First referenced under Section 2(1) of the National Identification Authority Act, 2006 (Act 707), which mandates the National Identification Authority (NIA) to create these national identity cards, this biometric smart card stores unique personal information, including one’s name, date of birth, sex, place and country of birth, fingerprints, facial recognition, residential and postal address, as well as a unique ID number, among others. These personal details are collected pursuant to the provisions of Section 3(2) of the National Identity Register (Amendment) Act, 2017 (Act 950). Therefore, the main objective of the Ghana Card is to act as a secure, universal identification card for Ghanaians and legally resident foreigners in the country.
Notably, the Ghana Card supports access to services such as healthcare, banking and financial services, voter registration, passport issuance, purchasing of insurance policies, driver licence services, and SIM card registration, while advancing modern governance like social security, tax identification, curbing fraud, and promoting financial inclusion.
As a result of the vital information the Ghana Card stores, its widespread adoption brings significant privacy and data protection challenges, underscoring the need to understand its advantages and risks particularly, under Article 18(2) of the 1992 Constitution of Ghana and Data Protection Act, 2012 (Act 2012). These statutory provisions, among other laws, regulate how personal data is collected, processed, used, held and disclosed within Ghana.
Therefore, it is not surprising that the photocopying of an individual’s Ghana Card, a common practice in Ghana, would be deemed a risky way of verification and authentication of a person’s identity.
The Dangers of Photocopying One’s Ghana Card
Photocopying an individual’s Ghana Card may seem harmless, especially when institutions such as banks, telecommunication companies, or corporate businesses request a copy for verification and authentication purposes. However, under Regulation 9 of the National Identity Register Regulations, 2012 (L.I. 2111), verification or authentication of a user of a Ghana Card should only be done using a portable ID card reader and in its absence, scanning the individual’s fingerprints as the Ghana Card biometrically contain the requisite data. Consequently and with respect to the provisions of Article 18(2) of the 1992 Constitution of Ghana and Data Protection Act, 2012 (Act 2012), photocopying can pose significant risks and jeopardise personal information in many ways, some of which are enumerated below:
1. Identity Theft
According to the Bank of Ghana’s 2024 Fraud Reports for Banks, Specialised Deposit-taking Institutions (SDIs), and Payment Service Providers (PSPs), identity theft is one of the most prevalent fraudulent acts on the market in recent times. The report further stated that there was a sharp 33% increase in staff involvement in fraudulent activities across the banking and specialised deposit-taking sector for the year 2024.
Since the Ghana Card contains the cardholder’s sensitive details, a photocopy in the wrong hands when left unattended on unsecured could be scanned or taken by an untrustworthy employee or even another person and used to impersonate the cardholder. For example, a scammer could use an individual’s Ghana Card details to open a fraudulent bank account, make purchases online, engage in fraudulent withdrawals or apply for a loan, leaving the cardholder to deal with the eventual fallout.
2. Unauthorized Sharing
Without a cardholder’s consent, businesses might share the photocopy of the individual’s Ghana Card’s with third parties, such as marketers or partners, violating Section 40 of Act 843 which provides for the right to prevent the processing of personal data for direct marketing. Imagine giving a copy to a telecommunication agent, only to find your details sold to a spam caller, a betting or lottery company for unapproved purposes. This unauthorized sharing can lead to privacy invasions or worse, including targeted scams.
3. Lack of Accountability
When the photocopy of a Ghana Card is handed over to a service provider or any other entity, there is often no clear record of who handles it or how it is used. Where a data breach occurs, it is often difficult to trace the source. For example, a microfinance company may collect a photocopy of one’s Ghana Card to open an account but fail to log who had access to it or lack a secure system to track how it is stored, shared or accessed, leaving the owner vulnerable if the data is misused.
4. Over Collection of Data
Businesses often request a full photocopy of an individual’s Ghana Card when they only need specific details, such as their full name, date of birth, sex, nationality, residence and telephone number. Under Section 19 of Act 843’s principle of data minimality, organizations are entreated to collect and process only what is necessary. For instance, a gym requiring an individual’s personal details to confirm membership, does not need the person’s biometric data or Ghana Card. Extra data increases the risk of misuse if it is lost or stolen.
5. Fraudulent Duplication
The practice of photocopying Ghana Cards can lead to fraudulent duplication as altered copies by unscrupulous individuals can facilitate identity fraud and unauthorized access to personal data. Despite the inclusion of biometric and scannable features in the original Card, visual duplication of the Card enables criminals to produce convincing counterfeits.
6. Unsecure Storage
Many organizations store photocopies in unsecured ways, such as storing paper copies in unlocked drawers or unencrypted digital scans. Thus, an unauthorised access to such photocopies or scans could have dire repercussions.
Conclusion
Photocopying Ghana Cards exposes cardholders to data privacy and security risks. To safeguard personal information, proactive measures must be implemented, and data protection laws must be enforced to the letter.
At August Law, our lawyers advise our clients on compliance with applicable regulations such as the Data Protection Act, and drafting privacy policies, data processing agreements, as well as consent forms. Whether you are an individual facing a personal data breach or a business seeking to comply with data laws, we offer expert advice, comprehensive compliance audits, and representation in disputes where necessary.
Contact us today to ensure your personal information stays secure or to strengthen your organization’s data protection practices.
