When the Protection of Personal Information Act (PoPIA) came into effect last year, organisations had a year’s grace to become compliant. This grace period ends on June 30, 2021, leaving the public sector with a looming deadline it will find hard to meet, says Gomedi Makhongoana, Public Sector Director, Oracle South Africa.
“The public sector holds large volumes of data, much of it extremely sensitive, but lacks many of the resources needed to protect that data in line with PoPIA’s requirements,” he says. “The impact of Covid-19 on the state’s readiness for PoPIA also cannot be underestimated. Personnel have been diverted to the immediate task of getting more business processes online and enabling people to work from home. Budgets have also been adjusted substantially to accommodate Covid-19 relief spending.”
He says that technology, and particularly the cloud, is the enabler that will help the government overcome its challenges. “The smart thing to do is leverage the experience and skills of vendors like Oracle.”
A widely held misconception about data sovereignty has played a role in the initial reluctance of public sector organisations to use the cloud, adds Sandhya Ramdhany, Legal Director, Oracle South Africa. “PoPIA does not prohibit sensitive personal data from being held in datacentres out of the country. Section 72 of the PoPI Act explicitly allows it, subject to certain safeguards. Provided the data is held in a jurisdiction that has similar (or stronger) legislative protection for data, there is no problem,” she says.
For example, European Union (EU) data centres can safely and legally hold sensitive South African data because the EU’s General Data Protection Regulation (GDPR) was, in fact, the basis for PoPIA. “The public cloud offers government entities a cost-effective way to manage large amounts of data in a PoPIA-compliant environment,” she adds.
Key steps to PoPIA compliance
When it comes to protecting sensitive data, the first challenge is to evaluate what data is stored by the organisation, and identify what the sensitive data is and where it can be found, says Makhongoana. Once that primary analysis is completed, the next step is to protect the sensitive data through data anonymisation.
The remaining steps are detection, which will require centralised monitoring to identify suspicious activity and alert the responsible individuals, and access control so that individuals can only access the data they need to do their work.
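The four steps described above (find the sensitive data, anonymise it, monitor access centrally, and restrict access to what each role needs) as one toy pipeline in Python. This is an added illustration, not code from Oracle or from the article, and it is a demonstration rather than a product: the records, the pseudonymisation key, the role policy and the user names are all constructed. The one real-world detail it relies on is that a South African ID number is 13 digits whose last digit is a Luhn (mod 10) check digit, which lets the discovery step tell an ID number apart from some other 13-digit reference instead of flagging every long number.

```python
"""Toy PoPIA pipeline: discover, pseudonymise, control access, monitor. Added example."""
import hashlib
import hmac
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed sample records: the people, numbers and addresses are invented.
# The 13-digit values were built to pass, or deliberately fail, the Luhn check.
RECORDS: List[Dict[str, str]] = [
    {"name": "T. Mokoena", "id_number": "9001015009086", "email": "t.mokoena@example.org",
     "province": "GP", "service": "grant"},
    {"name": "L. Naidoo", "id_number": "8508205000080", "email": "l.naidoo@example.org",
     "province": "KZN", "service": "grant"},
    {"name": "T. Mokoena", "id_number": "9001015009086", "email": "t.mokoena@example.org",
     "province": "GP", "service": "housing"},
    # A 13-digit case reference that is NOT an ID number: the check digit fails.
    {"name": "", "id_number": "2021000012345", "email": "", "province": "WC",
     "service": "enquiry"},
]

# Assumed secret for pseudonymisation; in practice it lives in a key store, not in code.
PSEUDONYM_KEY = b"demo-only-key-rotate-me"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over the whole string; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_sa_id(value: str) -> bool:
    """13 digits, plausible YYMMDD prefix, valid Luhn check digit."""
    if not re.fullmatch(r"\d{13}", value):
        return False
    month, day = int(value[2:4]), int(value[4:6])
    return 1 <= month <= 12 and 1 <= day <= 31 and luhn_ok(value)


def classify(record: Dict[str, str]) -> Dict[str, str]:
    """Step 1, discovery: map each sensitive field to a category.
    IDs and e-mail are detected by content; a free-text name by its field label."""
    found: Dict[str, str] = {}
    for field, value in record.items():
        if is_sa_id(value):
            found[field] = "SA_ID"
        elif EMAIL_RE.match(value):
            found[field] = "EMAIL"
        elif field == "name" and value:
            found[field] = "NAME"
    return found


def pseudonym(category: str, value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so joins and
    distinct counts still work, but nobody without the key can reverse it."""
    mac = hmac.new(key, f"{category}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{category}_{mac[:16]}"


def pseudonymise(record: Dict[str, str]) -> Dict[str, str]:
    """Step 2, anonymisation: replace every discovered sensitive value with its token."""
    out = dict(record)
    for field, category in classify(record).items():
        out[field] = pseudonym(category, record[field])
    return out


# Step 4, access control: raw fields each role may read (constructed policy).
# A sensitive field the role may not read is served as its token, not blanked.
ROLE_POLICY: Dict[str, Set[str]] = {
    "caseworker": {"name", "id_number", "email", "province", "service"},
    "analyst": {"province", "service"},
}
AUDIT_LOG: List[Dict[str, object]] = []  # Step 3: one central record of every read


def view(user: str, role: str, record: Dict[str, str]) -> Dict[str, str]:
    allowed = ROLE_POLICY.get(role, set())
    sensitive = classify(record)
    shown: Dict[str, str] = {}
    for field, value in record.items():
        if field in allowed:
            shown[field] = value
        elif field in sensitive:
            shown[field] = pseudonym(sensitive[field], value)
    AUDIT_LOG.append({"user": user, "role": role,
                      "raw_sensitive": sorted(f for f in sensitive if f in allowed)})
    return shown


def bulk_id_readers(log: List[Dict[str, object]], limit: int) -> List[str]:
    """Detection rule over the central log: users who read raw ID numbers more than `limit` times."""
    counts = Counter(str(e["user"]) for e in log if "id_number" in e["raw_sensitive"])
    return sorted(u for u, n in counts.items() if n > limit)


def distinct_beneficiaries(records: List[Dict[str, str]]) -> int:
    """Analytics on pseudonymised data: count distinct ID tokens, never raw IDs."""
    return len({r["id_number"] for r in records if r["id_number"].startswith("SA_ID_")})
```

Running the functions over `RECORDS` shows the shape of the approach: the case reference in the last record is not flagged because its check digit fails, the two records for the same person collapse to one token so `distinct_beneficiaries` still counts correctly, an analyst gets province and service in clear but only tokens for name, ID and e-mail, and a caseworker who pulls raw ID numbers from record after record shows up in `bulk_id_readers`, which is the kind of rule a central monitoring service would alert on.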
According to Makhongoana, the government can take up to 180 days to realise it has had a personal information breach, whereas customers in Oracle Cloud are notified of a confirmed breach without undue delay, and at the latest within 24 hours.
“When it comes to PoPIA, the ability to be proactive is critical. Getting early alerts of a breach is essential, but knowing where your data is and protecting the sensitive data is even more important,” he points out.
Ramdhany believes that one of the unexpected benefits of Covid-19 has been to force a change in government’s attitude towards the cloud and to forming public-private partnerships with leading technology vendors—just as it has done with the private sector.
“One thing the government must guard against is trying to adopt a shortcut like, for example, trying to encrypt everything. That approach will make the data inaccessible and prevent organisations from using data analytics to improve business processes. The hard work of classifying the data and managing access rigorously has to be done, and Oracle can help,” concludes Makhongoana.