Aligning South African Data and Cloud Policy with the PoPI Act


  • Emma Raaff University of Stellenbosch
  • Nicole Rothwell University of Stellenbosch
  • Aidan University of Stellenbosch



cloud data governance, cloud computing, digital security, the PoPIAct, data and cloud security


On 1 April 2021, the South African government released the Draft National Data and Cloud Policy for public comment. This policy aims to support the digital economy in South Africa by implementing initiatives to augment the development of digital infrastructure and skills, with a specific focus on cloud computing. The adoption of the policy would help position the country as a data-driven economy. However, the implementation of such a policy is predicated on the existence of supporting digital infrastructure and aligned inter-departmental goals. Currently, there are many technological and legal considerations that must be addressed in order for such a policy to be implemented successfully. One particularly important consideration is how this policy relates to South Africa’s Protection of Personal Information Act, which came into effect on 1 July 2021. The Act sets out legal imperatives for the collection, storage and use of personal information belonging to South African citizens. The aim of this paper is to analyze how the Draft National Data and Cloud Policy relates to the Protection of Personal Information Act in terms of what is proposed in the Policy and what is legislatively imperative in the Act. The overarching context for this evaluation is data governance in the cloud with an emphasis on the security of personal information. Macroeconomic threats and a shortage of critical ICT skills presupposes technical challenges for the implementation of a cloud service. Formal Concept Analysis is utilized to conceptualize and understand the relationships between the Draft National Data and Cloud Policy and the Protection of Personal Information Act. Classification, Confidentiality and Open Data are presented as technological challenges to cloud implementation. This paper aims to contribute towards an understanding of these challenges and how they are affected by South Africa’s legislation and policies. We therefore investigate how the Draft National Data and Cloud Policy is situated in the broader context of data protection in South Africa.