IDENTIFYING CRITICAL DATA AND DATABASES – A PROPOSAL FOR A RISK-BASED THEORY OF IMPLEMENTING CHAPTER IX OF THE ECT ACT
DOI:
https://doi.org/10.17159/obiter.v34i1.12091Keywords:
ECT Act, identify and classify critical data and databasesAbstract
South Africa adopts meaningful measures to prevent and/or alleviate attacks to its critical data and databases. The measures are embodied in Chapter IX of the Electronic Communications and Transactions Act 25 of 2001.1 The Chapter IX measures encumber the Minister of Communications to perform innumerable functions, inter alia, to identify and classify critical data and databases. However, this article submits that the Chapter IX measures are founded and places (unlimited) reliance on a stagnant or inflexible approach. Such an approach assumes that a process to identify and classify critical data and databases is a product of guesswork. Put differently, the Chapter IX measures uses a common-knowledge or one-size-fits all approach as an aid to identify and classify critical data and databases. By so doing, Chapter IX of the ECT Act fails to recognize that a holistic and flexible approach or framework is indispensable in a process to identify and classify critical
data and databases.