File photo
Background
Ghana’s Right to Information Act, 2019 (Act 989) was passed into law in September 2019 after over two decades of political innuendos. Though Ghana’s constitution stipulates the right of citizens to access public records, it was quite a logrolling effort trying to find any records pertaining to government’s activities. This Act thereby gives individuals a statutory right to have access to a huge amount of information held by government institutions and public bodies.
Under the Act, anyone of any nationality, and living anywhere in the world, can make a written request for information and expect a response within 20 working days. The public authority will be obliged to meet that request subject to a number of specified exemptions and certain practical and financial constraints. The Act imposes a substantial burden on heads of public institutions to ensure proper recordkeeping practices to meet the requests from the public. The primary impact of the Act will not only be on public institutions but will have a knock-on effect on private companies dealing with public institutions.
What does this mean for public sector institutions?
The public sector employer (the government) is faced with a new challenge of meeting the huge requests for information that would be coming from not only Ghanaians but anyone who has interest in the activities of government. While the aim of the Act is to increase openness in the public sector and disclosing information about decisions and activities of governments, it is recognized that public institutions might be overwhelmed with the need to create or capture, maintain, secure, and distribute government records in a responsible manner. Public institutions would also be faced with the challenge of identifying and extracting personal data from the data they retrieve for information requesters. This means that government institutions need to improve how they manage public records and make commitments towards improving records management infrastructure and leadership. Considering the fact that at the core of the RTI Act is the need to make government “records” available to the public, it would be counter-intuitive for public institutions to ignore their core mandate in this venture – which is, effectively managing the entire life-cycle of government records.
Even more, there is a bigger responsibility on the part of the Public Records and Archives Administration Department (PRAAD) and the National Information Technology Authority (NITA) as government institutions with the oversight responsibility for effective records management and the management of government’s IT infrastructure. There needs to be a strong collaboration between these two institutions and the RTI commission to ensure that the right policies and procedures, and appropriate technology are developed and implemented for effective information management in public institutions.
How does the Act apply to private sector institutions?
Although it may seem that the Act will mainly impact the activities of public institutions, in practice it will also have some measured impact on the private sector. While there are limited circumstances where a private company may be deemed a “public” entity for the purposes of the Act (and therefore may be required to disclose information that it holds), the more concerning effect of the Act relates to type of information that private sector businesses hand over to the public sector. Most public institutions regularly contract private companies for the provision of goods and services. Many of these contracts contain sensitive information which the private companies would rather not be disclosed. However, all this information is held by public authorities and, in theory, is now accessible by anyone requesting it.
If a public institution receives an RTI request and decides they need to disclose information that relates to your business, this may have a significant impact on your commercial or other interests. A public body would normally be expected to take reasonable steps to contact and consult with a third party regarding the release of such information. This is typically known as 'third party consultation'. The RTI Act will apply to your private business if:
• the information you share with a public body is subject to an RTI request
• the information you share is published under the public institution’s publication scheme
• your business deals with public or regulatory bodies (E.g. through grants, licenses, research, tenders, and many others)
• your business has a public-private partnership agreement with a government institution
It should be noted however that not all information is liable to be disclosed under the law. Certain types of information, for example, financial or personal records may be exempt from disclosure. Types of information at risk of disclosure under the RTI Act include but not limited to:
• information that you give to regulators in reports, annual returns, investigations
• public tenders or contracts information
• commercial agreements
• your responses to public consultations
• information relating to planning procedures and proposed developments for public projects
If public institutions have confidential or commercially sensitive information on your business due to your dealings with them, such information may be exempt if they are properly classified.
How to minimize the risk of RTI disclosure
If you plan to or are already rendering services to any government institution, then you cannot avoid the risks associated with disclosing information to public authorities. However, you can minimize the extent of disclosure in several ways. For example:
• Improve your records management practices to ensure there is an effective governance framework around the creation, receipt, use, storage, security, distribution, and disposition of company records. Remember that if there is an information request to which your organization is liable for retrieval, you could be facing legal actions if you are unable to meet the request. This is the best time to invest generously in your records management department.
• Review your business processes and identify the types of information you deem confidential or commercially sensitive. Classify these documents by clearly labelling them 'confidential' or 'restricted', then think carefully if it is necessary to disclose any of them at any point in time. Submit sensitive information separately from less-sensitive information to reduce the risk of accidental disclosure. Keep in mind that the exemption that applies to confidential information is a very narrow one and that it only applies in certain limited circumstances. It is best to task your legal team to explore the exemptions clauses of the Act to obtain some clarity.
• Do not rely on vague confidentiality clauses. Properly document the specific details of your classified records and sign them off as official business documents. Carefully review the terms and conditions for dealing with public institutions and try to minimize the impact of the Act on your business.
• When drafting your contracts or agreements, require that your “consultation rights” be respected. That is, the right to be informed before the public institution makes any disclosure. This may give you a chance to take action to protect your business before the information goes public.
• Develop and implement internal document exchange policies and procedures for sharing of company information with public institutions or third parties who have links with government. This process will record all the information you share with public institutions and review them regularly. Consider assigning this responsibility to the records management team.
• Be aware that information which is passed to public authorities may contain employees or certain individuals’ information. Thought should be given to consulting any affected third parties prior to releasing the information, else you could be in trouble for violating their data protection rights.
• Orient your staff on RTI requirements, data protection rights, and the potential risk of information disclosure. This will guide them in their dealings with such institutions. Consider providing your staff with frequent refresher training on RTI requirements, alerting them of their right to object to disclosure of personally identifiable information (PII) under the Data Protection Act, 2012 (Act 843).
How to use the RTI Act to your business’ advantage
While the RTI Act can present a certain risk for your business, it can also provide an opportunity to gain useful information. Public sector organizations may hold information that is relevant to your business or industry. For example, this can be information on their procurement processes, previous bid proposals or existing public contracts, and even information on your competitors. You have the right to request this information under the Act. You may not get all the information you ask for – especially if it would result in someone's personal details or commercial secrets being revealed. Before you make a request for information, you should check if the information is:
• already in the public domain
• available elsewhere, example, through a public institution’s publication scheme or their website
Conclusion
I will conclude on a cautionary note, that private organizations should resist the temptation to ignore the impact this Act has on their business, because if they find themselves entangled in the web of the law, they may lose money, their reputation, or their entire business. The same admonishment goes to public institutions and governments who may want to downplay the need to put “their house in order”. It is essential for both sectors to implement systems, policies, procedures, trainings, and raise awareness within their organisations as to how the Act should be dealt with.
