V 0_1 This is a new service, help us improve and give your feedback by email.

Privacy and Data Localisation

[CITY] will implement data localisation and privacy practices by aligning with national regulations while identifying secure, ethical data-sharing alternatives.

Regulatory environment

Managing privacy and data governance challenges should be approached by understanding existing regulations and principles for data sovereignty. Data regulations exist to protect personal information from inappropriate uses and to advise governments on how to establish data governance practices that protect the right information while also allowing them to publish public information for public benefit. As such, regulations often provide classifications or distinctions between data that should remain private (for example, personally identifying information like name, address, or health status) and data that can be considered public domain to allow for free flow of information and freedom of expression.

Data localisation is an aspect of data governance wherein many countries representing the Global Majority seek control over data infrastructure in order to reclaim economic power generated by digital platforms. Data localisation requires national and local governments to invest in local alternatives to multinational tech providers for issues of data storage, processing, and analysis. Data localisation practices also involve clear rules and guidance around the sharing of data across international borders. As a framework, it aims to protect governments’ rights to regulate tech issues within their borders, to direct support to domestic platforms, and to encourage continuous transfers of technology toward local infrastructure.

Additionally, policymakers should ensure that these policies do not result in increased surveillance, disinvestment or rendering local firms more vulnerable to cyber attacks. Regardless of these challenges, incorporating data localisation as a data strategy goal helps to catalyse a long-term shift toward building up tech workforces, infrastructure, and ecosystem locally and nationally.

Relevant regulations related to privacy and data localisation are:

  • [RELEVANT REGULATIONS]

Protection of Personal Information Act (POPIA)

POPIA legislation provides guidance around lawful handling of personal data, with specific focus on conditions like government accountability, processing for specific purposes, managing quality information, openness and transparency, cybersecurity, and data subject participation in governance. POPIA provides a broad understanding of personal information, including information relating to the biometric information, employment history, personal correspondence, personal opinions, pregnancy, mental health, and even a person’s spoken language.

Elements of POPIA specifically related to data localisation include the following stipulations:

“All data classified/identified as Critical Information Infrastructure shall be processed and stored within the borders of South Africa. Cross-border transfer of citizen data shall only be carried out in adherence with South African privacy protection policies and legislation (POPIA), the provisions of the Constitution, and in compliance with international best practice. Notwithstanding the policy intervention above, a copy of such data must be stored in South Africa for the purposes of law Enforcement.

To ensure ownership and control:

  • Data generated in South Africa shall be the property of South Africa, regardless of where the technology company is domiciled.
  • Government shall act as a trustee for all government data generated within the borders of South Africa.
  • All research data shall be governed by the Research Big Data Strategy of the Department of Science and Innovation (DSI).
  • All data generated from South African natural resources shall be co-owned by government and the private sector participant/s whose private funds were used to generate such, and a copy of such data shall be stored in the [High Performance Computing and Data Processing Centre] HPCDPC.
  • Ownership and control of personal information and data shall be in line with the POPIA.
  • The Department of Trade, Industry and Competition through the Companies and Intellectual Property Commission (CIPC) and the National Intellectual Property Management Office (NIPMO) shall develop a policy framework on data generated from intellectual activities including sharing and use of such data.”

Convention on Cyber Security and Personal Data Protection (Malabo Convention)

At a regional policy level, the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) was adopted in 2014 and entered into force after 15 African countries ratified the convention on 8 June 2023.  South Africa signed the African Union Convention on Cyber Security and Personal Data Protection (the Malabo Convention) on February 16, 2020. The Convention does not mandate any practices at the municipal level but can serve as a helpful benchmark for good privacy practice.

According to research published by the Mozilla Africa Mradi Programme, the Convention mandates states to develop legal frameworks for the protection of personal data, the promotion of cybersecurity, the combating of cybercrime, and standards for e-commerce. The Convention ensures that data protection standards will be translatable across African states to ensure that economic benefits gained through stronger data sovereignty and data protections will effectively result in a reclamation of digital infrastructure across the African continent, due to the fact many multinational companies operating on the continent are headquartered in the United States or China.

The Convention mandates that every member state should establish domestic laws on the policy’s criteria, aligning to principles of consent, lawfulness, confidentiality, and transparency. Finally, the Convention mandates that states develop policies and legal frameworks governing cybersecurity and criminal offenses related to each state’s domestic measures. These regulations are to be enacted while protecting freedom of expression and free flow of information within privacy protections.

Data protection standards

Any efforts to implement privacy policies that protect personal information and structure local data governance should be attached to sufficient authorities, roles, organisational structures, policies, and resources. Local policies related to data protection may choose to highlight aspects of federal or regional policies, for example:

  • Requiring that data subjects must give consent before their data is processed;
  • If data is reused, requiring data subject’s subsequent consent;
  • Mandating a specific timeline when collected data should be destroyed;
  • Creating rules for sharing data with third parties that align to local data protections;
  • Limiting data collection, use, and retention of personal data to necessary functions
  • Other priorities mandated by federal data protections;

Data owners and local decision makers should also work together through local data governance processes to establish categories for datasets that contain different levels of privacy risk. Categories may be as follows:

  1. Restricted Confidential data shall be secured by encryption and by additional safeguards such as digital certificates for integrity and non-repudiation. Sharing of Level 4 data to other agencies shall not occur unless it is approved in advance by the department head and legal counsel. Disclosures will be documented by a governing body. Level 4 datasets shall not be accessible to the public in any way.
  2. Confidential data shall be secured by encryption and by additional safeguards such as digital certificates for integrity and non-repudiation. It may be accessed and used by internal parties only when specifically authorized to do so in the performance of their duties. External parties requesting this information for authorized public body business must be under contractual obligation of confidentiality with the public body before receiving it. Information at this level or above shall not be accessible to the public in any way.
  3. Data for government use and not already public shall not be posted online or exposed to search engines. It will be made disclosed directly to a requesting entity upon request. The data may be distributed without special security controls between government agencies and other public bodies.
  4. Open data shall be distributed publicly pursuant to the provisions of the municipality’s data policy.

Action Items

  • Develop a protocol to categorise data by level of privacy risk to govern data-sharing access
  • Set standards for consent, opt-out, and data destruction and incorporate into a data policy
  • CDataO appoints roles responsible for overseeing privacy and sovereignty issues

References:

  1. Van der Berg, Shanelle. “Data protection in South Africa: The Potential Impact of Data Localisation on South Africa’s Project of Sustainable Development”, Mandela Institute, School of Law, University of the Witwatersrand. December 2021. https://www.wits.ac.za/media/wits-university/faculties-and-schools/commerce-law-and-management/research-entities/mandela-institute/documents/research-publications/800429%20PB2%20Data%20localisation%20and%20sustainable%20dev_REV%20Dec2021.pdf
  2. Ayalew, Yohannes Eneyew. “The African Union’s Malabo Convention on Cyber Security and Personal Data Protection enters into force nearly after a decade. What does it mean for Data Privacy in Africa or beyond?” June 15, 2023. https://www.ejiltalk.org/the-african-unions-malabo-convention-on-cyber-security-and-personal-data-protection-enters-into-force-nearly-after-a-decade-what-does-it-mean-for-data-privacy-in-africa-or-beyond/
  3. District of Columbia Data Policy. Office of the Mayor. April 27, 2017. https://opendata.dc.gov/pages/data-policy