NIA Issues Data Rules for Institutions as Identity System Faces Scrutiny

0
National Identification Authority X
National Identification Authority X

Ghana’s National Identification Authority (NIA) has rolled out binding guidelines governing how public and private institutions store, secure, retain, and dispose of personal data drawn from the National Identity Register (NIR), effective Thursday, March 19, 2026.

The guidelines apply to all agencies that access the NIR for verification, identification, and service delivery, a category that spans banks, telecommunications firms, government ministries, hospitals, and regulatory bodies. They set out specific requirements for securing personal information against unauthorised access, define how long institutions may hold such data for operational purposes, and mandate proper disposal procedures once retention periods lapse.

The NIA anchored the new rules in the National Identity Register Act, 2008 (Act 750) and the National Identity Register (Amendment) Act, 2017, both of which empower the Authority to set standards for how its database is accessed and managed by third parties.

The directive arrives at a charged moment for Ghana’s data governance landscape. Just two days before the guidelines took effect, National Communications Authority (NCA) Director-General Rev. Ing. Edmund Yirenkyi Fianko disclosed at a stakeholder engagement that an audit of approximately two million SIM card records from the 2021 to 2023 registration exercise returned zero fingerprint matches against the NIA database. The finding exposed a fundamental gap in how identity data flowed between the two institutions during that exercise.

President John Dramani Mahama subsequently attributed the collapse of the earlier SIM registration to a breakdown in coordination between the Ministry of Communications and the NIA, and announced a new framework requiring each SIM card to be matched against three separate identity systems simultaneously when Ghana’s third registration exercise launches later this year.

The NIA’s new guidelines go beyond procedural compliance. The Authority described them as an effort to instil responsible data management culture among the hundreds of institutions that depend on the NIR daily, and to reduce the risk of breaches, misuse, and data loss before the upcoming registration exercise intensifies pressure on the national identity infrastructure.

Policy think tank IMANI Africa Centre for Policy and Education had specifically called on the NIA to clarify data custody and protection arrangements before any new registration proceeds, describing biometric information as fundamentally different from ordinary data because it cannot be changed if it is leaked or compromised.

Ghana is simultaneously moving on a broader data protection overhaul. Communications Minister Samuel Nartey George announced at the 2026 Data Protection Conference in Accra that a new Data Protection Bill is being drafted to modernise enforcement mechanisms, tighten international data transfer rules, and bring the country’s legal framework in line with the realities of artificial intelligence (AI) and large-scale biometric processing.

Send your news stories to [email protected] Follow News Ghana on Google News