SECURITIES AND EXCHANGE COMMISSION GHANA PRIVACY POLICY

  1. Introduction

The Securities and Exchange Commission (SEC) Ghana’s object is to regulate and promote the growth and development of an efficient, fair and transparent securities market in which investors and the integrity of the market are protected. To achieve its object, the Commission collects and uses data/information including personal data.

Personal data is data about an individual who can be identified from the data or from other information in the possession of or likely to come into the possession of a data controller.

The SEC (we, us) has developed this Privacy Policy to inform stakeholders/data subjects (you) of how the SEC processes (collects, uses, stores and shares) your personal information in keeping with the requirements of the Data Protection Act 2012 (Act 843). It is our way of demonstrating our commitment to the protection of our stakeholders, especially those who visit our website, use our database applications, services and tools, physically contact us, and those who may share their personal data with us.

Information Collected and Stored Automatically when you visit our website.

The SEC generally does not require those who visit its website to give personal information when they visit to read or download information, such as filings, press releases or publications. However, for the purposes of managing and improving our website, we automatically collect some statistical information sent to us by your computer, mobile phone or other electronic access devices you use when you visit our website.

  1. Personal information/data we collect from you.

The SEC may collect personal information including but not limited to the following:

  • Name, date of birth, marital status, nationality, age, health status, well-being, disability status, etc.
  • Identity information such as copies of ID Cards, passports, driver’s license etc.
  • Contact information including email-addresses, residential addresses, telephone numbers etc.
  • Education, medical, financial, employment information etc.
  • Information relevant to customer surveys and/or offers.

The SEC may use information about you that is in the public domain such as information on social media sites. We do not take liability/responsibility for information from such sources as we do not have control over them.

  1. How the SEC collects your personal information

The SEC may collect personal information directly from you or indirectly from other external sources to enable us to fulfil our mandate as a securities market regulator and to meet other national or international legal and regulatory requirements. By choosing to share your personal information with the SEC, you are consenting to our use of that information and permitting it to be shared with our employees and contractors and, in some circumstances, other third parties, for use in official business. It is worth mentioning that information that the SEC shares with third parties is normally in furtherance of the purpose for which you provided the information. When you fail to provide such information as required, the SEC may not be able to provide the product/service you expect.

The SEC may also collect your personal information indirectly from its licensees, other regulators, law enforcement agencies, whistleblowers, media (social, newspapers and others), the public, and all other legal sources.

The SEC collects your personal information when you complete forms, respond to surveys, update your accounts/records on our portals, make enquiries, conduct other activities on our platforms and premises, or associate with us by virtue of employment and other engagements. The nature of personal information required will be determined by the information or service you expect from us.

  1. Consent of Data Subject

Section 20(1) of the Data Protection Act (Act 843) spells out the conditions under which personal data of a data subject may be processed and emphasizes the need for consent of the data subject before data is processed.

“Data Subject” as used in this policy means an individual who can be identified from any information supplied to the SEC.

“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her in the manner specified in this policy.

  1. Rationale for collecting personal information.

  • To understand the needs of stakeholders (investors, members of the general public etc.) in order to provide better services such as responding to enquiries, handling complaints and tip offs, etc.
  • To better manage the relationship between the SEC and its licensees such as processing of licenses, registrations, supervision of business conduct, identification and assessment of contraventions to the laws governing the market etc.
  • For management of onboarding and continuous relationships with employees (prospective and actual), Board Members, other public officers, advisors and consultants etc.
  • To enable the SEC to use the services of third parties and service providers, and the management thereof.
  • For Internal record keeping.
  • To contact stakeholders for research purposes.
  • To share newsletters, reports or other information which we think relevant stakeholders may find interesting.
  • To monitor trends in the capital market, the financial sector as a whole and to identify emerging market conduct risks.

  1. Who we share your information with and how we process your information.

The SEC may disclose your information in fulfilling its mandate, in keeping with relevant national and international laws, as a duty to the public, for the prevention of crime, and to ensure protection of your rights and legitimate interests as well as ours. We may also disclose information you have provided consent for us to disclose. Outlined below is how the SEC processes your personal information and with whom we are likely to share it.

  • Internal processing: Your personal information may be processed by staff of the SEC.
  • Information processing by advisors, consultants and other public officers: Section 13 of Securities Industry Act 2016 (Act 929) as amended provides for use of the services of consultants, advisers and other public officers.
  • Information sharing and processing by other third parties such as other financial regulatory bodies, law enforcement agencies, government institutions and private sector institutions performing government functions, service providers etc.
  • Information sharing and processing by foreign regulatory authorities.

