https://www.engineeringnews.co.za

Fragmentation in South Africa’s digital identity regulatory and institutional framework: implications for citizen control of their data

5th May 2026

     


One of the biggest challenges in South Africa’s emerging digital identity system is fragmentation. In this opinion article, Mark Burke notes that this means that the policies, laws, institutions, and technologies involved have grown in disconnected ways over time. This fragmentation has a real impact on ordinary people, because it affects how well they can control how their personal information is collected, shared, and used.

This essay examines fragmentation across policy, law, institutions, and technology. It argues that South Africa’s current regulatory and institutional landscape, characterised by disconnected policy frameworks, overlapping legal mandates, uncoordinated institutional oversight, and technically incompatible legacy systems, systematically and structurally undermines the possibility of genuine citizen control over data in digital identity systems.

In this context, “fragmentation” does not refer merely to the presence of multiple policies, regulators, or information systems. A governance environment may include many components and nevertheless function coherently. Fragmentation arises when there are no effective mechanisms to align and cohere these components. Under these circumstances, accountabilities and responsibilities become unclear, institutions work at cross‑purposes, and important issues fall through the cracks. The result is that the rights of citizens may be formally recognised, but remain difficult to exercise in practice because the overall system lacks integration.

The urgency of this issue is heightened by the pace of current digital initiatives. The MzansiXchange pilot launched in October 2025, the planned 2026 rollout of the MyMzansi digital identity system, and the expanding use of biometrics through the Automated Biometric Identification System (ABIS) are advancing within a governance environment that remains insufficiently integrated and supervised. The risk is that the state’s ability to collect, process, and link personal data is growing much faster than the systems meant to hold it accountable and protect citizens’ rights.

Policy Fragmentation Through Competing Visions of Data Governance

South Africa’s policy environment for digital identity and data protection reflects material inconsistencies in vision and priorities. Although four major policy instruments address digital identity, they are based on very different ideas about how to balance government efficiency with citizens’ rights and autonomy.

The 2019 White Paper on Home Affairs sets the overall direction for modernising identity systems. It places biometric technology, such as fingerprints and facial recognition, at the centre of this effort. The approach is strongly state‑led, with the Department of Home Affairs described as the sole authority controlling citizens’ identity information. While privacy is mentioned, it is treated primarily as something to manage during implementation, rather than as a core principle shaping the system from the start. The policy does not clearly state that people should have control over their own data. Instead, the focus is on speeding up services, reducing fraud, and improving government performance. Digital identity is presented as something created and managed by the state, with citizens largely expected to use it, rather than control how their information is shared or accessed.

The National Data and Cloud Policy takes a different approach. It focuses on keeping government data physically stored inside South Africa, arguing that this is important for national security. While this may protect data from foreign control, it does not give people more say over how their information is used. Keeping data local does not stop state agencies from accessing it under South African law, including for surveillance purposes. The policy also says very little about people’s individual rights, beyond general references to existing data‑protection laws. This suggests that protecting national control over data and protecting individual rights are treated as separate goals, rather than being designed together. In addition, strict data localisation rules may clash with plans to link systems across borders, especially where services depend on sharing data with other countries.

The National AI Policy Framework (the Draft National AI Policy published for comment on 10 April was withdrawn on 26 April 2026 for, ironically, the use of AI in a manner that has undermined the “credibility and integrity” of the draft policy) adopts a risk-based approach that classifies many identity applications as “high-risk”, and accordingly envisages human oversight, explainability, and impact assessment. However, the Framework provides limited implementation guidance (though the withdrawn draft national policy offers more guidance on these issues). Providing for a regulator responsible for overseeing AI, requiring impact assessments by law, and granting citizens clear rights to challenge automated decisions should be integral to future policy.

South Africa’s Roadmap for Digital Transformation of Government, published in 2025, comes closest to bringing these ideas together. It sets out identity, data sharing, payments, and services as four connected building blocks, based on shared digital public infrastructure. The identity and data‑sharing parts of the Roadmap are more advanced, while plans for digital payments and services are much less detailed. The Roadmap also promises that “no one will be left behind,” but it does not yet clearly explain how people without reliable internet access, devices, or digital skills will be supported through offline options or alternative ways to prove who they are.

