Africa-Press – South-Africa. In terms of a new directive, the head of every government department is required to first explore cloud services before any on-premise infrastructure investment is made. On paper this sounds great. In practice it could have complications, say Faheema Rahim and Lwandise Mkam.
The Minister of Public Service and Administration, Ayanda Dlodlo, recently approved the Determination and Directive of the Usage of Cloud Computing Services in the Public Service.
The directive, which is addressed to the heads of all national and provincial departments, follows recent decisions by various countries across the globe including the United States of America to adopt cloud-based computing services in housing and processing government data and to outsource such services to central government-managed cloud service providers and/or private service providers.
The directive, which took effect on 2 February 2022, was issued in response to government’s desire to keep up to date with rapid developments in the information and communication technology sector, while recognising the need to ensure compliance with the Protection of Personal Information Act when processing personal information. The directive essentially seeks to provide guidance on the adoption and use of cloud computing services within national and provincial departments.
In terms of the directive, the head of every government department is required to first explore cloud services before any on-premise infrastructure investment is made. Furthermore, it provides that this option must be fit for purpose, and preference (not exclusive use) must be given to a private government cloud where the capability exists.
While this may seem like a great idea, it is important to consider whether adequate security measures can be implemented to protect personal information from “unauthorised” access and processing by foreign governments.
There is no doubt that when one considers which countries have the best technological expertise in the world, South Africa does not feature at the top of the list. Countries such as the US and China would feature amongst those with the best ICT sectors, with companies such as Huawei Technology Company Limited, International Business Machines Corporation at the forefront of digital transformation and offering top of the range bespoke information technology products and services. It follows that companies like Huawei and IBM would stand a good chance of being awarded tenders to provide cloud computing services to public entities.
However, one must take cognisance that although these multinational companies are able to meet client demands across the border in a seamless and effortless way, they may come with some issues related to the disclosure of personal information. The primary reason for this is that multinational companies are bound by laws of its own originating country, and must therefore comply with statutory obligations of their originating country when conducting business outside the borders of their country as well.
For example, the Foreign Intelligence Surveillance Act and the Clarifying Lawful Overseas Use of Data Act amongst others, permits the US government to compel US based electronic communications services providers and remote computing service providers (which include cloud computing service providers) to disclose its customers’ data where the data is in its possession, custody or under its control. Therefore, there is a risk that data containing personal information can be obtained upon compliance with certain procedural requirements contained in the underlying legislation.
Similarly, the Chinese 2014 Counter Espionage Law permits the Chinese government to compel any organisation or individual to provide information or evidence requested from them under the guise of maintaining national security and preventing espionage.
Having regard to the array of statutes that may compel multinational companies to disclose data which contains personal information of data subjects, it is prudent for South African government departments to ensure that the relevant departments push for the procurement of services where they are able to manage access to, and control the underlying cloud infrastructure including the network, server, operating system, storage and the individual application capabilities.
Although this is already contrary to what software as a service (or SaaS) encompasses. Further, government departments need to ensure adequate protection of personal information in circumstances where foreign governments are able to obtain data simply as a result of the service provider’s ownership structure.
The Directive does not adequately encapsulate how the above issues may be addressed and merely provides that the head of the relevant department must ensure that data always resides within the borders of South Africa, where that is not practically possible, that section 72 of the POPIA is complied with, which provides for the transfer of personal information outside of the Republic. It is hoped government departments will take into account the above issues and factor them in, in their contractual arrangements with third party international service providers.
Faheema Rahim is an Associate in the Corporate Commercial Department, and Lwandise Mkam is a Candidate Attorney in the Mergers and Acquisitions Department at TGR Attorneys.
For More News And Analysis About South-Africa Follow Africa-Press
