The South African National Policy on Data and Cloud was published in May 2024. Data is at the heart of everything and so it is hard to imagine a more important government policy. If South Africa gets its government policy right it can have an enormously positive impact on the country – get it wrong and the opposite will be true.

Unfortunately, the national data and cloud policy is not in plain language and is difficult to read. Everyone should be able to read and understand government policy. The purpose of this article is to help you understand what it says by writing it in plain language. This is often hard because it is so poorly written. Once you can understand it, you can take action. We have also added some of our comments and insights.

The national data and cloud policy of South Africa is really important because government policy sets the agenda for the legal and regulatory landscape. It contains high-level government strategic policy decisions and statements. It impacts everything and is the highest level of regulatory instruments. Policy leads to white papers and discussion documents, to bills and finally to laws or Acts passed by Parliament. A change in policy often leads to a change in existing laws (like POPIA, the ECT Act and others). Don’t confuse government policy with an organisation’s policies and procedures.

Insights

Overall, the South African National Policy on Data and the Cloud is a forward-looking initiative that seeks to harness the power of data and cloud technologies for national development. By addressing key areas such as economic growth, public service delivery, data security, and regulatory compliance, the policy aims to create a thriving digital environment that benefits all South Africans.

The history of the national data and cloud policy of South Africa

The minister had initially invited you to comment on the draft policy by 18 May 2021, but this has now been extended to 11 June 2021. If this policy impacts you, accept the invitation and comment. The Minister of the Department of Communications and Digital Technologies (DCDT) invited stakeholders to comment on the draft policy by 18 May 2021, with the deadline later extended to 11 June 2021. Following this consultation period, the final policy was published in May 2024. If this policy impacts you, it is important to review and determine the impact of the final version on your organisation.

The purpose of the National Policy on Data and Cloud

The policy aims to enable South Africans to realise the socio-economic value of data. It outlines the government’s position on cloud-based, long-term, data storage and compute requirements while establishing the governance mechanisms needed to support these initiatives. The policy seeks to ensure that we use data to drive innovation, economic growth, and improved public services, all while maintaining strict standards for data security and privacy.

“The policy aims to create an enabling environment for the use and provision of data and cloud services to ensure socio-economic development and inclusivity. The specific objectives of this policy are to:

  • Promote connectivity and access to data and cloud services.
  • Address the government’s long-term data storage and processing requirements.
  • Create a Data Trust environment through data privacy protection and cybersecurity measures.
  • Promote standardisation of compliance in respect of data and cloud computing.
  • Provide clarity on cross-border transfers and data sovereignty.
  • Ensure consumer protection in the use of data and cloud services.
  • Establish institutional mechanisms for the governance of data and cloud services.
  • Support the development of Small, Medium, and Micro Enterprises (SMMEs).
  • Facilitate capacity development to enable and expand the use of data and cloud services.
  • Encourage research, innovation, and human capital development.” (point 10)

Who does the National Data and Cloud Policy apply to?

The policy applies to everyone – all three levels of government, organisations of state, public enterprises, the private sector and the general public and individual citizens. It impacts everyone in the country.

The biggest impact will be on the IT sector, network operators, electronic communications providers, data centres, data service providers and cloud services providers.

The difference between a policy intervention and proposal

A policy intervention refers to an active measure or action that is currently being implemented or enforced by a government, organization, or institution to address a specific issue or achieve a desired outcome. A policy proposal is a suggested plan or idea for a policy that is being developed, debated, or considered but has not yet been approved or implemented. A policy intervention is something already in motion, while a policy proposal is an idea waiting to be put into action.

What is the government setting policy on?

Below is a plain language summary of the policy interventions and proposals found in section 15 of the policy. Our comments are in [square brackets].

