The South African Department of Public Service and Administration (DPSA) has gazetted a directive on cloud computing in the public service.
In essence, the directive instructs government departments on adopting, using, managing, scaling, and terminating cloud services.
I’ve written this post for government departments and cloud service providers who need help complying with the directive. At the end of the post, you should know what the directive requires from you.
To whom does the directive apply?
The DPSA wrote this directive for all government departments and their personnel. They must follow the directive whenever they want to use cloud services to store or process government data.
It’s also useful for cloud service providers, who can gauge what departments will require of them when bidding to provide cloud services and when negotiating the contracts that follow a successful bid.
When does the directive start applying?
14 January 2022.
The directive’s general requirements
- Departments must explore cloud services before considering on-premises alternatives.
- If they want to use cloud services, they must ensure that the service is fit for purpose and appropriate to the specific department’s needs. For example, if Home Affairs needed cloud services to store and access death certificate records, it would be inappropriate to use a provider that doesn’t offer those services. The example may seem obvious, but poor decisions have left departments without functional solutions and have bled taxpayer money.
- The relevant head of department (HoD) must ensure that the department follows the proper procurement processes.
- A department must base its need for cloud services on operational requirements.
- Before acquiring and deploying cloud services, departments must submit an approved Business Case and Risk Assessment to the DPSA.
Before getting cloud services
Cloud Readiness Assessment
Departments must conduct a Cloud Readiness Assessment before moving to cloud services.
Data requirements
- Departments must classify data according to the South African government’s national information security policy: Minimum Information Security Standards (MISS).
- The data classification determines which cloud deployment model (public, hybrid, community or private) a department may use.
- Data must reside within South Africa. Where this is not practically possible, the cloud service provider must comply with section 72 of POPIA, which governs transfers of personal information outside South Africa.
Risk Assessment
A department needs to conduct a Risk Assessment for each cloud service it intends to utilise.
Business Case
Departments must develop a Business Case that at least includes:
- The scope of the cloud services;
- The budget over the short, medium and long term;
- The total cost of ownership over the medium and long term;
- The human resource skills needed to support the cloud services;
- The infrastructure required to enable the proper operation of the cloud service (broadband connectivity, etc.);
- The intended benefit to the department through the use of the cloud service; &
- The detailed outcome of the Risk Assessment, a summary of the key risks, and the recommendations for mitigation.
Crucially, the DPSA must approve the Business Case before the department uses cloud services, and the department must review the Business Case regularly.
The contract between a department & cloud service provider
At a minimum, the contract must:
- state that the department owns its data;
- provide that the service provider will maintain, back up, and secure all data until returned to the department;
- stipulate that the parties will comply with POPIA;
- identify where the provider will store and process data;
- confine data storage and processing to locations that will empower the department to keep adequate control over the data;
- set out governing law and jurisdiction;
- deal with the safe return or transfer of data should the provider be the subject of a takeover; &
- stipulate what will happen with the data when the contract ends.
While using cloud services
- Information security. A department must secure data in line with its information security policy.
- Access rights. A department must review data access rights regularly.
- Scaling cloud services. Departmental officials may only scale cloud services with proper authorisation.
- Asset inventory. Departments must develop and maintain an asset inventory of data or applications.
- Business continuity plans. Once a provider implements cloud services, departments must update their business continuity plans and conduct regular business continuity testing.
- Backups. The HoD must put mechanisms in place to back up departmental data, and departments must review backups regularly.
After terminating cloud services
Departments must ensure that the service provider transfers all departmental data and applications to the new provider. Alternatively, at the department’s election, the provider must return or destroy the department’s data or applications.
Actions you can take
- Discover more about cloud contracts, the associated risks, what the law requires they contain, and how to draft them by buying our Cloud Contracts Guide.
- Manage the relationship with your customers or end-users by asking us to draft your cloud terms or contracts.
- Find out more about cloud computing governance, risk and compliance, including cloud compliance.
- Secure information by asking us to draft you a robust information security policy.