Monday, 25 January

2020 polls: Distribution of EC's confidential information

Feature Article
Jean Mensah, EC Chairperson

Key information about Ghanaian voters has been released and shared by the EC of Ghana over an unrestricted Google Drive account, making it possible for anyone, for any reason, to download the data of all 17 million voters. (The data has been downloaded:*********)

This unrestricted sharing is contrary to Ghana's Data Protection Act, 2012.

The Act is legislation enacted by the Parliament of the Republic of Ghana to protect the privacy and personal data of individuals.

It regulates the process by which personal information is acquired, kept, used or disclosed by data controllers and data processors, by requiring compliance with certain data protection principles.

Non-compliance with provisions of the Act may attract either civil liability, or criminal sanctions, or both, depending on the nature of the infraction. The Act also establishes a Data Protection Commission, which is mandated to ensure compliance with its provisions, as well as maintain the Data Protection Register.

The official EC Google Drive account was used to distribute the information.

The information contained full name, voter ID card and location. The link to the information was also shared on WhatsApp to many people.

The EC has therefore put information about citizens of Ghana directly in the hands of fraudsters, spammers and private organisations who are not under any obligation to protect the information. Fraudsters may use this data to create financial accounts or financial documents.

Most people use their voter ID number to open bank accounts, to register their mobile number, and as primary identification for any official documents.

With a bit of social digital engineering, contacts, photos, location and other personal information could easily be obtained.

This is a clear breach of confidentiality. 

A breach of confidentiality occurs when data or information provided in confidence to you by a client is disclosed to a third party without your client's consent.

While most confidentiality breaches may be unintentional, voters can still suffer financial losses and major security risks as a result. Any Ghanaian on the voter register may take legal action against the EC because this breach is intentional. This breach shows a severe lack of Information Systems Auditors who could produce guidelines to prevent such breaches.

Most organizations in Ghana, including the Controller and Accountant General's Department, have in the past given our critical information to third parties without following the procedure laid down by the Ghana Data Protection Act. Payslips and account details have often been found with roasted plantain and groundnut sellers, used for packaging food.

Some examples of how data confidentiality is breached:

• An IT professional having a laptop stolen that contains sensitive data about their client

• A management or business consultant “accidentally” emailing a confidential attachment containing a client's future business intentions to a competitor

• A recruitment consultant sending a CV to an employer without getting permission from the applicant first

• Sharing an event attendance list with other companies, often with mobile numbers

In some countries, breach of confidentiality claims cost organizations millions of dollars, and that serves as a clear warning.

How can data be protected? There is a range of steps that can minimise the chances of a breach of confidentiality:

1. All managers and key staff in the organization need to be trained in Information Systems Audit so they can understand how to handle information.

2. Manage folder permissions to prevent unauthorised employee access

3. Limit access to 'shared' email inboxes, or cloud servers

4. Encrypt confidential information held on removable media

5. Check with clients whether they consent to sharing potentially sensitive information

The Electoral Commission of Ghana could have built a web or mobile app that would link to a secured database. This app could allow individuals to query the system with their Voter IDs for all the information they want to provide; this could include the GPS location of their polling centre. This app would take our team of developers a maximum of five days to build and test. The EC officers in charge of ICT should undergo intensive management and security training.
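A sketch of the lookup design described above, added here as an illustration and not code from the EC or the writer's team: one Voter ID in, one polling centre out, with a per-client limit so the service cannot be walked to rebuild the register. The 10-digit ID format, the table layout, the limit values and the sample rows are all assumptions.

```python
import sqlite3
import time
from collections import defaultdict, deque

MAX_LOOKUPS = 5         # assumed limit per client per window
WINDOW_SECONDS = 60.0   # assumed window length

def build_demo_register():
    """In-memory stand-in for the secured register; all rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voters (voter_id TEXT PRIMARY KEY, full_name TEXT,"
               " polling_centre TEXT, gps TEXT)")
    db.executemany("INSERT INTO voters VALUES (?, ?, ?, ?)", [
        ("0000000001", "Sample Voter One", "Demo Centre A", "5.6000,-0.1900"),
        ("0000000002", "Sample Voter Two", "Demo Centre B", "6.7000,-1.6200"),
    ])
    return db

class VoterLookup:
    def __init__(self, db, clock=time.monotonic):
        self.db = db
        self.clock = clock
        self.recent = defaultdict(deque)  # client -> timestamps of recent lookups

    def _allowed(self, client):
        now = self.clock()
        stamps = self.recent[client]
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()              # forget lookups outside the window
        if len(stamps) >= MAX_LOOKUPS:
            return False
        stamps.append(now)                # failed lookups count too
        return True

    def lookup(self, client, voter_id):
        if not self._allowed(client):
            return {"status": "rate_limited"}
        # Malformed and unknown IDs get the same answer, so the reply
        # reveals nothing about which IDs exist.
        if not (isinstance(voter_id, str) and voter_id.isascii()
                and voter_id.isdigit() and len(voter_id) == 10):
            return {"status": "not_found"}
        # Parameterised query; only the fields the voter needs are selected,
        # so the name never leaves the database.
        row = self.db.execute(
            "SELECT polling_centre, gps FROM voters WHERE voter_id = ?",
            (voter_id,)).fetchone()
        if row is None:
            return {"status": "not_found"}
        return {"status": "ok", "polling_centre": row[0], "gps": row[1]}
```

In a deployment the client key would be an authenticated session or network identity, and the limit would be enforced in shared storage instead of process memory.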

The writer, Prince Kpasra, is an IT Security Consultant.