Policy interventions

  1. Government will galvanize resources towards achieving 100% broadband coverage by 2030 to ensure broadband access for all South Africans.
  2. Government will store its data in unified, cloud-enabled data centers (including redundancies) to facilitate data-sharing, interoperable systems, scalability, and cost optimization.
  3. SITA will source data infrastructure and cloud services for the government, including SLAs. Government will capacitate and resource SITA.
  4. Minimum Information Security Standards (MISS) will guide access to government data. Government will update MISS. Organisations (such as the South African Revenue Services (SARS) and Statistics South Africa (StatsSA)) must also govern access to their data following their legislation.
  5. SITA will drive the adoption of digital government, with respective national and provincial departments running and managing their applications. [See the Digital Government Policy Framework]
  6. Data centres must:
    1. be built and operated in adherence to environmental legislation and building by-laws,
    2. not be built in restricted areas,
    3. not be located in areas prone to natural disasters or social disturbances,
    4. have verifiable certification credentials,
    5. have a minimum uptime of 99.995% for government,
    6. prioritise their own electricity and water supply.

Policy proposals

  1. Government and private infrastructure providers must provide universal access to connectivity and not discriminate.
  2. [This proposal is a duplicate of the second intervention.]
  3. In addition to the interventions, SITA will monitor access to government data through MISS and drive the implementation of the government’s e-Strategy.
  4. Government must prioritise cloud services as the primary option for new ICT procurement.
  5. Data centre operators shall provide their own electricity and water supply as backup for their energy and cooling requirements.

Policy interventions

  1. Government should primarily procure services from SMMEs to capture or convert all government data to digital format.
  2. Government must develop an Open Data Framework to enable access to government data by everyone, whilst still complying with existing data protection policies and legislation. [Similar to Ireland’s Open Data Strategy.]
  3. Government will establish a Data for Development Framework for timely, accurate, private sector data that’s accessible to SMMEs, startups, and citizens.
  4. Government shall provide resources and capacity to promote digital economic inclusion.

Policy proposals

  1. Government must classify their digital data into categories. public or open data, confidential or sensitive data, secret and top secret.
  2. Government will ensure access to data does not expire and all public or open data remains accessible.
  3. The public will enjoy on-demand access to data stored in the cloud.
  4. The private sector must make data available for development whilst complying with applicable data protection legislation (like POPIA).
  5. Any regulations Government proclaims to promote digital inclusion must consider social obligations, including free data for indigent persons and households.

Policy interventions

  1. Government must resource and capacity data protection authorities (like the information regulator) to perform their functions.
    1. Investigate, charge, and prosecute individuals involved in data breaches.
    2. Conduct awareness campaigns to help citizens understand and assert their rights concerning their data.
    3. Review and adapt data security and data protection legislation (like POPIA) and policies.
    4. Conduct periodic assessments of organisations.
  2. The Minister must adequately capacitate and strengthen the Cybersecurity Hub to respond to threats and risks associated with digitisation. [Cybersecurity Bill is relevant.]
  3. Government must use digital technologies that incorporate cybersecurity-by-design principles over the full data lifecycle.
  4. Government must prioritise signing and ratifying treaties and conventions that combat cybercrimes, guided by the Framework Document on South Africa’s National Interest and its advancement in the Global Environment. [Cybercrimes Act is relevant]

Policy proposals

  1. Government and private sector must take appropriate security measures and uphold South African data protection laws (like POPIA) and protocols regards data and cloud services.
  2. Government, along with data and cloud service providers, must ensure robust data and cloud security measures are in place to mitigate cyber-attacks and data privacy violations. [Cybercrimes Act is relevant]
  3. All public bodies responsible for protecting personal and government data must conduct public awareness campaigns.

Policy interventions

  1. Anyone processing data collected within the borders of South Africa must comply with South African data protection (like POPIA) and security laws (like the Cybersecurity Bill) and policies. [See our post on who must comply with POPIA.]
  2. Everyone must only store government data related to national security or sovereignty on digital infrastructure in South Africa. [This is effectively a data localisation or data sovereignty law]
  3. Government must pursue cross-border data transfers and sharing agreements that achieve certain outcomes.
    1. Promote national interests, including socio-economic development, security, and sovereignty.
    2. Comply with the data protection (like POPIA) and security laws (like the Cybersecurity Bill) and policies of South Africa.
    3. Enhance mutually beneficial cooperation for all parties.
    4. Give effect to the African Continental Free Trade Area (AfCFTA), Southern African Customs Union, Single Digital African Market, and AU and SADC protocols.

