- Any data generated in South Africa is the property of South Africa, according to a new draft policy intended to guide legislation.
- Local copies must be kept of any exported data, the draft National Data and Cloud Policy holds, for purposes of law enforcement.
- Big data centres and critical backbone infrastructure should be declared national strategic assets, the document says, to ensure data sovereignty and to guard national security.
South African data belongs to South Africa, according to a new draft policy, and if any is legally exported, copies must remain in SA for use by the police.
The National Data and Cloud Policy, published last week for public comment, is not clear on exactly how government would enforce compliance with such rules. But national security and the need for data sovereignty demands changes to legislation, it says, in part to weaken the grip of foreign "mega technological digital companies".
A solid plan on data and its handling is also critical for "social and economic growth", holds the document, which is intended to influence policy and lawmaking in general into the future.
While it calls for specific action mostly by the government, the document is intended to apply to businesses and private individuals too.
The "data generated in Africa and South Africa is mostly stored in foreign lands and, where stored locally, is owned by international technology giant companies," says the document.
While exporting some types of data can be done legally, "a copy of such data must be stored in South Africa for the purposes of law enforcement".
But critical data, the draft demands, must be stored and processed only in South Africa, while "[d]ata generated in South Africa shall be the property of South Africa, regardless of where the technology company is domiciled."
At the same time the document calls for "the South African Government to play a more central role in the collection, dissemination, and analysis of data, understanding that key economic advantages are contained within it".
That starts with the data the government owns and generates – but the private sector should also be made to share with the government data that "could enhance government’s planning and service delivery capability, without infringing on the rights of citizens".
Such data should be kept and processed in a government High-Performance Computing and Data Processing Centre (HPCDPC), the draft policy suggests, with double backups to the entire centre to guard against attack.
At the same time "digital infrastructure of critical scale should be declared a national strategic asset, and data centres hosting critical cloud computing (including core network points of presence) should be declared national critical information infrastructure."
The policy does detail what would happen to privately-owned infrastructure that falls under such a designation. Longstanding similar provisions for non-digital infrastructure designated national keypoints allows the government to review security arrangements, and demand that owners beef up security in specific ways, at their own expense.
(Compiled by Phillip de Wet)
