More questions than answers around the draft national policy on data and cloud


Legal, ethical and technological factors are paramount in handling petabytes of information

The South African Draft National Policy on Data and Cloud, which was announced in April 2021, has raised some important questions for individuals and companies.

“It is a lot of data. Varied in type, source, location, and structure. It is an incredibly wide scope that already introduces its share of concerns and limitations,” says Mark Walker, associate vice president for Sub-Saharan Africa at IDC Middle East, Africa, and Turkey. “It’s also influenced by how it is classified, the regulatory elements that influence it – from GDPR to Popia to the 150 other privacy protection regulations globally. This is not a task that can be easily achieved.”

According to Mark, the first step in making the policy possible would be to classify the data and its origin, for example government, private or public data. Such an exercise requires a fair amount of investment of money and time as well as the right expertise to ascertain how the data can be classified against individual privacy mandates and corporate privacy requirements, and then it would need to ensure that any data usage would conform to industry or societal acts.

“If you take a blunt reading of the policy, it is saying that all data has to pass through government data centres and it is tracked from there,” says Mark. “This is possible. The government can dig in and track data, but only if they get an order from a judge and there is good reasoning behind it. There’s a lot of legislation in place to protect data and privacy, dictating when information can be intercepted and used.”
Technology is another factor that needs to be considered.

“Enterprises get hacked, even with the latest tools, services, and technology at their disposal,” says Mark. “It means that government will have to invest in a security posture that is second to none. An impenetrable wall of security systems, training and access management designed to protect the tons of data generated by the country every day.”

Another challenge facing the government in the implementation of the policy is perception and the expected value to people and companies.

“On the noble side, this policy is framed around the idea that the government can use the data to better care for its citizenry and deliver improved services,” says Mark. “The data could be used to improve everything from healthcare to education to social services. It is a great concept with solid, well-meant intentions, but the darker side is a concern. Surveillance of people’s movements, seeing what relationships exist – these are infringements on personal privacy so the government would need to agree to limitations on the data’s usage and access.”

The policy brings a number of considerations to the fore, covering judicial aspects, ethics, technology and usage. Privacy and usage concerns are valid, and the data would have to pass through a legal filter. The technology would have to be capable of managing the petabytes of information and ensuring it is classified and stored correctly. Security would have to be capable of handling intense scrutiny.

Taking these factors into consideration, Mark says that there are currently not enough mechanisms in place to ensure the security, privacy, and ethical use of the data if this policy were put in place today.

Related articles

How and where will the future CIO work?

What is the workforce of the future? Who will be doing the work? And where will you be doing work? During a discussion with Eskom CIO Faith Burn at the 2024 CIO Day, Investec CIO Shabhana Thaver discussed the role of IT in shaping future work.

Warren Hero joins SARS as new CDO

The 2023 CIO Awards winner will be responsible for designing the South African Revenue Services’ business model for antifragile digital transformation.