Innovation and growth at a crucial time

South Africa published the National Cloud and Data Policy on 30 May. This follows the April 2021 controversial draft policy and written submissions from a range of stakeholders that criticised the conflation of infrastructure, data and digital economy issues and implications of the regulatory recommendations. The policy represents a turn from the draft policy, and offers a reasoned strategic framework for managing, storing, and utilising data across government agencies, private sectors, and other stakeholders.

The policy emphasises data-led innovation and growth at a time when the country looks to grow its stake in regional and international digital trade. It comes at a crucial time of transition and opportunity for South Africa.

Amongst the pronouncements is that government departments shall prioritise cloud services as the primary option for new ICT procurement and that data security and data protection policies and laws will be revised to respond to emerging digital harms. The implications are wide ranging, the policy calls to action all sectors to contribute to South Africa’s data led future including sector led approaches to data governance, data access and infrastructure regulation.

According to the policy ‘South Africa must develop the capacity to fully exploit the opportunities presented by a data-driven economy. To fully benefit from the digital economy, investment in broadband infrastructure, data centres, and associated technologies such as cloud computing is necessary.’

Significance of the policy

Policy Ambitions

• Data Driven Growth: It looks to harness the economic and social potential of data and cloud computing by promoting data-driven decision-making and creating data-based tradable goods and services, in an emerging digital economy in South Africa.
• Open Data Infrastructure: It requires South Africa’s data infrastructure be based on open standards and systems, including open-source frameworks, rather than closed and exclusive systems.
• Policy and regulatory measures to build confidence and trust: It intends to usher investments in data infrastructure through confidence in IT security protocols, cybersecurity measures, and a data governance framework that supports an open data approach. The policy advocates a sharing economy that benefits data ecosystem partners while protecting citizens, customers, and partners.
• Private and Public Sector Data Driven Innovation: It looks to catalyse the development of a data-driven ‘ecosystem’ recognising dependencies across the public and private sector to achieve the digital economy, digital trade and digital society and delivers benefits across the ecosystem.
• International and Regional Digital Trade enabled by data free flows across borders: It is a turn from the draft with a firm recognition that data-sharing across different jurisdictions is beneficial to country economies referencing regional initiatives such as the African Continental Free Trade Area (ACfTA) and the African Single Digital Market that will rely significantly on data-sharing within different jurisdictions. Under the policy: these initiatives must be supported by a regulatory regime that creates confidence, consistency, certainty and reliability. South Africa’s data sovereignty must be balanced with a cross-border data transfer regime that enables collaborative partnerships with regional, continental and other global partners.

?4 Levers:

The policy prioritises 4 levers to achieve its objectives. These will be the primary points of engagement for government’s partners.??

1. Accelerating the rollout of digital infrastructure to ensure fast, secure, and reliable broadband connectivity.
2. Ensuring data privacy and security.
3. Promoting open data and data interoperability.
4. Adopting a cloud-first approach. The policy calls for collaboration among multiple stakeholders, including government agencies, the private sector, civil society organisations, and international partners. Critical enablers are qualified as: adequate funding, stakeholder engagement, and capacitation of the State Information Technology Agency (SITA).

?4 Key Institutions:

The policy names the following as the prominent institutions for implementing its recommendations:

• SITA
• Information Regulator
• Cybersecurity Hub
• Competition Commission

The State Information Technology Agency (SITA) is named as the responsible authority to source data infrastructure and cloud services for the government. SITA will ensure the development and monitoring of service level agreements that guarantee consistent, reliable, and secure data and cloud services for the government. To align with the policy and for regulatory certainty the SLAs will likely require:? Data centres to display or be able to provide verifiable certification credentials to all potential customers. Data centres used by the government comply with a fault-tolerant design that provides a minimum uptime of 99.995%. Data centres can self-provision electricity and water for continuous operation and reduce their dependence on the national grids.

4 Key Regulations:

The policy names the following as the key regulation for amendment to deliver on the policy levers:

●?????? SITA Act

●?????? Data Protection Act

●?????? Competition Act

●?????? Minimum Information Security Standards

Outlook: Credibility and Future Direction of the Policy

SITA: The policy assures that SITA will be adequately capacitated and resourced to fulfil its responsibilities. It’s a promise the government will need to make good on as the primary dependency of this policy is now the institutional strengthening of SITA. Confidence in the state IT agency has declined over time and SITA will need to demonstrate a significant turnaround.

Regional Influence: The policy signals regional collaboration with and influence from initiatives such as the African Continental Free Trade Area, (AfCFTA), the African Single Digital Market. Developments in digital trade protocols will impact South Africa’s stance, regulation and standards setting and will need to be monitored closely for impacts. This is a positive alignment in the regional digital trade reform agenda and affirms South Africa’s regional commitments.

PAIA: The policy signals the Promotion of Access to Information Act (2000), PAIA, as ‘a pivotal shift’ for open societies. This Act empowers citizens to scrutinise government decisions, ensuring accountability and fostering an open society. Whilst the policy does not enter discourse on data infrastructure, digital divides and digital rights - PAIA is the law at the intersection of data accountability and transparency and PAIA must be reviewed for its powers to facilitate transparent and accountable data access and reuse.

PAMA: The policy refers to the 2014 Public Administration Management Act of (2014) (PAMA) as the law for integrated information management and to enhance interoperability across government systems, fostering seamless information sharing and collaborative governance. Revisiting PAMA’s relevance in the age of autonomous, algorithmic and automated decision making and understanding the governance of government’s use of emerging technologies including artificial intelligence will be key.

Security Standards: ?The policy recognises the need for cybersecurity-by-design that engenders digital trust and encourages and supports investments needed for a robust and sustainable digital economy.?It points to the Minimum Information Security Standards (MISS) as the guiding framework for access to government data, subject to updates. There is a misstep in the appointed institutional leadership of this process. SITA is tasked to monitor access to government data through the MISS and drive the implementation of the government's e-Strategy. This policy overlooks existing capability in the Cybersecurity Hub, the Public Service Administration and does not reconcile the Communications and Digital Technologies Department mandate.

Data Governance: ?Here the policy is near the mark but misses the opportunity to reference SA’s open government commitments and does not commit government to an intervention that is time based or measurable. Which departments will pilot? The policy clarifies that South African Revenue Services and Statistics South Africa shall retain their data access governance requirements in accordance with their legislation, but both institutions will need their data access and governance powers to be expanded if they are to be the data intermediaries needed in the data driven sharing economy. While the policy calls on the DPSA to develop norms and standards and a Data Advisory Council, a comprehensive Data Governance Framework is needed to deliver the open data, data for development and data driven ambition of this policy.

Opportunity for Sectors: Sector specific regulators, supported by policy from relevant departments, are called on to develop regulatory frameworks to support the cloud and data-based digital technologies and technology adoption in their specific sectors. This is an excellent opportunity for sectors to define their digital opportunity and conducive digital governance approach.

Green Data Centres: The policy appoints significance to sustainability in its diagnostic approach and permits data centres to self-provision energy and water to reduce reliance on the national grid. There is an opportunity to develop this diagnostic into a host of 'green' engineering and construction decisions beyond permission to self-provision electricity and water. South Africa must build momentum in operationalising sustainable data infrastructure including building alignment between digital infrastructure policy and energy policy: recognising the inherent dependencies and the crucial need to incentivise green infrastructure.

Our Digital Policy and Regulation practice is leading our sectoral engagement on the National Data and Cloud Policy.? Please address your queries and requests for analysis of policy impacts to: Email: [email protected]

?

?

?