Key information about Ghanaian voters has been released and shared by the Electoral Commission (EC) of Ghana through an unrestricted Google Drive account, making it possible for anyone, for any reason, to download the data of all 17 million voters. (The data has been downloaded: https://drive.google.com/folderview?*********)
This unrestricted sharing is contrary to Ghana's Data Protection Act, 2012.
The Act is legislation enacted by the Parliament of the Republic of Ghana to protect the privacy and personal data of individuals.
It regulates how personal information is acquired, kept, used or disclosed by data controllers and data processors by requiring compliance with certain data protection principles.
Non-compliance with provisions of the Act may attract either civil liability, or criminal sanctions, or both, depending on the nature of the infraction. The Act also establishes a Data Protection Commission, which is mandated to ensure compliance with its provisions, as well as maintain the Data Protection Register.
The official EC Google Drive account was used to distribute the information.
The information contained full name, voter ID card and location. The link to the information was also shared on WhatsApp with many people.
The EC has therefore put information about citizens of Ghana directly in the hands of fraudsters, spammers and private organisations that are under no obligation to protect it. Fraudsters may use this data to create financial accounts or financial documents.
Most people use their voter ID number to open bank accounts and register their mobile number, and it serves as primary identification for any official documents.
With a bit of social digital engineering, contacts, photos, location and other personal information could easily be obtained.
This is a clear breach of confidentiality.
A breach of confidentiality occurs when data or information provided in confidence to you by a client is disclosed to a third party without your client's consent.
While most confidentiality breaches may be unintentional, voters can still suffer financial losses and major security risks as a result. Any Ghanaian on the voter register may take legal action against the EC because this breach is intentional. This breach shows a severe lack of Information Systems Auditors who could produce guidelines to prevent such breaches.
Most organizations in Ghana, including the Controller and Accountant General’s Department, have in the past given our critical information to third parties without following the procedure laid down by the Ghana Data Protection Act. Payslips and account details have often been found with roasted plantain and groundnut sellers, used for packaging food.
Some examples of how data confidentiality is breached:
• An IT professional having a laptop stolen that contains sensitive data about their client.
• A management or business consultant “accidentally” emailing a confidential attachment containing a client's future business intentions to a competitor.
• A recruitment consultant sending a CV to an employer without getting permission from the applicant first.
• Sharing event attendance lists with other companies, often with mobile numbers.
In some countries, breach of confidentiality claims cost organizations millions of dollars, and that serves as a clear warning.
How can data be protected? There is a range of steps that can minimise the chances of a breach of confidentiality:
1. All managers and key staff in the organization need to be trained in Information Systems Audit so they can understand how to handle information.
2. Manage folder permissions to prevent unauthorised employee access
3. Limit access to 'shared' email inboxes, or cloud servers
4. Encrypt confidential information held on removable media
5. Check with clients whether they consent to sharing potentially sensitive information
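Steps 2 and 3 can be checked mechanically for a cloud drive. The sketch below is an added example, not code from the EC or from the writer: it reviews a listing of file sharing settings and flags anything readable beyond named accounts. It assumes the listing has already been exported in the shape of the Google Drive API v3 "permissions" field; the file names, the example.org domain and the severity labels are constructed for illustration.

```python
# SAMPLE_FILES is constructed; entries mimic the "permissions" field of the
# Drive API v3 file resource (type, role, allowFileDiscovery, domain).
SAMPLE_FILES = [
    {"name": "register_region_A.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ict@example.org"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"name": "register_region_B.pdf", "permissions": [
        {"type": "anyone", "role": "writer", "allowFileDiscovery": True}]},
    {"name": "staff_rota.xlsx", "permissions": [
        {"type": "domain", "role": "reader", "domain": "example.org"}]},
    {"name": "polling_centres.csv", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ict@example.org"}]},
    {"name": "unknown_acl.pdf"},  # ACL not visible to the auditing account
]

WRITE_ROLES = {"writer", "fileOrganizer", "organizer", "owner"}


def classify(permission):
    """Return (severity, reason) for one permission, or None if it is restricted."""
    ptype, role = permission.get("type"), permission.get("role")
    if ptype == "anyone":
        if role in WRITE_ROLES:
            return "critical", "anyone can edit"
        if permission.get("allowFileDiscovery"):
            return "critical", "public and searchable"
        return "high", "anyone with the link can read"
    if ptype == "domain":
        return "medium", f"whole domain {permission.get('domain', '?')} has access"
    return None


def audit(files):
    """Return (name, severity, reason) for files shared beyond named accounts."""
    findings = []
    for f in files:
        if "permissions" not in f:  # cannot prove it is restricted: flag it
            findings.append((f["name"], "review", "permissions not visible"))
            continue
        for p in f["permissions"]:
            result = classify(p)
            if result:
                findings.append((f["name"], *result))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit(SAMPLE_FILES):
        print(f"{severity:8} {name}: {reason}")
```

Any "high" or "critical" finding on a file holding personal data means the sharing setting should be changed to named accounts before the link is circulated.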
The Electoral Commission of Ghana could have built a web or mobile app linked to a secured database. This app could allow individuals to query the system with their Voter IDs for all the information they want to provide; this could include the GPS location of their polling center. This app would take our team of developers a maximum of five days to build and test. The EC officers in charge of ICT should undergo intensive management and security training.
The writer, Prince Kpasra, is an IT Security Consultant.