Real people. Woman and minority owned civil engineering firm with an expertise in storm water and runoff management. Services are provided for private contractors as well as government agencies.
South Africa: Cloud in public sector

South Africa: Cloud in Public Sector

An Interactive Guide for Legal and Compliance Professionals

DOWNLOAD OUR WHITEPAPER: Azure for Secure Worldwide Public Sector Cloud Adoption

Download now


The public sector1 currently faces a significant challenge to enable active citizenship, increase efficiency of service delivery, and facilitate inclusive economic growth and transformation and to do so cost effectively and securely with limited resources. To meet these challenges the National Development Plan envisages an ecosystem of digital networks, services, applications, content, and devices that will connect public administration to the active citizen; promote economic growth, development, and competitiveness; drive the creation of decent work; underpin nation-building and strengthen social cohesion; and support local, national, and regional integration.2

Cloud services will be at the forefront of the government's digital transformation. The cloud can provide cost effective access to unprecedented power to rapidly process and analyze vast quantities of data to produce actionable analysis, insights, and better decision-making. Easily accessible data storage and multiple access and communication channels provide a modern, consistent, and seamless experience for officials as well as the public, facilitating public participation and co-operative governance and inter-departmental collaboration and broadening social inclusion. The cost optimization, data security and potential for open government made possible by cloud services are far superior to manual paper-based processes.

In a highly regulated sector such as the public sector, it is crucial to ensure that any move to the cloud complies with applicable regulation and achieves the obvious benefits without undue risk.


We believe that no cloud services provider has more experience of delivering compliant solutions to the public sector in South Africa than Microsoft. Microsoft is one of the first service providers to actively collaborate with the public sector in South Africa to find ways of optimizing government information and communications technology spend and maximizing the government's return on investment. South Africa's Chief Procurement Officer, Kenneth Brown, and the CEO of SITA, Dr Setumo Mohapi, have acknowledged Microsoft as a strategic partner of the public sector that is willing to provide innovative and unconventional solutions for the public sector's complex and diverse requirements that must be met to achieve our nation's developmental goals.3

Innovative public sector bodies who have already moved to Microsoft's cloud services have reported major successes. The City of Johannesburg piloted a cloud-based consumer engagement application called 'find and fix' that enabled residents to be the City's eyes and ears by reporting road problems such as potholes, faulty traffic lights and damaged manholes. The impact was a reduction in issue resolution times from 32.4 days to less than a day. This changed residents' perceptions of access to service delivery and government efficiency.

The Government Pension Administration Agency's (GPAA) migration to the Microsoft cloud enabled it to go paperless and introduce self service facilities to access data. This enabled the GPAA to address fraud and corruption and build more controls into their processes. It also moved its call centre to the cloud and within three days the new call centre was up and running. The outsourcing of the management of the call centre and the pay-as-you-use model offered by cloud computing has resulted in significant cost savings.

In addition, Microsoft will soon deliver the intelligent Microsoft Cloud for the first time from data centres located in South Africa. The new cloud regions will offer enterprise-grade reliability and performance combined with data residency to help enable the tremendous opportunity for economic growth, and increase access to cloud and internet services for organisations and people across South Africa, and the African continent. This new investment is a recognition of the enormous opportunity for digital transformation in Africa and is a major milestone in the company’s mission to empower every person and every organisation on the planet to achieve more in a safe, secure and legally compliant manner.

Microsoft stands ready to support our public sector customers in South Africa to achieve similar benefits. In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory, and practical aspects of any cloud project. This is all part of our commitment to helping our public sector customers smoothly navigate their way to the Microsoft cloud - including Microsoft Azure, Office 365, and Dynamics 365 - with confidence and enjoy the benefits of the digital transformation.


There is presently no uniform regulation for cloud services in South Africa. There are a number of laws that are relevant to any decision to move to cloud services, those that facilitate the use of cloud services and those that place constraints on the manner in which cloud services may be used.

  • The State Information Technology Agency (SITA) is the government agency responsible for providing centralised information technology, information systems, and related services in a maintained information systems security environment according to approved policy and standards.

    National and provincial government departments must procure cloud services through SITA and SITA must certify all services procured by national and provincial government departments for compliance with its standards. Public entities and municipalities may also make use of SITA's services but are not compelled to do so.

    SITA has recognized the need for cloud services across government to eliminate the unnecessary duplication of information technology goods and services and leverage economies of scale to provide cost effective services.4 As a result SITA is currently working with Microsoft to leverage the benefits of the cloud, amongst other things.5

  • Yes, cloud services are permitted. A move to cloud services would facilitate the achievement of a number of government policy objectives and regulatory requirements relating to co-operative governance, public participation and procedural fairness, information security, service delivery, rational decision-making, and administrative efficiency. However, certain processes may need to be followed and certain requirements may need to be met prior to migrating to cloud services.

    Microsoft is proud to confirm that it meets regulatory and compliance requirements for use of the cloud in some of the most highly regulated industries across the globe and can help you to achieve compliance with the regulatory and compliance requirements applicable in this sector.

  • A move to cloud services would require consideration of a number of regulatory regimes.

    (i) Public procurement
    A public sector body must ensure that when it contracts for information, communication, and technology services it does so in a manner that is fair, equitable, transparent, cost-effective, and competitive.6 This will ordinarily mean that a public sector body cannot contract directly with a supplier but instead must follow a competitive public tender process. National and provincial government departments must procure cloud services through SITA, while municipalities, public entities, and municipal entities may run their own procurement process.7 The procurement process must be evaluated in terms of the preferential procurement points system.8 It may be possible to deviate from a competitive public tender process and approach a supplier directly in circumstances where the procurement is urgent, takes place in emergency circumstances or involves a sole supplier.9 It is also possible in certain circumstances, through transversal contracting, for public sector bodies to opt in to contracts for cloud services procured by other organs of state without having to follow a separate tender process.10 Transversal contracting also allows organs of state to realise financial benefits through economies of scale.

