Status regarding Budapest Convention
Status: Observer
In July 2015, the Ministry of Communications produced the final draft of the National Cyber Security Policy & Strategy, which has received Cabinet approval. It is hoped that the implementation of this strategy will form an effective structure for increasing Ghana’s cyber security by enhancing the sharing of information to provide a targeted, de-conflicted, national response.
This will provide the foundation for the creation of a new National Cyber Security Centre (NCSC) under the control of the NSC which will be pivotal to improving communications and de-confliction among relevant organisations. Together with the formation of a National Cyber Crime Awareness Program and a National Cyber Security Crisis Management Plan it is hoped that this strategy will improve awareness of cybercrime amongst the population and also the manner in which the Government responds to it.
There is no separate strategy covering cybercrime specifically, although cybercrime is one of the key threat areas that the proposed National Cyber Security Centre will look to address as dictated by the National Cyber Security Policy & Strategy.
State of cybercrime legislation
Ghana adopted the Electronic Transactions Act (“ETA”) in 2008. ETA is a comprehensive piece of legislation that provides for many cybercrime offences and procedural powers with respect to the handling of electronic evidence.
Other legislation such as the Economic and Organised Crime Act, 2010 (“EOCA”) and Security and Intelligence Agencies Act, 1996 (“SIAA”) also provide procedural powers with respect to investigation of cybercrime.
The definition of cybercrime across the board is focused primarily on financial fraud and SIM Box offences and not on other serious cybercrimes such as illegal access, illegal interception, data interference and system interference.
ETA provides for many of the definitions required by the Budapest Convention. The definition of computer system, for instance, which is based upon the Commonwealth Model Law, is largely consistent with the Budapest Convention. However, certain integral definitions are either technically problematic or missing from ETA. For instance, there is a general lack of distinction in the law between the different forms of data, namely content data, traffic data and subscriber information.
ETA provides for an offence of unauthorised access to a “protected computer”, and of accessing (or intercepting) any “electronic record” without authority or permission. However, it does provide for an offence that extends to unauthorised access to computer systems in general.
The definition of “access” under ETA conflicts with the definition of “unauthorised access” and is redundant.
ETA criminalizes access or interception of any electronic record without authority or permission.
There is no specific section that criminalizes system interference, i.e. the serious hindering of the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data. Although certain provisions may be inferred to extend to this offence of system interference, they do not cover all these elements and are hence limited in their scope.
Ghana’s legislation is missing specific dedicated provisions relating to computer-related fraud and computer-related forgery. Rather, the ETA extends Ghana’s already-existing legislation relating to traditional forgery (Criminal Offences Act, 1960) to acts of forgery committed by use of an electronic medium or in electronic form. The Criminal Offences Act, 1960 does not cover inauthentic data being relied upon, and only deals with corporeal matters and physical property.
ETA has a comprehensive provision criminalizing the act of publishing, producing, procuring or possessing child pornography through or in a computer system.
With regard to offences related to infringements of copyright and related rights, the Ghana Copyright Act, 2005 extends to programs and software (i.e. source code) but does not offer protection to computer data generally, and therefore appears to exclude digital images and literature from protection as copyrighted work.
ETA generally provides for sufficient procedural safeguards with respect to the procedural powers provided therein, and to that extent is compliant with Article 15 of the Budapest Convention.
With respect to preservation and partial disclosure of traffic data, ETA does not have any provisions corresponding to the Budapest Convention. Due to the absence of any distinction between traffic data and content data, although traffic data may be preserved under the ETA, Ghanaian law enforcement agencies may not request partial disclosure of traffic data without obtaining a warrant.
ETA enables law enforcement officers to execute production orders and to that extent it is consistent with the Budapest Convention. However, it is framed in terms of ordering production of a computer rather than computer data.
EOCA also provides law enforcement officers with the power to apply to court for production orders. However, any application for a production order must state that a person specified in the application is subject to investigation pending confiscation of that person’s property or for committing a serious offence. “Prohibited cyber activity” does not fall under the definition of “serious offence” and thus this power may not be used with respect to ordinary cybercrimes that do not otherwise fall under the definition of “serious offence” under EOCA.
ETA provides a comprehensive framework for seizure of stored computer data which provides for sufficient powers and judicial safeguards. EOCA also provides powers to law enforcement officials to conduct search and seizure but again, this power is restricted to serious offences.
With respect to electronic evidence, there are no guidelines in place, statutory or otherwise, that provide how electronic evidence is to be treated for the purposes of court. Moreover, there are no rules relating to admissibility and inadmissibility of electronic evidence in court.
Related laws and regulations
- Electronic Transactions Act (“ETA”), 2008
- Data Protection Act (“DPA”), 2012
- Economic and Organised Crime Act, 2010 (“EOCA”)
- Security and Intelligence Agencies Act, 1996 (“SIAA”)
- Anti-Money Laundering Act, 2008 (“AMLA”)
- Mutual Legal Assistance Act, 2010 (“MLAA”)
Ghana National CERT (CERT-GH) was established in August 2014 by the Ministry of Communications and is a positive step towards safeguarding Ghana’s cyber space.
The National Information Technology Agency (NITA) under the Ministry of Communications is responsible for enhancing Ghana governmental network infrastructure.
The Financial and Economic Crimes Court (FECC) is a specialized court that has been trained in hearing anti-money laundering cases and also handles other cybercrime cases.
The National Security Council (NSC) runs a cybersecurity working group that aims to steer Ghana’s law enforcement response to cybercrime and cyber security.
Ghana Police Service established a Cybercrime Unit as part of the Criminal Investigations Division (CID).
The Bureau of National Investigations (BNI) is the internal intelligence agency of Ghana and has investigative jurisdiction to detain, arrest and interrogate in respect of a wide range of criminal offences, including cybercrime.
The Economic and Organized Crime Office (EOCO) is a specialized organized crime law enforcement and prosecution agency. Within EOCO’s mandate are the investigation and prosecution of serious offences that involve financial or economic crimes (in relation to the Government or a state-owned entity), money laundering, human trafficking, tax fraud, prohibited cyber activity and other serious offences.
The Data Protection Commission (“DPC”) is an independent statutory body established under DPA to regulate the processing of personal information and provide processes to obtain, hold, use and disclose personal information.
The Ministry for Gender, Children and Social Protection is the Governmental institution responsible for assessing and reporting cases involving children. The Domestic Violence and Victim Support Unit (DOVVSU) (formerly known as the Women and Juvenile Unit) is a department of the Ghana Police Service that is tasked with the investigation and prosecution of domestic violence and child abuse cases.
The Financial Intelligence Centre (FIC) is responsible for monitoring transactions and flagging transactions that involve predicate offences. FIC has adopted a progressive role in investigating various financial offences including financing of weapons of mass destruction. FIC does not have power to freeze assets other than bank accounts and thus may not freeze assets such as crypto-currencies and virtual currencies that are used to commit cybercrimes.
Ghana has not signed or ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
The Mutual Legal Assistance Act, 2010 (“MLAA”) provides for the implementation of mutual legal assistance treaties and other arrangements for cooperation with other countries in respect of criminal matters.
Competent authorities and channels
Police prosecutors can prosecute cybercrime cases in Ghana. However, as a matter of practice, SIM box fraud cases are usually sent to the Attorney General’s Department (AGD) for prosecution before the High Court.