The National Identification Authority (NIA) has introduced new guidelines to regulate how institutions handle personal data obtained from the National Identity Register (NIR), in a move aimed at strengthening data protection and security across Ghana.

The guidelines, which take effect from March 19, 2026, are issued pursuant to Sections 59 and 61 of the National Identity Register Act, 2008 (Act 750), as amended by Act 950.

In a statement signed by its Executive Secretary, Wisdom Kwaku Deku, the Authority said the directive is intended to ensure the secure storage, responsible use, and timely disposal of personal information by all user agencies.

The NIA explained that the move seeks to minimise the risks of unauthorised access, misuse, or loss of personal data, while aligning Ghana’s data governance framework with international standards.

The guidelines apply to a broad range of institutions classified as “user agencies,” including the Ghana Revenue Authority, National Health Insurance Authority, Social Security and National Insurance Trust, and the Ghana Immigration Service, as well as other approved public and private entities that access NIA data.

Under the new regime, these agencies are required to store personal data in secure environments, implement safeguards such as encryption and access controls, and ensure that only authorised personnel can access sensitive information.

The NIA further directed that personal data must only be retained for as long as necessary for the purpose for which it was collected. It outlined specific retention periods, including six months for identity verification, up to two years after service completion for ongoing services, one year for employment vetting, and between five to seven years for regulatory compliance.

Data used for research or statistical purposes may be retained indefinitely, provided it is properly anonymised.

The guidelines also mandate the secure disposal of data once retention periods expire, using approved methods such as shredding for physical records and certified digital deletion standards for electronic data.

In addition, user agencies are required to maintain data retention and disposal policies, keep audit logs, and submit annual compliance reports to the NIA by January 31 each year.

The Authority warned that non-compliance could attract sanctions, including suspension or revocation of access to the NIR, corrective directives, and possible referral to the Data Protection Commission for further action under the Data Protection Act, 2012 (Act 843).

“User agencies may also face civil or criminal liability in cases of data breaches, misuse, or unauthorised access,” the statement noted.

The NIA added that it will conduct periodic audits to ensure compliance and may publish findings of breaches in the interest of transparency.

The guidelines will be reviewed every three years or earlier if necessary, as Ghana continues to expand its digital identity ecosystem.