Is Ghana and other Developing Countries Embracing AI Governance?

AI governance refers to the rules, norms, and policies that are put in place to ensure that artificial intelligence (AI) is developed and used responsibly and ethically. As AI technology continues to advance and become more prevalent in our daily lives, the need for effective AI governance becomes increasingly important.

One of the major challenges of AI governance is managing the potential risks and negative consequences that can arise from the use of AI. These can include issues such as bias in AI algorithms, losing jobs because of automation, and the potential for AI to be used for malicious purposes. To address these concerns, governments, businesses, and other organizations are developing frameworks and guidelines for the responsible development and deployment of AI.

One example of an AI governance framework is the "Four Principles of AI Governance" developed by the UK government. These principles are accountability, transparency, fairness, and human rights. These principles aim to guide how to ensure that AI is developed and used in a way that is transparent, accountable, fair, and respects the rights of individuals. Other examples from private and government organizations are The Aletheia Framework by Rolls Royce, The Data Ethics Framework, The proposed model AI Governance Framework v2 by Singapore Personal Data Protection Commission, and the Ethics, Transparency, and Accountability framework for Automated Decision-making by the UK government.

Another important aspect of AI governance is the development of standards and guidelines for the ethical use of AI. This can include issues such as ensuring that AI systems are fair and that they do not discriminate against certain groups of people. It can also involve ensuring that AI systems are transparent and explainable so that those who are affected by them can understand and question their decisions.

In addition to these more general principles and guidelines, there are also specific areas of AI governance that are being addressed by governments (in jurisdictions where the use of AI and advanced technology is in the advanced stage), businesses, and other organizations. For example, there is a growing concern about the potential use of AI in the criminal justice system, and how it might decide about sentencing, parole, and other aspects of the justice system. To address these concerns, organizations such as the Partnership on AI have developed guidelines for the ethical use of AI in the criminal justice system.

Overall, AI governance is an important and rapidly evolving field focused on ensuring that AI is developed and used responsibly and ethically. By establishing frameworks, guidelines, and standards for the responsible use of AI, we can help to mitigate the potential risks and negative consequences of this powerful technology and ensure that it is used to benefit society.

Governance of AI needs to start from the very top of decision-making in Ghana. The government should encourage the Ministry of Communication and its agencies to think of developing policies, strategies, and a national AI Governance framework.

As a nation, we need guardrails on AI to ensure that it is developed and used responsibly and ethically. As AI technology continues to advance, it has the potential to bring significant benefits to society, but it also has the potential to cause harm if it is not carefully controlled.

Some of the potential risks and negative consequences of AI include:

• Bias in AI algorithms, which can cause unfair and discriminatory outcomes
• Losing jobs due to automation
• The potential for AI to be used for malicious purposes, such as hacking or cyber-attacks.
• The potential for AI to make decisions that have negative consequences for individuals or society

By putting guardrails in place, we can help to mitigate these risks and ensure that AI is developed and used in a way that is responsible and ethical. These guardrails can take many forms, including frameworks, guidelines, and standards for the development and use of AI. They can also include regulatory measures and oversight mechanisms to ensure that AI is used in a way that is consistent with ethical and legal norms.

Overall, guardrails on AI are important because they help to ensure that this powerful technology is used for the benefit of society, rather than causing harm. By putting effective guardrails in place, we can help to ensure that ethical and responsible principles guide the development and use of AI and that it contributes to a more just and equitable world.

This call for guardrails and AI governance might sound abstract to many in developing countries like Ghana, but we should all know that AI is here and is even embedded into most technologies we currently use. Yes, AI governance is important for both developing and poor countries. While AI can bring significant benefits to all countries, including those that are developing or poor, it also can cause harm if it is not carefully controlled. Therefore, it is important for all countries, regardless of their level of development, to have effective AI governance in place.

In developing countries like Ghana, AI governance can help to ensure that AI is used in a way that benefits the people of those countries. For example, AI can improve healthcare, education, and other essential services. It can also create new jobs and economic opportunities, which can help to reduce poverty and inequality.

