South Africa’s newly released national cloud and data policy has moved away from the idea that all spheres of government should use a single, government-owned data centre for their IT needs.

This marks a shift in approach from a draft version of the policy, which was published in 2021.

The new policy document, believed to be final and which was published on Friday, still advocates for government to adopt a cloud-first data strategy, but gives public sector institutions the leeway to choose their own private cloud vendors. The State IT Agency (Sita) will, however, serve as a facilitator that will “ensure the development and monitoring of service-level agreements” between various arms of government and private service providers.

Moving all government’s IT services to the cloud is a key tenet of the national cloud and data policy, as its authors believe it should create the platform for interoperability between various government entities, providing a richer set of digital services to citizens. “South Africa must develop the capacity to exploit fully the opportunities presented by a data-driven economy,” the policy document reads.

Livia Dyer, regulatory specialist and partner at DLA Piper, has commended the final version of the policy, saying government has taken note of the inputs by various stakeholders and adopted a more “practical” approach in this version compared to 2021’s draft.

“Clearly, they’ve taken a lot of input and the ideas that were criticised around data centres and data sovereignty have been walked back. They acknowledge they don’t have the expertise or the money to hire the expertise required, but that private data centre service providers do have these resources,” said Dyer.

‘Sensible’

“There is a provision, however, that data centre infrastructure used by government entities must be in-country. But this is sensible.”

Other areas the policy is focused on include:

Enhancing government data security through “the establishment of data protection protocols in terms of the Protection of Personal Information Act”;
Digital transformation of state entities;
Improved public service delivery;
Economic growth; and
Enhanced collaboration between government entities.

The policy is wide-ranging in its application and will affect legislation — everything from Popia to the Minimum Information Security Standards Act to the Electronic Communications Act and the Cybercrimes Act. The Competition Commission and its guiding legislation, the Competition Act, are given special mention in the document in relation to the state of competition in the cloud services market.

Read: Minister sets new dates for 2G, 3G shutdown in South Africa

“The Competition Commission shall consider reviewing and potentially augmenting the Competition Act in relation to the data and cloud market, where empirical evidence indicates that the current law is inadequate to address competition issues in these markets,” said the document.

However, Dyer said that the policy document is a representation of government’s intended direction and is not binding on any regulatory body. When making a decision, she said, regulators may decide to go in a different direction, but they would have to deliberate on that and give reasons explaining the diversion from the official policy.

According to Dyer, the policy doesn’t require regulatory changes to be made. “Better implementation of current legislation and a rationalisation of resources is what is important,” she said.

One of the policy’s directives, relating to research and development by the state, raises questions about its practicality given South Africa’s weak fiscal position.

The national fiscus is under severe strain, while government debt continues to climb, yet the policy proposes that government increases R&D spending “with a focus on supporting innovation and technology development”.

According to the policy, this will be done by ensuring the Technology Innovation Agency is “adequately funded and capacitated to support South African innovators”.

Details of the size of these proposed allocations and where the money is going to come from are not set out.

The policy also proposes the creation of additional bureaucratic structures, including a data advisory council consisting of “public and private representatives including academia” to advise the communications minister on data-related issues. A Data and Cloud Technical Implementation Task Team, made up of representatives from various government entities, will also be formed.