  1. How we protect your personal information

The SEC has in place security systems and controls designed to maintain confidentiality, reduce the risk of loss, misuse, unauthorized access, disclosure and alteration of information in its custody by:

  • Ensuring information stored and processed on its computers and systems is protected from intrusion and cyber-attacks using antivirus software and firewalls. The Commission has physical access controls and information access controls in place to restrict and control access to information. Security vulnerability assessments, scans and penetration tests are conducted periodically by IT staff and occasionally by external experts to reduce cyber security risk.
  • Ensuring compliance with Section 202 of the Securities Industry Act 2016 (Act 929) as amended, which imposes confidentiality restrictions on the Commission, its Board and Officers in the performance of the duties of the Commission.
  • Where the SEC is required to share your personal data with an authority in another country, it is guided by Sections 40 and 41 of the Securities Industry Act 2016 (Act 929) as amended, which require that the SEC take steps to satisfy itself that the foreign regulatory authority has the capacity to protect the confidentiality of the information shared with it. Where the SEC is required to share personal information provided by a foreign regulatory authority to fulfil legal or international regulatory requirements, it is guided by Section 202(6) of Act 929 to notify foreign regulatory authorities before disclosing non-public information received from them to any relevant authority.

  1. Your Rights as a Data Subject

The Constitution of Ghana guarantees data subjects the right to privacy. Privacy rights in relation to the processing of data subjects’ personal information are covered by the Data Protection Act. An obligation is imposed on the SEC to ensure respect for the right to privacy of its stakeholders. Data subjects can therefore exercise their rights in relation to the personal information which the SEC holds as follows:

  • Request access to the personal information held.
  • Prevent processing of personal data.
  • Prevent processing of personal data for direct marketing.
  • Expect that the SEC would take the necessary steps to ensure stakeholder awareness of the purpose for the collection of personal data.
  • Give and withdraw consent.
  • Request rectification, blockage, erasure and destruction of personal information in the possession of the SEC or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
  • Object to the way in which the SEC processes their personal information.
  • Request freedom from automated decision making. This right allows data subjects to require the SEC to ensure that any decision taken by it or on its behalf which significantly affects them is not based solely on processing their personal data by automated means.
  • Request compensation where the SEC’s failure to comply with the requirement of the Data Protection Act causes a data subject to suffer damage or distress.
  • Complain to the SEC about the way it processes their personal information using the contact details of SEC as follows:

Email: info@sec.gov.gh

Telephone: 0302768970-2

In cases of dissatisfaction, complaints may be lodged with the Data Protection Commission using their details below:

Email: info@dataprotection.org.gh

Telephone: +233-(0)256301360.

Please note that the SEC must balance the rights of its data subjects against other competing rights because of the public interest nature of its mandate. The SEC may also rely on certain exceptions which may impact on the rights of data subjects. These exceptions may be explained where possible.

  1. What we will do in case there is a breach

In line with Section 31 of the Data Protection Act, 2012 (Act 843), the SEC will notify the affected data subjects and the Data Protection Commission of any data breaches within a reasonable time frame after the discovery of the unauthorized access and take steps to ensure the restoration of the integrity of the information system.

  1. Links to Other Websites and Premises

The SEC has provided links to other websites we consider may be useful to those who visit our website. Note that the SEC has no control over such websites and does not take responsibility for what happens on them. The SEC does not necessarily endorse or guarantee the content of those sites. The guarantee of privacy is only limited to the SEC website and other information you share with us. Any other link you follow may be subject to other policies. We advise you to assess the security and trustworthiness of such sites before you connect to and share any personal information with them.

  1. Security Advice

Inasmuch as the SEC has a responsibility to protect the information stakeholders have provided, it also wishes to state that all stakeholders have a responsibility to ensure confidentiality of the information shared with the SEC by putting in place their own security measures. The SEC advises all stakeholders not to share any password, username, identification code, or any other information created as part of standard access security requirements with any third party(ies).

The SEC reserves the right to disable identification codes, passwords, and others if it has reason to believe that they have failed to comply with the requirements for access to its systems.

The SEC requests that all stakeholders comply with the physical security protocols on its premises and to deal with only its authorized officers.

  1. Retention of personal information

The Securities Industry Act 2016 (Act 929) as amended provides for a period of keeping records and books under the Act. The SEC is guided by its Data Retention Policy which requires that all data at the SEC is retained for specific periods of time (up to 5 years) unless otherwise indicated in the policy. Personal information is retained and destroyed as required by the policy.

  1. Amendment

The SEC may amend this Privacy Policy at any time to reflect changes in the law, technology, and its processes. A revised version of the policy reflecting the changes made will be posted on the SEC website in place of the previous one. The revised version would be effective 5 days from the date of such publication.