However, without effective AI governance, there is a risk that AI could be used in a way that is unfair or discriminatory, or that it could have negative consequences for the people of developing and poor countries. For example, AI could automate jobs and replace workers in developing and poor countries, leading to job losses and economic hardship. Or it could make decisions that are biased against certain groups of people, leading to unfair and discriminatory outcomes.

By putting effective AI governance in place, developing and poor countries can help to ensure that AI is used in a way that benefits their people, and that it contributes to social and economic development. This can include establishing frameworks and guidelines for the responsible use of AI, as well as regulatory measures and oversight mechanisms, to ensure that AI is used in a way that is consistent with ethical and legal norms.

Overall, AI governance is important for both developing and poor countries, as it can help to ensure that AI is used in a way that benefits society, rather than causing harm. By putting effective AI governance in place, countries can help to ensure that the development and use of AI contribute to a more just and equitable world.

 Author: Samuel Hanson Hagan - Member, Institute of ICT Professionals Ghana (IIPGH)

For comments, contact the author via shhagan@gmail.com or Mobile (WhatsApp): +233507393640

The Institute of ICT Professionals, Ghana (IIPGH) is a professional association of members from various domains of Information and Communication Technology (ICT) practice. The Institute is a connector of ICT professionals from Government MDAs, educational institutions, corporate organizations, start-ups, investors, and the civil society organizations to create a vibrant ICT ecosystem. 

It aims at using its platform to equip professionals and students with skills in emerging technologies needed for entrepreneurship and employment in today’s fast-moving technological world. In addition, use the expertise at its disposal to advise stakeholders on best practices and public policies that would enable the use of ICT in achieving the Sustainable Development Goals (SDGs).

Source: iipgh.org

Responding to Data Breaches

Data breaches are a reality in today’s business world. Experiencing one or hearing about one is no longer a surprise to many, especially professionals in the security industry because there is no wholly secured system. The best line of defence is a thorough and ongoing data security program. Therefore, having the plan to respond to and recover from a security breach is essential for every organization of any size. No company, big or small, is immune to a data breach. Many small and medium companies falsely believe they can elude the attention of hackers or cybercriminals, yet studies have shown the opposite is true. According to the Symantec SMB Threat Awareness Poll Global Results, 40 percent of the data breaches in 2011 were at small to mid-sized companies.

What is a data breach?

A data breach is unauthorized access to, disclosure of, or loss of the personal, health, and sensitive information that an organization holds or processes. This definition, therefore, brings to our knowledge that some organizations may have experienced, for example, losing a USB with copies of personal data without recognizing that was a data breach. Most organizations have only considered hacking or ransomware attacks as data breaches, but it goes beyond just that.

Below are some potential data breach examples: 

• Losing a portable storage device (USB, flash drive, external hard disk, etc.), laptop, or other personal devices.
• Loss of hard copy files or papers containing personal details, or disclosure of these files to the incorrect recipient.
• Email errors–emails sent to incorrect addresses, the disclosure of the email addresses of large groups of recipients via carbon copy or attaching personal information inadvertently.
• External attack, access, loss, or disclosure on a third-party vendor implicating personal information for which the organization is responsible.
• Phishing, hacking, or other external attacks on an organization's information repositories.
• Unauthorized access by a staff member to files containing personal, health, or sensitive information.

Whatever the cause of the data breach, some form of harm can cause the organization’s employees and customers or clients. The harm may include financial, social, reputational, psychological, or physical impacts on an individual and reputational or financial damage to the organization itself.

Since data breaches are becoming more common, how a company responds to one can go a long way to maintaining its business reputation and keeping it from losing the trust of its customers, and avoiding or reducing hefty fines by regulatory authorities. As with any crisis, a quick and decisive response is critical. But here is the problem: most breaches go undetected for a long time. According to FireEye’s 2016 Report, it took organizations across the world an average of 146 days to detect a data breach. A separate report found 81 percent of data breaches are not detected until news reports, law enforcement notifications, or external fraud monitoring. The longer a breach goes undetected, the more harm it can do to your business.

