RWANDA: Cloud in Public Sector

The primary agency is the Ministry of Information Technology & Communications with the mission to address national priorities for economic growth and poverty reduction through the development and coordination of national policies related to Information & Communication Technology policies. It also has a vision to accelerate socio-economic development, improving productivity of the private sector and developing the growth of ICT and to foster ICT development and diffusion in the Rwandan Society and Economy.¹¹

Another relevant authority is the Rwanda Information Society Authority (RISA)¹² which is an affiliated institution to the Ministry of Technology that is responsible for the implementation of government projects that aims at digitizing services in Rwanda. RISA’s role includes: implementation of national Information and Communication Technologies (ICT) policies and programs in order to fast-track socio-economic growth; to implement strategies which expand the access and affordability of Information and Communication Technologies; acceleration of community development through mainstreaming Information and Communication Technologies in national socio-economic sectors; preparation and coordination programs that increase the required skills in the field of Information and Communication Technology in order to achieve a knowledge-based economy; and to strengthen programs on Information and Communication Technology innovation.

The National Cyber Security Authority (NCSA)¹³ is another relevant agency in Rwanda. The mission of NCSA is to build skills and capacities in cyber security with a view to ensuring the protection of the national integrity and security in order to achieve economic and social development. Some of the responsibilities include¹⁴:

1. to advise the President of the Republic and other public and private institutions on strategies to defend Rwanda’s interests in cyberspace; and
2. to conduct cyber intelligence on any national security threat in cyberspace and provide information from such intelligence to the relevant organs.

Yes, cloud services are permitted in Rwanda for the public sector, subject to compliance with certain rules (see below).

A move to cloud services would require consideration of a number of regulatory regimes.

(i) Public procurement: A public sector body must ensure that when it contracts for information, communication and technology services it does so in a manner that is fair, equitable, transparent, cost-effective and competitive. Law No.12/2007 of 27/03/2007 on Public Procurement as modified and complemented to date has been enacted to guide the tender process. This will ordinarily mean that a public sector body cannot contract directly with a supplier but instead must follow a competitive public tender process.¹⁵ In this regard, the procurement process must be evaluated in terms of the preferential procurement points system. However, it may be possible to deviate from a competitive public tender process and approach a supplier directly in certain circumstances, such as where the value of the tender has not reached a certain threshold, or takes place in emergency circumstances. According to this procurement law, Information Communication Technology (ICT) may be used in public procurement and should be consistent with the standards set forth in the law. The activities within which ICT will be applied shall be determined by public procurement regulations.¹⁶

(ii) Access to information, transparency, and public participation: The Rwanda Access to Information Law¹⁷ provides a comprehensive framework for access to information in Rwanda. The purpose of the law is to enable the public and journalists to access information held by public organs and some private bodies. The law was seen by many external observers as “a signal of government’s intention to entrench transparency and enhance public participation in governance.” ¹⁸

Every person in Rwanda has the right of access to information held by a public organ and some private bodies for example accessing activities, documents or records, obtaining information stored in any electronic form or through print-outs, copies of information stored in a computer or in any other device, among others.

Rwandan Access to Information Law broadens the scope of the organs to which the law applies. All public and private organs “whose activities are in connection with public interest, human rights and freedoms” have to comply with the Law and are requested to appoint an information officer to deal with information requests from persons.¹⁹ The Rwandan Access to Information Law also provides for a broad list of exemptions where access to information can be restricted to material of public interest in certain instances.²⁰

The Rwandan Access to Information Law helps to promote transparency and more budgetary accountability within the country. The right to access of information is associated with democratic values within the country. Furthermore, the Law is expected to help journalists keep the public better informed and citizens gain more knowledge on their rights.

(iii) Data security: Rwanda, like many African countries, has enacted ICT law governing information and communication technologies.²¹

This ICT law applies to electronic communications, information society, broadcasting sector, and postal sector. It outlines strategies that are intended to ensure information security, data protection, network reliability and integrity of electronic communications.

(iv) Co-operative governance and interoperability: According to the preamble of the Constitution of Rwanda of 4 June 2003 as revised in 2015²², the people of Rwanda are committed to building a State based on consensual and pluralistic democracy founded on power sharing, national unity and reconciliation, good governance, development, social justice, tolerance and resolution of problems through dialogue.

The Government of Rwanda has made several strides towards developing Rwanda into one of the ICT leaders of Africa.²³ The government is looking to follow very ambitious plans to accelerate Rwanda into this role, with the dedication of government leaders.

The Rwandan Government released a plan for Rwanda’s social and economic development, with the ultimate goal of being a prosperous nation by 2020. The Vision 2020 plan is centered on “a prosperous knowledge-based economy.” The plan contains six “pillars” and four “cross-cutting domains,” one of which is “science and technologies, including ICTs.” ICTs are mentioned as crucial components of the development of the education system in Rwanda.²⁴

Personal information and privacy are generally protected in Rwanda, including under the Constitution of the Republic of Rwanda²⁵ and the law instituting offences and penalties in general²⁶ (which creates certain offences, including for collection of individuals’ personal information in computers).

It is permissible in Rwanda to transfer personal data and information if consent is sought and the data and information is not used to adversely affect the dignity or the privacy of the people. Hence, the main requirement is consent and making sure the data is not misused as provided for by the law.

Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in its view, will likely provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation (GDPR) which came into force in May 2018. Footnotes