CLOUD COMPUTING AND POPI | WHAT YOU NEED TO KNOW
'Cloud computing' is a term commonly used to describe the practice of using a network of remote servers hosted by third parties ("Cloud Providers") on the Internet to store, manage, and process data, rather than a local server or a personal computer.
The purpose of this article and the instalments that follow is to provide a proper understanding of the legislative environment governing the processing of clients' personal information by organisations using Cloud computing ("Cloud Users").
In doing so, I hope to resolve the concerns traditionally held by potential South African Cloud Users (and their clients) as to the cloud environment and promote wider acceptance of Cloud computing, thereby creating new economic opportunities for Cloud Users, Cloud Providers and the South African economy as a whole.
2. The Global Experience
Since the adoption of Cloud computing by organisations ("Cloud Users") to process the personal information of their clients has become more widely accepted, it has gained global recognition for its significant economic and operational benefits. These benefits, specifically the opportunity to outsource costly infrastructure and services, become more relevant for SMEs operating in developing countries, such as South Africa. However, these benefits are only attainable if the Cloud computing services are rendered in a cloud environment which is secure and trusted by the Cloud Users.
3. The South African Experience
In South Africa, potential Cloud Users (and their clients) do not trust the cloud environment. For clients, the thought of losing their ability to protect the confidentiality, security, and availability of their data, which occurs as data is transferred to Cloud Providers and stored and processed all over the world, is enough to deter most, whilst for potential Cloud Users, the potential (uncertain) liability associated therewith is enough to do the same.
If one looks at the laws which traditionally regulated the protection of data, it is clear that they are based on the premise that it is always apparent:
Data entrusted to Cloud Providers can be stored and relocated anywhere in the world and processed by anyone, depending on where the requisite capacity lies. Consequently, traditional laws are unequipped to regulate Cloud computing and the concerns of potential Cloud Users and clients were well founded.
In November 2013 the legislative landscape of the cloud environment changed. The Protection of Personal Information Act, No. 4 of 2013 ("POPI") was signed into law with the aim of addressing the concerns of potential Cloud Users (and their clients) and promoting the adoption of Cloud computing. POPI transformed the proper processing and correct protection of information from being a vital function of an organisation, to a legal requirement. It establishes a truly secure cloud environment.
However, adoption of cloud-based services in South Africa remains unreactive and lags behind the rest of the world, as potential Cloud Users remain distrustful of the cloud environment. The question is, why?
The answer is that potential Cloud Users (and their clients) do not perceive the cloud environment to be secure (and therefore trustworthy). It is my opinion that this perception is not the result of a lack of security in the cloud environment created by POPI, but stems from a deficient understanding of the legislation itself.
It is crucial that potential Cloud Users fully understand POPI and the legislative environment it creates. If this can be achieved, I believe that adoption of cloud-based services in South Africa will become widely accepted.
POPI, signed into law in November 2013 and expected to become fully effective by the end of 2016, applies to the processing of personal information of data subjects (clients) by responsible parties (the Cloud Users), or on their behalf, by operators (Cloud Providers).
In essence, the purpose of POPI is to give effect to the constitutional right to privacy, by safeguarding clients' personal information when processed by Cloud Users and/or Cloud Providers, subject to justifiable limitations that are aimed at:
To this end, POPI imposes a number of duties on Cloud Users and Cloud Providers in relation to processing individuals' personal information, and provides individuals with concomitant rights in respect of their personal information.
Importantly, POPI applies to the operation or activity of processing personal information. It is not concerned with the juristic nature or identity of the person processing the information. Therefore, if you process a client's personal information, you are required to comply with the provisions of POPI.
POPI is about much more than just compliance. If Cloud Users (and Cloud Providers) can protect the client's data, they can establish trust, gain a reputation and take advantage of the economic and operational benefits of this arrangement.
4.2 Commencement, Enforcement and what this means
Only a limited number of relatively insignificant sections have commenced. The sections that create compliance requirements have not yet commenced. However, the President is expected to proclaim the date upon which the remainder of POPI's provisions will commence later in 2016. Once these provisions have commenced, there will be a one year grace period before the Information Regulator will enforce POPI.
POPI both creates the Information Regulator and provides it with extensive powers. Clients will be able to complain to the Information Regulator and the Information Regulator will be empowered to investigate and fine Cloud Users and Cloud Providers found to be in contravention of POPI's provisions.
Cloud Users and Cloud Providers must comply with POPI, and the time to begin ensuring compliance is now.
4.3 Conditions, Duties and Measures
POPI prescribes a number of fundamental conditions for the lawful processing of personal information and requires Cloud Users to implement measures to give effect to, and maintain compliance with, such conditions at all times during processing. The conditions are:
It is essential that the abovementioned conditions, and the concomitant measures employed to satisfy such, are understood by Cloud Users as they form the basis of the legislative environment within which they must operate.
4.3 Transfers of personal information outside Republic
POPI prohibits the transfer of personal information outside the Republic. There are, however, five useful exemptions, namely:
Exemptions are thus a critical consideration when a Cloud User wishes to process clients' personal information using Cloud computing and/or Cloud Providers who are either based offshore or process information offshore. Maintaining compliance with the provisions of selected exemptions is similarly critical to ensuring the continued lawful processing of personal information offshore.
In the next instalment I will begin to unpack the rights and duties which define the cloud environment created by POPI. Specifically, I will be examining the duties, measures and rights relating to the condition of Accountability.
 Deloitte, Cloud Computing in a South African business context [Online]. Available: http://www.itweb.co.za/index.php?option=com_content&view=article&id=33683.
 The term 'processing' applies to a definitive range of operations and activities, including the collection/receipt, storage, use, access, disclosure and disposal of personal information.
 "personal information" is defined by POPI as "information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person"
 "responsible party" is defined by POPI as "a public or private body or any other person who determines the purpose of and means for processing personal information"
 "operator" is defined by POPI as being "a person who processes personal information for a responsible party in terms of a contract or mandate"
 Section 2(a)(i)&(ii) of POPI
 D Taylor, POPI: More Than a Compliance Issue, [Online]. Available: http://www.saipa.co.za/articles/416310/popi-more-compliance-issue
 Section 8 of POPI
 Sections 9-12 of POPI
 Sections 13 & 14 of POPI
 Section 15 of POPI
 Section 16 of POPI
 Sections 17 & 18 of POPI
 Sections 19-22 of POPI
 Sections 23-25 of POPI
 Section 72(1) of POPI
 Section 72(1)(a) of POPI
 Section 72(1)(b) of POPI
 Section 72(1)(c) of POPI
 Section 72(1)(d) of POPI
 Section 72(1)(e) of POPI