The central inconsistency across these policy instruments concerns the locus of control. The White Paper on Home Affairs treats identity data primarily as a state asset subject to centralised custody. The Data and Cloud Policy frames government data as a strategic resource to be secured through sovereignty. The AI Policy Framework approaches data as an input to algorithmic systems that require risk management. The Roadmap treats data as enabling infrastructure for service delivery and therefore prioritises integration. None of these instruments treats data as subject to individual direction and control. This conceptual fragmentation means that, where citizen control is acknowledged, it appears largely as rhetorical commitment rather than as a structural design and organising principle.

Across all these policies, the biggest difference is how control over data is approached. The Home Affairs White Paper treats identity data as something owned and controlled by the state. The Data and Cloud Policy treats data as a national asset that must be protected within borders. The AI Policy Framework views data as an input to algorithmic systems that require risk management. The Roadmap focuses on data as infrastructure that supports service delivery. None of these approaches clearly treats personal data as something that individuals should actively control, except for the Roadmap noting this as an aspiration.

Legal Fragmentation From Divergent Priorities

South Africa’s laws around digital identity and data protection are also fragmented in key ways. First, there are gaps between general laws and those aimed at specific sectors or technologies. Second, there is tension between laws that allow surveillance and those meant to protect privacy. Third, the law changes slowly, while digital systems and technologies evolve very quickly. Together, these mismatches make it difficult for the legal system to keep up, and even more difficult for citizens to fully understand or enforce their rights in practice.

The Protection of Personal Information Act (POPIA, 2013) establishes the baseline requirements for lawful processing of personal information and is substantially influenced by the EU’s General Data Protection Regulation (GDPR). Its eight conditions for lawful processing include accountability, processing limitation, purpose specification, and data subject participation. However, POPIA largely reflects a 2013 conception of data processing and provides limited accommodation for contemporary digital identity architectures, including real-time data exchange, biometric identification at scale, and credential-based models of selective disclosure.

South Africa’s main data‑protection law, the Protection of Personal Information Act (POPIA), sets the basic rules for how personal information may be collected and used. It was strongly influenced by Europe’s General Data Protection Regulation (GDPR) and includes principles like fairness, accountability, and people’s right to access their own information. However, POPIA was adopted in 2013, before today’s complex digital identity systems became common. As a result, it does not deal very well with modern realities such as large‑scale biometric use, constant data sharing between systems, or digital IDs that allow people to share only selected information.

One of the main concerns for ordinary people is that POPIA allows many situations where personal data can be used without permission. These include broad reasons such as “public interest,” “legal obligation,” or what government considers “necessary” for carrying out its duties. There are also exceptions for research and statistics that can allow data to be reused for new purposes over time. Taken together, these exceptions often mean that POPIA focuses on procedures, such as having policies in place, without giving people real, practical control over how their data moves between systems.

POPIA also assumes a fairly simple relationship where one organisation collects data from a person for a specific purpose. That model does not match systems like MzansiXchange, where many organisations will exchange data continuously and automatically. For example, POPIA requires people to be notified when their data is collected, but this becomes unclear when data is constantly created, inferred, or shared behind the scenes. The law also allows organisations up to 30 days to respond to data access requests, which makes little sense in systems that make decisions in real time. Similarly, while people are meant to be able to withdraw consent, POPIA does not provide tools for managing consent across interconnected systems.

The Cybercrimes Act (2020) introduces surveillance and investigative powers that intersect directly with digital identity governance. These include judicially authorised interception of communications, access to stored data on the authorisation of designated officials, and the compelled disclosure of decryption keys, subject to oversight that varies by power and circumstance. In the context of digital identity systems, such powers provide the legal basis for extensive state visibility into identity verification activity and service access patterns. In particular, the Act’s provision for “real-time collection” of traffic data (with judicial authorisation) could, in principle, be applied to identity-related transactions across government and participating service providers. While these powers may be justified for specific criminal investigations, their interaction with centralised identity repositories and interoperable exchange infrastructure increases the structural risk of surveillance expansion beyond narrowly defined purposes.

The Cybercrimes Act gives the state powers to monitor communications and access stored data under certain conditions. These powers include intercepting data with a court order, accessing stored information with official authorisation, and requiring access to encrypted data. When combined with digital identity systems, this law enables the state to gain broad insight into how people use services and verify their identities.

