The National Identification Authority (NIA) has introduced new guidelines imposing strict timelines and security measures for the handling of personal data accessed from the National Identity Register (NIR).
The directive, which takes effect from March 19, 2026, is issued under Sections 59 and 61 of the National Identity Register Act, 2008 (Act 750), as amended, and is aimed at strengthening accountability among institutions that rely on national identity data.
In a statement signed by Executive Secretary Wisdom Kwaku Deku, the Authority said the guidelines establish clear rules on how long user agencies can retain personal information and how such data must be securely stored and eventually disposed of.
Under the new framework, institutions are required to retain personal data only for specific periods depending on its purpose. These include six months for identity verification, up to two years after the end of a service, one year for employment checks, and between five to seven years for regulatory compliance.
The NIA emphasised that any data retained beyond these periods must be justified and approved, warning that failure to comply could attract sanctions.
The guidelines apply to a wide range of institutions, including the Ghana Revenue Authority, National Health Insurance Authority, Social Security and National Insurance Trust, and the Ghana Immigration Service, among others.
Additionally, all user agencies are required to adopt robust security systems such as encryption and access controls, maintain audit records, and submit annual compliance reports to the NIA.
The Authority warned that breaches of the guidelines could lead to suspension or revocation of access to the NIR, as well as possible legal action under the Data Protection Act, 2012 (Act 843).
The NIA says the move is part of broader efforts to safeguard personal data and ensure responsible use of Ghana’s growing digital identity infrastructure.
