The Department of Public Service and Administration has published a Determination and Directive on the Usage of Cloud Computing Services in the Public Service. This provides guidelines to public bodies on the use of cloud computing services and applies to cloud services where government data is either stored or processed.
Before 13 July 2022, the head of departments of all public bodies must ensure that all requirements in the Determination and Directive are met. These include:
- Where a cloud service has been implemented, a risk assessment must be conducted and tabled at the departmental risk committee.
- In general, a public body must explore the use of cloud services before investing in any on-premise infrastructure.
- The Determination and Directive provides that preference should be given to private government cloud where available. Further, general guidance is provided regarding the procurement process to be followed.
- Before transitioning to a cloud computing service, a public body must utilise the Cloud Readiness Assessment Checklist found in the Determination and Directive in order to ensure that it is ready to make the transition.
- Before entering into agreements with cloud providers, the head of department of a public body is required to draft a business case for the outsourcing project.
- Public bodies must take steps to classify data and ensure where practically possible, data reside within the borders of South Africa. Where not possible, public bodies must ensure that section 72 of the Protection of Personal Information Act, 2013 (“POPIA”) is complied with.
- The head of department must also ensure that all medium-term contracts (contracts of three to five years) entered into between the public body and cloud service providers include provisions for early termination by the public body.
- In addition, the contracts should include provisions around data ownership rights, the maintenance and back-up of data, compliance with POPIA, identify the actual geographic locations where data storage and processing will occur, the governing law, and the safe return/transfer of data.
- It is also important for public bodies to ensure that the security of data in cloud computing services is in line with existing departmental information security policies. Access rights should be regularly reviewed, data must be backed-up regularly and reviewed to ensure minimal data loss, an inventory of assets must be developed and maintained, and business continuity plans must be updated and tested.
This Determination and Directive will encourage public bodies to use cloud computing services while also establishing proper protocols and standards for public bodies to follow.