There is currently no legislation, or even a code of conduct, in SA to regulate cloud services and cloud service providers. The result is that there are no effective guidelines for how service providers should handle personal information.
So says Tammy Bortz, director of Werksmans Attorneys, who spoke at ITWeb's Virtualisation and Cloud Computing Summit yesterday about the current state of cloud regulation as well as the pending legislation that will regulate the processing of personal information.
According to Bortz, the US is another country that does not have legislation in place to govern cloud services, while the European Union has proposed regulation, in the form of the EU Data Protection Directive.
Bortz pointed out, however, that some countries have legislation in place that regulates the processing of personal information, for example, the UK Data Protection Act.
In Africa, countries that have data protection laws include Angola, Mauritius and Zimbabwe, said Bortz, adding that Namibia, Lesotho, Swaziland and Botswana have ICT policies that recognise the need for regulation of data protection.
Bortz also pointed out that, currently, there is an international call for cloud computing to be legislated in order to protect customers, while a number of organisations have proposed guidelines around cloud computing.
In Africa, one such movement is the Harmonisation of ICT Policies in Sub-Saharan Africa (HIPSSA). Bortz explained that this document recognises the need to protect personal data, and also sets out rules for cross-border data transfer within Africa. HIPSSA is not yet in force.
Locally, the Protection of Personal Information (PPI) Bill, which strives to protect the personal information of individuals when this information is in the hands of a third party, is expected to come into effect this year. Once implemented, organisations will be given one year to comply with the legislation.
Bortz stressed that the Bill will impact all entities that process personal information. She explained that the definition of processing is broad enough that all businesses will likely be affected - especially cloud providers. According to Bortz, businesses will not only need to comply with the PPI Bill, but the onus will be on businesses to ensure third parties to whom they outsource data processing, such as cloud providers, also comply with the Bill.
Furthermore, says Bortz, the PPI Bill places more obligations on the business, or “responsible party”, than it does on the “operator”, such as the cloud provider. The Bill defines the responsible party as the entity that determines the purpose and means of the data processing, while the operator is defined as the entity that processes data for the responsible party in terms of a contract or mandate.
Bortz concluded that businesses must carry out a thorough assessment of a cloud provider's policies before entering into a contract. She said this should include a review of the provider's terms and conditions, its security and data privacy policies, service levels, disaster recovery policies and termination policies.