    (ii) Access to information, transparency, and public participation
    The public sector is required to be accountable, responsive, and open.11 As a result it is obliged to make information publically accessible to allow the public to participate in government processes.

    The public has the right of access to records of public sector bodies and the information officer of public sector bodies must consider the request and, where it is granted make the documents available within 30 days of the request being made.12 Public sector bodies may be faced with requests for a significant number of records. Storage of information on the cloud will ensure that all information held by the public body is accessible, searchable, and easy to find with minimal effort to ensure that access to information requests can be addressed timeously.

    South Africa is also a founding member and the current chair of the global Open Government Partnership. As signatory to this partnership, the South African Government has committed to making key non-personal public information and data freely available for everyone to use, reuse, and republish as long as certain conditions are met.13

    Microsoft's cloud solutions offer significant data storage capacity and multiple access channels to facilitate the achievement of South Africa's commitment to open data.

    (iii) Data security
    Each government department is required to implement a department-specific information security policy, and the establishment of an information security function and staff to provide for the protection of classified information.14 These policies must be consistent with the Minimum Information Security Standards policy approved by Cabinet. Thus before making a decision to move data to the cloud, a public sector body should consider what types of data will be stored in the cloud, the manner in which the information will be stored (using private cloud infrastructure, including on-premises, or hyperscale cloud infrastructure) and whether the cloud service provider meets the relevant security and other requirements15 for the type of information that will be stored.

    In additional all cloud services procured by national and provincial departments must be certified by SITA for compliance with its comprehensive information security environment standards.16 SITA has already certified Microsoft's Office 365 solution, and Microsoft is engaging with SITA to ensure that its other solutions, which meet the highest international standards (as set out more fully in the Recommended Resources below), are also so certified.

    (iv) Co-operative governance and interoperability
    All spheres of government and all organs of state within each sphere are required to act in accordance with the principles of co-operative government which include co-operating with one another in mutual trust and good faith by informing one another of and consulting one another on matters of common interest and co-ordinating their actions and legislation with one another so as to avoid wasteful duplication and ensure coherent government and effective provision of services.17

    The heads of national departments, provincial departments, municipalities, and national or provincial government components will soon be required to acquire and use information technology in a manner that:

    • leverages economies of scale
    • ensures interoperability of information systems with information systems of other institutions
    • eliminates unnecessary duplication of information and communication technologies
    • ensures security of information systems18

    In addition, they will be required to use information and communication technologies to develop and enhance the delivery of its services, align the use by staff of information and communication technologies to achieve optimal service delivery and promote the access to public services through the use of information and communication technologies.19

    All of these obligations can be met cost effectively and comprehensively through the use of cloud services.

    In additional all cloud services procured by national and provincial departments must be certified by SITA for compliance with its interoperability standards.20

  • Under the Protection of Personal Information Act (POPIA), personal information may be transferred out of South Africa as long as the requirements of POPIA are met. POPIA permits the transfer of personal information to a third party who is in a foreign country in specific circumstances, including if the recipient is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection as contemplated in POPIA or with the data subject's consent.

    Microsoft holds itself accountable to and is subject to laws of regions in which it maintains data centres, and has binding agreements which, in our view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

    • 1In this document we use the term public sector to include national government, provincial government, municipalities, public entities, municipal entities and constitutional institutions.
    • 2National Development Plan: Our future - Make It Work, 2030 at 190.
    • 3National Treasury Media Release entitled 'Office of the Chief Procurement Officer joins forces to reduce costs and enhance efficiency in the public sector' dated 9 December 2016.
    • 4
    • 5National Treasury Media Release entitled 'Office of the Chief Procurement Officer joins forces to reduce costs and enhance efficiency in the public sector' dated 9 December 2016
    • 6Section 217 of the Constitution of the Republic of South Africa, 1996
    • 7Section 7(4) of the State Information Technology Agency Act, 88 of 1998.
    • 8Preferential Procurement Policy Framework Act 5 of 2000
    • 9National treasury SCM Instruction Note 3 of 2016/17 entitled "Preventing and Combating Abuse in the Supply Chain Management System".
    • 10Regulation 16 of the General Regulations made under the SITA State Information Technology Agency Act, 88 of 1998, Regulation 16A6.5. of the Treasury Regulations made under the Public Finance Management Act, 1 of 1999 and regulation 36 of the Municipal Supply Chain Management Regulations made under the Local Government Municipal Finance Management Act, 56 of 2003.
    • 11Section 1(d) of the Constitution of the Republic of South Africa, 1996.
    • 12Section 25 of the Promotion of Access to Information Act 2 of 2000.
    • 13Paragraph 10.4.4 of the National Integrated ICT Policy White Paper.
    • 14The Minimum Information Security Standards, 1996.
    • 15Such as requirements arising under the National Archives and Record Service of South Africa Act, 1996.
    • 16Section 7(6)(b) of the SITA Act.
    • 17Section 41 of the Constitution of the Republic of South Africa, 1996 and sections 5 and 6 of the Intergovernmental Relations Framework Act, 13 of 2005.
    • 18Section 14 of the Public Administration Management Act 11 of 2014, which is expected to come into force in 2018.
    • 19Section 14 of the Public Administration Management Act 11 of 2014.
    • 20Section 7(6)(b) of the SITA Act.
    • 21Section 72 of POPIA




We build our services from the ground up to help safeguard your data

Learn more


Our policies and processes help keep your data private and in your control

Learn more


We provide industry-verified conformity with global standards

Learn more


We make our policies and practices clear and accessible to everyone

Learn more











*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.