New NIA directive sets limits on how agencies handle personal data
The National Identification Authority (NIA) has rolled out compulsory guidelines outlining how organisations that access data from the National Identity Register (NIR) must store, protect, and dispose of such information, effective Thursday, March 19, 2026.
Issued under the National Identity Register Act, 2008 (Act 750), as amended by Act 950 of 2017, the directives target “user agencies”, including banks, telecom companies, public institutions, and other entities that regularly retrieve personal data from the NIR for verification and administrative purposes.
According to the NIA, the guidelines are intended to ensure that personal data is securely stored and retained only for as long as necessary, while encouraging responsible data handling and reducing the risk of unauthorised access, misuse, or data loss.
The Authority further noted that the measures are designed to enforce compliance with Ghanaian laws and align with global standards on data protection and information security.
Legally, the directives are grounded in Sections 59 and 61 of Act 750, which empower the NIA to define how long personal data may be retained by user agencies and provide direction on how such data should be managed after collection.
In effect, organisations that rely on NIR data, whether for SIM registration, financial onboarding, or government service delivery, must now adhere to a defined regulatory framework that sets clear limits on data retention and prescribes strict security requirements.
This development comes as Ghana continues to expand its digital identity system. The Ghana Card, issued by the NIA, has become essential for everyday activities, including opening bank accounts, accessing public services, and registering SIM cards. The growing volume of personal data handled by these agencies has made stronger data governance increasingly necessary.
Although the Data Protection Act, 2012 (Act 843) already sets general standards for processing personal data, the new guidelines provide more specific direction.
User agencies are therefore required to review and implement the guidelines immediately from Thursday, March 19, 2026.
About The Author
