The South African Draft National Policy on Data and Cloud announced on 01 April 2021 has done more than startle the country.
It has presented company, individual, and analysts with some very important questions. How can the country grab all the data generated by all the people and companies within its remit? How can this be done securely, and managed intelligently?
According to Mark Walker, associate vice-president; sub-Saharan Africa at IDC Middle East, Africa, and Turkey, these are just some of the questions that government has to answer before the policy can even begin to gain validity.
“It is a lot of data. Varied in type, source, location, and structure. It is an incredibly wide scope that already introduces its share of concerns and limitations,” he says. “It’s also influenced by how it is classified, the regulatory elements that influence it – from GDPR to POPIA to the 150 other privacy protection regulations globally. This is not a task that can be easily achieved.”
The first step in making the policy possible would be to classify the data. Where specifically would this data be coming from – is it under the government domain, is it private data, or is it public data? This is a significant exercise that will cost the government both time and money. The right expertise would have to be pulled in to unpack how this data would be classified against individual privacy mandates and corporate privacy requirements, and then it would need to ensure that any data usage would conform to industry or societal acts.
“If you take a blunt reading of the policy, it is saying that all data has to pass through government data centres and it is tracked from there,” says Walker. “This is possible. The government can dig in and track data, but only if they get an order from a judge and there is good reasoning behind it. There’s a lot of legislation in place to protect data and privacy, dictating when information can be intercepted and used. A lot of legal potholes dodged to ensure that the law is conformed to put these plans in place.”
So, on the legal and social front, the proposed policy is already sitting up against a complicated wall that will cost to climb or tear down. But it is not the only complexity that has to be considered. The other is technology. If enterprises with big budgets and best-in-class technology are struggling to navigate the cybersecurity threat landscape, the government is not in an ideal position to suddenly store petabytes of delicate data behind its fragile walls.
“Enterprises get hacked, even with the latest tools, services, and technology at their disposal,” says Walker. “It means that government will have to invest in a security posture that is second to none. An impenetrable wall of security systems, training and access management designed to protect the tons of data generated by the country every day.”
Another challenge facing the government in the implementation of this policy is perception. Beyond the security, the current corruption shadow, and the logistics of structuring and storing the data lies the country’s questions around privacy. Why is this policy being put in place? What value does it deliver to citizens and companies?
“On the noble side, this policy is framed around the idea that the government can use the data to better care for its citizenry and deliver improved services,” says Walker. “The data could be used to improve everything from healthcare to education to social services. It is a great concept with solid, well-meant intentions, but the darker side is a concern. Surveillance of people’s movements, seeing what relationships exist – these are infringements on personal privacy so the government would need to agree to limitations on the data’s usage and access.”
The policy has raised more questions than it appears to answer at this stage. From the judicial aspect to ethics to technology to usage. Privacy and usage concerns are valid, and the data would have to pass through a legal filter to ensure that everything is above board, an expensive legal filter. The technology would have to be capable of managing the petabytes of information and ensuring it is classified and stored correctly. Security would have to be extraordinary, and capable of handling intense scrutiny. And there would need to be a line of sight into who would be in charge of the different elements of security, storage, and data dissemination.
“The tax base that would be used to fund this policy could be better used for improving society and the provision of basic infrastructure, healthcare, and education,” concludes Walker. “Because, for now, there are not enough mechanisms in place to ensure the security, privacy, and ethical use of the data if this policy were put in place today.”