In theory, these powers are meant to support criminal investigations. In practice, when they operate alongside centralised biometric databases and systems that link identity across services, they increase the risk of wider surveillance. For example, the Act allows for real‑time collection of digital traffic data, which could be used to monitor identity‑related transactions across government systems and service providers.

The Cybercrimes Act was not designed with citizen‑controlled digital identity in mind. People are generally not notified when their identity data is accessed for investigations. There are no clear limits on how identity data can be reused once accessed, and there is no dedicated oversight body focused specifically on identity systems. These gaps make it difficult for people to know when their data is used and even harder to challenge misuse.

The Promotion of Access to Information Act (PAIA) gives people the right to request information from government bodies. In theory, this could allow citizens to find out what identity data the state holds about them, how it has been used, and whether it has influenced decisions. In reality, PAIA offers limited protection in a digital identity context.

There are broad exceptions that allow information to be withheld for reasons such as national security, law enforcement, or commercial confidentiality. Responses are often delayed far beyond legal deadlines, and appeals can take a long time. Most importantly, PAIA works after the fact. People must already suspect something is wrong before requesting information. It does not offer ongoing visibility into how data is used in real time.

This stands in contrast to countries like Estonia, where citizens can log into a system and see which government officials have accessed their data. Laws designed for paper files and slow processes simply do not work well for fast, automated digital systems where decisions are made continuously.

Institutional Fragmentation Through Overlapping Mandates and Accountability Gaps

South Africa does not have a clear, joined‑up system for overseeing digital identity. Several regulators are involved in privacy, cybersecurity, finance, and technology, but their roles do not fit together neatly. Coordination between them is weak, and no single body oversees digital identity across its life cycle.

The Information Regulator is central to any serious account of privacy governance in South Africa, but its capacity remains materially constrained. With a budget of about R110-million a year and fewer than 120 staff across all its functions in the 2024/2025 financial year, the regulator is inadequately resourced and unable to build the organisational capacity required. For a national digital identity ecosystem involving biometrics, cross-departmental exchange, and potentially private-sector relying parties, this represents very limited oversight capacity. Specific capacity gaps relevant to digital identity oversight include cryptographic systems auditing capacity, expertise in AI and algorithmic systems, and capability in distributed system oversight, thereby reducing the Regulator’s ability to guide alignment with eIDAS 2.0 and other emerging global standards.

The Information Regulator lacks the capacity to oversee complex systems involving biometrics, artificial intelligence, and large‑scale data sharing. It also struggles to develop specialist skills in areas like encryption, AI auditing, and modern digital infrastructure.

The Financial Sector Conduct Authority (FSCA) and the National Credit Regulator (NCR) already manage identity verification rules for banks and credit providers. However, how these systems connect to newer platforms like MyMzansi or MzansiXchange remains unclear. As a result, the most advanced uses of digital identity may remain disconnected from broader governance structures.

This landscape exhibits three interrelated patterns of fragmentation. First, overlapping mandates create grey zones in which no regulator has uncontested authority. Second, even when authority is broadly identifiable, effective oversight may still fail due to resource constraints and limited expertise. Third, formal coordination remains underdeveloped relative to the complexity of the system being built. A digital identity ecosystem is not effectively governed simply because several institutions can each cite a relevant mandate. It is governed effectively only when those mandates are aligned and backed by operational coordination.

Technical Fragmentation From Legacy Systems and Interoperability Challenges

South Africa’s technical systems for identity and data sharing have grown over time, often separately. Connecting them can improve services, but it also increases risk if rules about access and accountability are not agreed first.

The National Population Register (NPR) remains under the exclusive custodianship of the Department of Home Affairs, with the Director-General exercising broad discretion over access and limited statutory avenues for individuals to contest access decisions. The planned upgrade from older systems (HANIS) to the new biometric database (ABIS) may improve technical capabilities, but governance arrangements that place data control in citizens’ hands have not kept pace.

The Smart ID card, introduced in 2013, provides foundational hardware for the digital identity credential. Its technical features include near-field communication, chip-based authentication, and the potential for cryptographic credential storage. However, the governance layer has not developed at a comparable pace. There is no statutory right for citizens to obtain records of who has queried their identity, no mechanism for selective disclosure, and limited recourse where identity data is inaccurate or misused. As a consequence, the Smart ID’s privacy-by-design potential remains largely unrealised. The system is oriented toward security and verification, rather than toward autonomy-enhancing control by individuals.