Policy proposals

  1. Anyone processing (including cross-border data-sharing) national data must comply with South African data protection (like POPIA) and security laws (like the Cybersecurity Bill) and  policies. [It is not clear what national data is]

Policy interventions

  1. Government must develop skills and retain people in the changing digital and technology environment. [Michalsons has been increasing the legal ICT skills of people for years through its legal training and programmes. And would love to partner with government to do more.]
  2. Schools must incorporate digital literacy and technologies across the learning ecosystem, and government will ensure adequate funding.
  3. The Media, Information and Communication Technologies Sector Education and Training Authority (MICT-SETA) must consistently conduct skills surveys in the sector.
  4. The National School of Government and other identified partners should develop and adapt digital skills programs.
  5. Memoranda of Understanding (MOUs) with international partners must prioritise unemployed youth and graduates, women, and people with disabilities.
  6. The Minister must support only those Equity Equivalent Investment Programmes skills interventions that are accredited and prioritise these groups.

Policy Proposals

  1. Government and private sector must provide skills and capacity development programmes to equip individuals and organisations with the knowledge and expertise to leverage cloud-based technologies.
  2. The private sector should provide support and assistance.

Policy Interventions

  1. The Competition Commission may review and augment the Competition Act regarding the data and cloud market.
  2. The Competition Commission must conduct studies in the data centre and cloud services markets to identify potential anti-competitive trends and behaviour.
  3. Cloud service providers must be transparent about data portability, interoperability costs, and technical implications to help customers make informed decisions and promote fair competition.
  4. Everyone must encourage competition among data and cloud service providers to foster competitive and innovative offerings and reduce consumer costs.
  5. Providers must support different architectures and operating systems to offer a variety of options for the public.

Policy proposal

  1. Government must encourage more investment in data centre and cloud services.

Policy Interventions

  1. The Department of Science and Innovation (DSI) and the Department of Communications and Digital Technologies (DCDT) are responsible for R&D on big data and cloud computing, in line with the business model for data and cloud research in the White Paper on Science, Technology, and Innovation.
  2. Government must increase R&D spending with a focus on supporting innovation and technology development.
  3. Academia, research institutions, and innovation hubs must collaborate with the government to use new technologies to build world-class data centres and cloud capabilities.

Policy proposal

  1. South Africa must continue to encourage investment in R&D.

Policy Interventions

  1. The DCDT Minister must establish the Advisory Council consisting of private and public representatives to take action.
    1. Ensure collaboration among the different initiatives and investments in data centres and cloud technologies.
    2. Enhance data management standards, guidelines, best practices, and the use of data for innovation and economic activities.
    3. Provide technical support and assistance, including awareness programmes.
    4. Provide input in the development of a regulatory framework for managing data and cloud services.
    5. Advise on strategic data sets that support innovation, the economy, and service delivery.
    6. Develop an Interoperability Framework between government and other key stakeholders.
    7. Advise on any other matter relevant to implementing or reviewing this policy.
  2. Sector-specific regulators must develop regulatory frameworks to support cloud and data-based digital technologies and technology adoption in their sectors.
  3. The Department of Public Service and Administration (DPSA) must develop norms and standards for data and cloud services in public service.
  4. SITA shall develop guidelines and technical standards to ensure the government gets the best, affordable data centres and cloud service in the market.

Policy Proposal

  1. Government and relevant regulators must develop specific regulatory frameworks, guidelines, norms and standards in support of this policy.

Actions you can take

  • Determine how the National Data and Cloud Policy impacts your organisation by asking Michalsons for advice.
  • Know more about cloud compliance by reading about it.
  • Govern cloud computing, manage associated risks and comply with laws that apply to cloud computing by reading about how we can help.
  • Find out more about it by attending a public webinar specifically on the topic or asking us to present a private version just for your organisation.
  • Read the full text by downloading the National Policy on Data and Cloud.