Environmental and social assessment practitioners handle sensitive community data every day — but how many are doing so lawfully? Our latest webinar brought in a leading voice from the Data Protection Commission to unpack exactly what Act 843 means for EIA consultants and their clients.

Why Data Protection Matters in Environmental Practice

The fifth edition of our Webinar Series on Data Protection and Privacy in Environmental Assessment Practice convened practitioners, consultants, and regulators for an important conversation that sits at the intersection of two worlds: environmental law and data governance.

The featured presenter, Mr. Kwabena Okyere Duah of the Data Protection Commission of Ghana, guided participants through the obligations that flow from Act 843 — Ghana’s Data Protection Act — with a specific focus on how those obligations apply during project planning, environmental impact assessment (EIA), stakeholder consultation, reporting, and post-project monitoring.

“The goal is to help practitioners handle stakeholder data lawfully and ethically — from the very first community engagement all the way through to final reporting.”

Mr. Kwabena Okyere Duah, Data Protection Commission

Key Concepts Every Practitioner Should Know

Mr. Duah opened with a grounding in the language of the law, clarifying terms that are frequently misunderstood in practice:

Core Definitions under Act 843

  • Personal Data: Any information that uniquely identifies an individual, including names, contact details, and even opinions expressed during stakeholder consultations.
  • Processing: Any activity conducted on personal data. Collecting, storing, sharing, anonymising, or deleting it all counts as “processing”.
  • Data Controller: The entity (firm or client) that determines the purpose and means of processing personal data.
  • Data Processor: A third party that processes data on behalf of a controller. Note: Employees of a firm are data recipients, not processors.
  • Consent: A clear, informed, and voluntary agreement by a data subject to have their personal information processed.

Compliance: What Organisations Must Do

Compliance is not optional, and the presenter was clear that both consulting firms and their clients carry obligations under the Act if personal data is being processed.

Registration with the Commission

Any organisation that intends to process personal data must register with the Data Protection Commission. This applies to EIA consultants, social assessment firms, and the project developers who commission them. Once registered, organisations become subject to the Commission’s monitoring, audits, and investigations — and their details appear on the public compliance register.

Policies, Procedures and Records

Beyond registration, organisations are expected to maintain data protection policies, establish appropriate data retention schedules, keep records of all processing activities, and maintain a breach register for documenting any incidents where personal data is compromised.

The Eight Data Protection Principles

Organisations must comply with all eight principles:

  • Lawfulness of processing
  • Purpose specification — data collected for one purpose cannot be used for another
  • Compatibility of further processing
  • Adequacy — collect only what is necessary (data minimisation)
  • Accuracy
  • Data subject participation rights
  • Data security
  • Accountability

Navigating Consent in Community Consultations

One of the most practical questions raised by participants was how to obtain valid consent from community members — particularly in areas with low literacy levels.

Mr. Duah clarified that consent does not have to be in writing to be valid, but it must be documented. Whether consent is given verbally or in writing, the practitioner must be able to evidence that it was given, that the person understood what they were agreeing to, and that appropriate security measures were in place when that information was recorded. This could take the form of audio recordings, witness sign-off, or pictorial consent forms adapted for non-literate participants.

“Evidence of consent is what matters. The form it takes can be adapted to the context — but you must be able to show that it happened.”

Mr. Kwabena Okyere Duah

Sharing Data with Regulators: A Delicate Balance

A recurring theme in the Q&A was the tension between data protection obligations and the practical need to include community data — names, grievances, locations — in EIA reports that are subsequently submitted to regulators and may become public documents.

Mr. Duah’s guidance here was nuanced:

  • Regulators have a legal basis for requesting certain data — but that doesn’t mean every piece of personal information collected must be handed over.
  • Where possible, anonymise personal information before including it in public documents. The goal is to demonstrate community engagement without unnecessarily exposing individuals.
  • When data must be shared with regulators, consultants should put in place binding clauses or data processing agreements that specify how the regulator will handle the information.
  • Practitioners should inform regulators about the specific purposes for which information is being shared and should not provide more data than what is legally required.

Mr. Duah acknowledged that there is currently a gap in Ghana’s data governance framework around systematic data sharing between environmental regulators and other institutions — a challenge the Commission is aware of and working to address.

Data Retention: How Long Is Long Enough?

The standard retention period under Ghanaian law is six years. However, organisations may retain personal data beyond this period if they can document a clear justification and demonstrate that adequate security measures remain in place throughout the extended retention period. Environmental projects with long operational lifespans – mines, power plants, and large infrastructure – may have legitimate grounds for longer retention, but this must be deliberately planned and documented.

Privacy Impact Assessments

The session also highlighted the role of Privacy Impact Assessments (PIAs) as part of the registration and compliance process. A PIA is a structured exercise to identify how a project or process may affect individuals’ privacy, and to put measures in place to mitigate those risks before they materialise. For practitioners, integrating a PIA into the early stages of project design — alongside the conventional EIA scoping exercise — is emerging as good practice.

What This Means for Your Practice

Whether you are a sole consultant or a large multi-disciplinary firm, the message from this webinar is clear: data protection compliance is not a bureaucratic afterthought. It is a professional obligation that runs through every stage of environmental assessment work — from the first community meeting through to post-closure monitoring reports.

Immediate action points for practitioners

  • Check whether your firm and your clients are registered with the Data Protection Commission.
  • Review your stakeholder engagement templates — do your consent forms clearly explain how data will be used, stored, and shared?
  • Introduce anonymisation as a default practice for any community data included in public-facing reports.
  • Put data processing agreements in place before sharing stakeholder information with third parties, including regulatory agencies.
  • Establish a data retention schedule and breach register if you do not already have one.
  • Appoint a data protection supervisor within your organisation.

This article is based on the proceedings of the fifth edition of our Webinar Series on Data Protection and Privacy in Environmental Assessment Practice. The session was presented by Mr. Kwabena Okyere Duah of the Data Protection Commission of Ghana and facilitated by Ewurama on behalf of the training team.

Have questions that were not covered in the session? Reach out directly to the training team at training@dataprotection.org.gh — they are happy to assist with follow-up queries.