Johannesburg — Team to assess whether data critical to national security are being held

A TEAM of consultants has been appointed to scrutinise every database being used in SA to determine which of them holds critical information that government needs to know about.

The monitoring process was decreed by the controversial Electronic Communications and Transaction Act of 2002.

That gave Communications Minister Ivy Matsepe-Casaburri the power to declare certain databases critical and subject to stringent rules regarding the way their content is treated.

The communications department has awarded a tender to consultants from KPMG, Gobodo, ICT Works and Sizwe Ntsaluba VSP to compile an inventory of all major databases in the country, including those operated by banks, medical companies and other private firms to assess whether the information they hold is relevant to national security.

The inventory will be used to help the minister put regulations in place dictating how those databases must be developed, maintained and secured.

The owners of those databases will have their progress and compliance reviewed regularly to ensure that data that could negatively impact on companies and citizens is stored securely.

The consultants will begin contacting companies and organisations soon to begin examining their data.

When the Electronics Communications and Transaction Act first gave the minister the power to monitor private databases it raised questions about privacy infringement and how much right the government should have to oversee private business. One fear was the question of who would be given the right to access medical records to check somebody's HIV-status.

Yesterday Mike Silber, an independent consultant on IT regulatory affairs, said he welcomed the move to monitor the content of databases, as long as the government took a light touch to that control.

But it had taken so long to begin compiling an inventory that the report from the consultants may by superseded by new privacy and data protection laws being drafted by the Law Commission, he said.

"The point is to make sure that a business holding confidential data puts in place measures to make sure hackers can't get in easily and the data isn't sold to anyone else," said Silber.

"This was designed as a temporary measure until we had proper data privacy legislation. Now the Law Commission is also looking at database confidentiality, security and the treatment of data, and we will probably have more legislation put forward pretty much as soon as these consultants have made their final report."

Silber said he hoped the final rules setting out minimum standards for certain databases would be reasonable and would not force companies to implement needless and expensive technologies or pay a fee to be registered as compliant.