Kerala Govt's Tie-Up With IT Startup For Covid-19 Management Raises Privacy Concerns

M. Sivasankar, the principal secretary of the IT department and CM Pinarayi Vijayan바카라�s private secretary, says, 바카라�I exercised my discretionary powers to enter into an agreement after examining it in minutiae. Among the various stakeholders, there was a consensus that a robust technology platform was the need of the hour. It was my decision to choose Sprinklr and I will rectify any error that is a result of my decision.바카라� He adds that the law department바카라�s permission was not required for the purchase order. Sivasankar did not disclose whether the CM, who also holds the IT portfolio, was aware of the details of the deal. Opposition parties, however, claim he possessed no such discretionary power. They allege that he is being made a 바카라�fall guy바카라� to shield the government, and the CM in particular, from further criticism.

On April 10, leader of Opposition Ramesh Chennithala raised concerns over privacy and ownership of data collected by healthcare workers from about 1.75 lakh people. He has since ramped up the rhetoric, going so far as calling Vijayan the 바카라�prime accused바카라� in the case. On April 16, BJP state president K. Surendran met governor Arif Mohammad Khan to seek his intervention in the row. Speaking to reporters later, he termed the deal a 바카라�Rs 500-crore scam바카라�. Chennithala바카라�s valuation differed slightly. Although he first pegged it at Rs 200 crore, he now claims the firm바카라�which, he alleges, is 바카라�blacklisted바카라� in the US due to an ongoing data theft court case바카라�could sell the information stored on its Mumbai servers to pharmaceutical companies for anywhere between Rs 10,000 and Rs 75,000 a person.

A senior IT professor from a reputed tech institution in the state says, 바카라�Neither has been especially successful in convincing the public. The layperson is likely to believe that the Opposition, in targeting the Malayalee-led unicorn (Sprinklr, valued at $1.8 billion in 2016, was founded by Ragy Thomas, a native of Alleppey), is simply making political hay out of something imaginary.바카라�

Vijayan, for his part, has been weathering a barrage of queries at his daily press briefs on the COVID-19 crisis. His decision on April 16 to hold the briefings every other day바카라�ostensibly a result of the improving situation in the state바카라�has the Opposition smelling blood.

Regardless, the government stands by the IT department바카라�s initial press note released on April 13, which states, 바카라�The huge amount of data being inputted on COVID-19 cases is unstructured and comes in a variety of formats. It needs to be analysed on the fly to ensure help is dispatched right away to where it is most required. Since Sprinklr offers an excellent SaaS (software as a service) application to handle this, the government had agreed to accept the software service. The government owns all the information collected through the application.바카라�

As to the type of data being fed into the software, the note states that the details of overseas arrivals to Kerala; domestic tourists and arrivals from other states; health workers interacting with patients and suspected cases; and those most susceptible to contracting the disease are being collected. Health workers were also entering updates about those under observation. The statement added that while all this information was initially passed on to the sub-domain, citizencentre.sprinklr.com, this later changed to citizencentre.kerala.gov.in.

In response to the Opposition바카라�s queries as to why the department-run Centre for Development of Imaging Technology (C-DIT) servers were not used, the statement notes, 바카라�While C-DIT has an Amazon web server cloud account, it is not equipped to handle such a large volume of data yet. Once it is upgraded, all the data will be transferred from Sprinklr바카라�s Amazon web server cloud in Mumbai. Currently, the SaaS app can work completely only on this server.바카라�

Besides the press release, the Kerala government has made public the order and purchase form, Sprinklr바카라�s master services agreement, a non-disclosure agreement, Sprinklr바카라�s service level agreement, its privacy policy and two versions of a letter of affirmation sent via email from Sprinklr바카라�s general counsel Dan Haley to Sivasankar. The media has picked apart these letters바카라� the 바카라�revised바카라� letter (dated April 12) is reportedly less assertive and more accessible in terms of legalese, language and tone than the letter dated April 11.

The revised letter also notes, 바카라�Kerala at all times retains all rights to and responsibility for customer data uploaded to or accessed by the Sprinklr platform. This means that any and all data used for provision of the Sprinklr platform that is obtained by Sprinklr, including all citizen data accessed or obtained by Sprinklr from Kerala or directly from citizens, belongs to the government and/or citizens. Upon termination of Kerala바카라�s use of the platform, or at any time upon Kerala바카라�s request, all customer data will be removed from the platform and retained by Kerala. Nothing in this relationship gives Sprinklr any rights to such data, other than to provide the platform as agreed with and instructed by Kerala.바카라�

A COO of a Kerala firm that works with healthcare tech says, 바카라�From a cursory reading, the terms of the agreement appear to be general clauses applicable to any SaaS-related activity requiring a degree of trade-off between user privacy and product viability and operability. How it will be enforced (the non-disclosure agreement states that any dispute would fall under the purview of a Manhattan court) is another matter. The language used is not exactly watertight. This is important because while issues of data ownership and privacy are enshrined in stringent laws overseas, the inside joke in tech circles here is that anything goes 바카라�kyunki SaaS bhi kabhi BAU (business as usual) thi바카라�.바카라�

In the absence of dedicated data protection legislation바카라�a joint parliamentary committee is still analysing the Personal Data Protection Bill 2019바카라�it remains to be seen how a PIL filed before the Kerala HC on April 17 seeking a probe and forensic audit by the Union ministry of electronics and information technology (MeITY) into the Sprinklr deal and collected data of COVID-19 patients will pan out. Among other concerns, the petition echoes the Opposition바카라�s charge that the Kerala government did not seek permission of patients as to who can access their data. Slated to come up for a court hearing, it is expected to further add to the wider dialogue on individual privacy vis-a-vis public interest바카라�besides the raging global debate on surveillance regimes바카라�rekindled by the Union government바카라�s 50-million-user-strong Aarogya Setu contact tracing app.

Among those closely following the PIL is Prem Kamath, a Kochi-based cyber-law consultant. Speaking to Outlook ahead of the PIL filing, Kamath said there existed sufficient grounds for an RTI query and PIL to be brought forward. 바카라�This is a transition period of data protection laws here. We have some checks and balances with the Information Technology Act, 2000, specifically section 43(a) that refers categorically to cases where there is failure to protect data. In addition, there are the MeITY바카라�s Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, that classify the types of sensitive personal data to rely on,바카라� explains Kamath. 바카라�In any potential court proceedings in this case, the Indian Contract Act (1872) would be in play since there is an agreement between the two parties, but the IT Act and Rules would play crucial parts.바카라�

바카라�Many high-profile lapses in data protection in recent years, such as the UIDAI leak, have dented the average citizen바카라�s confidence in data collection authorities바카라� says Kamath. 바카라�Data is volatile. It is the goldmine of the digital age. If citizens바카라� data isn바카라�t safe with the government, who is it safe with?바카라�

By Siddharth Premkumar in Thiruvananthapuram