As we approach the end of the first quarter of 2021, it has become abundantly clear that the Covid-19 pandemic is not over. By the time we can achieve some normalcy in day-to-day living we will have been in COVID-19 mode for between 18 – 24 months. For many people working from home will have become the norm. It is highly likely that the option to work from home will remain a permanent feature in the post covid-19 working paradigm. A recent survey conducted of Microsoft identified that “almost 9 out of 10 leaders expect hybrid working is here to stay”.
We are already seeing governments creating legislation for remote working. For example, the Irish government intends to enact legislation to allow employees to work from home permanently. In the Caribbean, the Barbados’ Ministry of the Public Service issued a policy document which provides for flexible working arrangements including allowing employees to work from home.
Given the extended period of time that this “forced experiment” of remote working has now been in operation, the indications are that productivity has not suffered. What is becoming clear are the long term benefits for allowing employees to work remotely on a full or part-time basis, for example, less traffic, less pollution (important for climate change action), better work/life balance, etc.
Many governments and commercial enterprises in the Caribbean are still operating in the “crises” mode where decisions around ICT deployment were taken in a “forced haste” environment due to Covid. The implementations associated with the need to address operational requirements during the Covid crisis are still in place. It is also a period where a number of Caribbean countries are embarking on digital transformation projects. Rather than continue with the same hastily implemented modus operandi, now is the opportunity to elaborate to a more long-term strategic approach to digital transformation. While there are many facets that impact the sustainability of digital transformation projects and the ability to growing a digital economy, this article will look at one critical aspect : “Where’s your data?”
“Where’s your data?” is a critical strategic question that must be considered at the outset of national digital transformation strategic planning. This is particularly critical in the context of national data privacy legislation, which the majority of CARIFORUM countries have or are in the process of enacting. Data protection legislation fundamentally deals with data privacy particularly with regard to the processing and/or storage of personal data (also known as Personally identifiable information (PII) ).
The European Union’s General Data Protection Regulation (GDPR) is generally regarded as the “gold Standard” for data privacy and protection legislation. It has a very strong component on the storage and processing of PII data in non-EU jurisdictions. Currently only twelve (12) jurisdictions are recognized as having adequate legal provisions for the processing and storage of European PII data. It should be noted that the USA is not one of recognized countries.
Why is this important for governments in the Caribbean? According to a United Nations Economic Commission for Latin America and the Caribbean (ECLAC) publication they state:
“Due to its extraterritorial scope and influence, the GDPR is prompting the harmonization of data protection legislation around the world and a number of Caribbean countries and territories are following suit. The study concludes that implementing data protection legislation aligned with the GDPR across the sub-region will not only guarantee individual privacy rights but also help to create an enabling environment for data sharing and e-governance and facilitate data and trade flows within and outside the Caribbean.”
“The COVID-19 pandemic has demonstrated the urgent need to facilitate better access to e-government in the sub-region and to digitize government transactions with the customer experience in mind. However, risks to the right to privacy and other human rights must be anticipated and managed to ensure that digitization does not result in breaches of individual rights.”
As Caribbean countries rapidly expand the usage of ICT, predominantly due to Covid-19, the critical issue must be “Where’s my data?”.
The three largest international cloud services companies are Google, Amazon (AWS) and Microsoft Azure. They may process and store PII data of Caribbean citizens. For example, using Microsoft Office 365, PII information may be contained in documents, email etc. which would be processed and stored in Azure. Currently, due to Covid-19, many schools in the Caribbean are using Google Classroom or Microsoft Teams as their virtual classroom platforms. This will have PII information on students and teachers. The following three figures show the location of data centres for each of Microsoft, Google and Amazon.
Microsoft Azure data centre locations
Figure 1: Microsoft Azure Geographies
Google Data Centre Locations
Figure 2: Google Data Centers- Discover our data center locations
Amazon Data Centre Locations
Figure 3: AWS- Global Infrastructure Map
The reader will note that not one of these companies has infrastructure in the Caribbean. This means that the processing and cloud storage of off-the-shelf products such as Microsoft 365, MS Teams and Google Classroom is done outside the Caribbean, most likely in the USA.
Why is this significant? Well, in simple terms it could be in contravention of national data privacy and protection laws. As already indicated a number of Caribbean countries have or are implementing data privacy legislation following the EU GDPR model. As also indicated earlier in this article, the EU does not currently allow PII data of EU citizens to be stored in the USA due to the fact that the USA does not have equivalent legislation. The focus on USA legislation is ensuring access to PII data by various government agencies rather than protecting access for citizens. A detailed review of data protection laws in the Caribbean is beyond the scope of this article but given the above scenario it should be assumed that Caribbean governments processing or storing their citizens PII data outside the region and particularly in the USA may be in contravention of their own laws. It is important to re-emphasize that data privacy is not just where the data is stored but also where and how it is processed.
In short, public sector entities (e.g. Ministry of Education, Public Sector IT Departments, etc.) who have implemented off-the-shelf external cloud-based solutions that are not located within their jurisdictions could be in contravention of their own national data protection/privacy legislation.
How can Caribbean governments overcome this potential conflict between national data privacy legislation and the need to maintain cloud-based systems? The answer is to implement equivalent cloud applications that are, or can be, based within a national or common regional jurisdiction. For example, implementing a local version of the LMS platform Moodle for online schooling; a localized version of Microsoft 365 (available from Cloud Carib as Carib365); utilizing the on-premise version of Cisco Webex or open-source solutions such as Jitsi for video conferencing and online collaboration. Just like other discussions on societal and economic sustainability, Caribbean governments should address the sustainability of their ICT environments, particularly as they strive for digital transformation. Digital data is at the heart of growing digital economies. Without guaranteed access and jurisdictional control over this crucial national and regional digital asset the digital economies of the Caribbean cannot flourish.
The security, availability and sovereignty of digital data assets will be critical to the growth and sustainability of digital economies in the coming years. Laying the foundations now, by placing a premium on determining “where’s my data?” and implementing core strategies which can answer that question with “Its right here in my jurisdictional space” will the a defining feature of Caribbean digital transformation.