Security breaches committed against you or an organization with access to your personal information are serious crimes and are understandably stressful to the victims. Most data protection laws require private organizations and government entities, which have access to or process personally identifiable information, to notify affected individuals in the event of a security or data breach. So, if you read about a data breach in a news report and are unsure if you are affected, you will probably be notified in the event of an emergency.

As stated clearly by VISA: “Because data compromises are often complex, it is challenging to make the rapid communication decisions needed to mitigate the potential harm of a breach. These situations are often further complicated by the reality that every data breach is different and there may be no precedent within your organization for responding. But the stakes for handling a breach effectively could not be higher, and the impact on your businessdepe - nding on a variety of factors - can be huge. The impact of a poorly handled breach can reach throughout your business in both the short and long term: bad press, lost sales, mitigation, and litigation, as well as the uphill battle to rebuild your reputation”

The first step is to identify the type of attack that occurred and which aspects of your data - personal information or organizational data - were potentially affected. If, for instance, the theft was to a company's payment system, then it is highly likely personal payment information would be at risk. Suppose a security breach got access to personal identification information, such as accessing ID-based information or details – such as passport, Ghana Card, Voter’s ID Card, or driver's license number. In that case, you could be the potential victim of identity theft.

According to the Cost of a Data Breach Report, data breach costs surged 13% from 2020 to 2022. You cannot afford to be unprepared for a data breach's aftermath. It is up to you to control the situation and protect your brand in the wake of a data breach’s potentially devastating hold on reputation and also to avoid hefty penalties by regulatory authorities or supervisory agencies.

Data breach response policies are essential for organizations of any size. A response policy should outline how your company will respond in the event of a data breach and lay out an action plan that will investigate potential breaches to mitigate damage when a breach occurs.

When an organization realizes a data breach; whether hackers took personal information from your corporate server, an insider stole customer information, or information was inadvertently exposed on your company’s website, you need to be strategic and tactical in dealing with the incident.

The following are some suggested steps elicited by The Federal Trade Commission (FTC) to take in dealing with a data breach:

1. Move quickly to secure your systems and fix vulnerabilities that may have caused the breach. The only thing worse than a data breach is multiple data breaches. Take steps so it does not happen again.
2. Secure physical areas potentially related to the breach. Lock them and change access codes, if needed.  
3. Mobilize your breach response team right away to prevent additional data loss. The exact steps to take depend on the breach and the structure of your business.
4. Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and nature of your company, they may include forensics, legal information security, information technology, operations, human resources, communications, investor relations, and management.
5. Stop additional data loss. Take all affected equipment offline immediately - but don’t turn any machines off until the forensic experts arrive. Closely monitor all entry and exit points, especially those involved in the breach.
6. Interview people who discovered the breach. Also, talk with anyone else who may know about it. If you have a customer service center, make sure the staff knows where to forward information that may aid your investigation of the breach. Document your investigation. 
7. Do not destroy evidence. Do not destroy any forensic evidence during your investigation and remediation.
8. Have a communications plan. Create a comprehensive plan that reaches all affected audiences - employees, customers, investors, business partners, and other stakeholders. Do not make misleading statements about the breach. And do not withhold key details that might help consumers protect themselves and their information. Also, do not publicly share information that might put consumers at further risk.
9. Anticipate questions that people will ask. Then, put top-tier questions and clear plain-language answers on your website where they are easy to find. Good communication up front can limit customers' concerns and frustration, saving your company time and money later.
10. Notify all appropriate authorities. Notify law enforcement agencies, Computer Emergency Response Teams, Cybersecurity Authorities, Data Protection Regulators, or authorities. The sooner law enforcement learns about the breach, the more effective and helpful they can be.

Author: Emmanuel K. Gadasu

(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions)

For comments, contact the author ekgadasu@gmail.com  or Mobile: +233243913077

Source: www.iipgh.org