The Smart ID card introduced in 2013 could support privacy‑friendly features such as selective data sharing. However, there is still no legal right for people to see who has checked their identity, limit what information is shared, or quickly fix errors. As a result, the system focuses on security and verification rather than personal control.

MzansiXchange may help departments work better together, but it also makes mistakes more serious if governance fails. Estonia’s X-Road model demonstrates that secure exchange can coexist with distributed stewardship, logging, and strong agreement-based access rules. But Estonia’s experience also makes clear that this works because data exchange occurs within a settled legal and institutional framework, not because the technology alone guarantees trust. South Africa’s problem is not whether interoperability is desirable. It is whether interoperability is embedded in a regime that clearly allocates responsibility, defines rights, and gives individuals usable visibility into their data, including access to and misuse of it.

Comparative Insights for Coherence

Comparative experience indicates that fragmentation is not inevitable, though it is also not solved by importing foreign models wholesale.

Estonia illustrates the value of coherence by design. Its exchange architecture is built around distributed stewardship, logged access, and a governance culture in which citizens can inspect certain forms of official access to their data. The transferable lesson for South Africa is that this kind of data-sharing technology works best when legal clarity, institutional responsibility, and transparency for users are established together rather than sequentially.

The European Union offers a different lesson. Even highly developed regulatory systems can become too complex, and coherence must be actively maintained. The 2025 Digital Omnibus proposal explicitly aims to simplify overlapping digital legislation, reduce the administrative burden, and harmonise provisions across a wide set of EU instruments. South Africa should take seriously the insight that where multiple digital rules accumulate without careful alignment, both compliance and protection of rights suffer.

The Missing Governance Layer

South Africa’s most important challenge is not merely fragmentation. It is the absence of an integrating governance layer that can align and cohere policy, law, institutions, and technology around clearly stated public values.

System governance would perform four core functions. First, it would provide strategic coordination, ensuring that identity, data exchange, AI, and sectoral reform do not proceed on divergent assumptions. Second, it would provide legal coherence, ensuring that rights recognised in one framework are not hollowed out by exceptions and ambiguities. Third, it would provide institutional clarity by designating lead authority for defined areas and establishing formal arrangements where there are overlapping mandates. Fourth, it would provide technical governance by specifying baseline requirements for logging, access control, data sharing, independent audit, and redress by citizens.

The current development path reflects the opposite dynamic. Strategic fragmentation persists, with policy instruments proceeding from divergent assumptions. Legal fragmentation persists because the general privacy framework has not been translated into identity-specific design rules. Institutional fragmentation persists because oversight capacity is limited and authority is dispersed. Technical fragmentation persists because legacy systems are being connected faster than governance safeguards are being standardised. The result is a structural bias in favour of state control over citizen data.

Addressing Fragmentation

If South Africa wants digital identity to enhance citizen control rather than merely upgrade state capacity, several reforms should accompany its rollout.

First, government should publish a binding digital identity governance framework that sits above individual measures and clarifies the relationship between identity, exchange, cloud, AI, and sectoral compliance.

Second, citizen-facing transparency should be built into the system itself through access logs, clear notice rules, and contestation pathways, rather than left primarily to PAIA-style after-the-fact requests.

Third, institutional roles should be formalised by publicly defining, at a minimum, the lead authority for privacy, identity governance, interoperability assurance, and AI-related oversight in identity use cases.

Fourth, oversight bodies, especially the Information Regulator, need substantially greater technical and organisational capacity if they are to supervise a system of this complexity.

Fifth, the Roadmap’s “no one is left behind” principle should be converted into operational requirements for non-digital channels, assisted access, and alternatives for those who cannot rely on a digital access model.

Fragmentation in South Africa’s regulatory and institutional regime does not just complicate governance. It shapes outcomes. In the end, digital identity reform should not be judged only by faster services or better technology. It should be judged by whether people gain real, enforceable control over their personal information. Without that, promises of citizen control, as set out in the Roadmap, will remain an aspiration rather than become a reality.

Written by Mark Burke, a researcher and advisor with expertise in digital governance, and a focus on public-sector digital transformation. His research interests are digital identity, privacy, and citizenship in the digitalisation of public services. 

Edited by Creamer Media Reporter
