Ghana DPA · Act 843
Data Protection Statement.
How DDR Technologies approaches Ghana's Data Protection Act, 2012 (Act 843) — for the hospitals that run DDRT, and for the patients whose care it records. Last updated 6 July 2026.
The roles, plainly. When a hospital runs DDRT, the hospital is the data controller: patient records belong to the institution and its patients, never to us. DDR Technologies acts as a processor only where a deployment requires it — and on an on-premises deployment, patient data lives on the hospital's own hardware, inside the hospital's own walls. We designed for that deployment model precisely so that “where is our data?” has a one-word answer: here.
What the platform enforces by architecture. Access is denied by default and granted explicitly — to a person, in a role, for a reason. Sensitive fields carry their own guards, not just whole screens. Every write is audited, and so are reads of sensitive records — attributable and tamper-evident. Data is encrypted in transit and at rest. These are platform guarantees, not configuration suggestions; the security overview describes each one and how to verify it in a demo.
Act 843 principles we build to. Lawfulness and consent management for processing; purpose limitation — clinical data serves care, billing serves billing, and cross-use is a permission, not a default; data minimisation in what integrations and AI features can see; accuracy through validation and audit; retention that the controller configures; and security safeguards as above. Patient rights of access, correction, and erasure are workflows the hospital can execute in the system — not letters we hope someone answers.
AI features. Assistants in DDRT read through the same permission model as the person using them, every AI read is audited like any other read, and models can run entirely on the hospital's own hardware — patient data never has to leave the building to make the software intelligent.
What we don't claim. We claim alignment with Act 843 by design, and we put it in contracts. Certifications we don't hold yet (ISO 27001 is on the roadmap) are stated as roadmap on the security page — published honestly, never claimed early. Registration and filings with Ghana's Data Protection Commission are handled per deployment with each customer, where the controller's obligations actually sit.
Website visitors. This site itself collects almost nothing — the Privacy Policy covers it in four paragraphs.
Questions, requests, or concerns — including anything under Act 843: hello@ddr-technologies.com. Security disclosures: security@ddr-technologies.com.