MLA Ramesh Chennithala, Leader of Opposition has moved the Kerala HC challenging the agreement between the Kerala Government and US-based Sprinklr Company for processing medical data of COVID-19 patients in the state.
As per the Petitioner, vital sensitive data of more than 1.25 lakh individuals who were either under home quarantine or at various hospitals has already been collected and shared with Sprinklr, a US based IT Company. However, none of the data providers were informed about the involvement of the above by the Kerala Government and hence the Government has acted in excess of its powers as it failed to obtain prior consent from such patients.
The petitioner stated,
“It is trite that either the 1st Respondent [Government of Kerala] or any of its officials have no right or authority to execute any contract or agreement or other instruments with anybody corporate or any foreign nation waving any of the rights of a citizen, guaranteed under Constitution or under any laws and hence it is ultra vires.“
Moreover, the Circular (Exhibit Performa) issued by the Government does not provide any specific guidelines applicable to data providers, nor does it protect the patients from being exploited and misused by Sprinklr.
The plea contends,
“Absence of any column in the Exhibit Performa regarding the information consent would prove that no voluntariness has been prescribed as a condition precedent for giving sensitive data.The Exhibits are totally blank without any stipulations regarding the informed consent. Nothing has been provided for protecting any confidentiality in maintaining data. There is nothing in the Exhibit Performa for guaranteeing against any forseable risk, discomfort or inconvenience to the data providers.“
The Petitioner also pointed towards the fact that the agreement with Sprinklr was executed without seeking approval of the Council of Ministers or other concerned departments of the State including the Law Department, which prepared agreements on behalf of the government.
It added, “In the instant case, it is the admitted fact that the 6th respondent has executed Exhibit P-3 and Exhibit P-7 agreements without any authority as required under law and hence the failure to comply with the mandatory constitutional formalities required under Article 299(1) of the Constitution of India has nullified them and rendered void and unenforceable. Over and above, under Part XIX clause 2 (a) of the Rules of Business of Government of Kerala, it is by the Law Department to draft and approve every agreements by or in favour of the Government, without which no agreement could be prepared by any official without the knowledge and approval of the Law Department.“
Notably, M Sivasankar, the IT Secretary, appearing in media interviews on Saturday, admitted that the opinion of legal department was not taken before the contract, due to the emergency situation.
The petitioner has sought that the court quashes the circular issued by the government as ultra-virus and unconstitutional and further restrains the Government from further uploading any data on the servers of Sprinklr.
Petitioner has also sought compensation for all the patients who had parted such sensitive medical data without their voluntary consent.
The plea states, “Protecting the security of sensitive data of an individual, which is worth rupees crores, is very important because collection, storage and use of large amounts of personally identifiable sensitive data may be potentially embarrassing. If security is breached, the individuals whose health information was inappropriately accessed or altered may face a number of potential harms. The disclosure of sensitive data may cause intrinsic harm simply because private information is known by others. Individual could also experience social or psychological harm due to disclosure of personal health information to strangers. Protecting the privacy of those participants and maintaining the confidentiality of their data have always been a fundamental constitutional obligation of the State.“
A similar plea has also been moved earlier before the High Court by Advocate Balu Gopalakrishnan who questioned the decision of the government to entrust the job of storing and analysing COVID-19 patients data to a foreign company, overlooking state entities like the C-DIT and NIC.
The High Court has already sought an explanation from the State Government on the deal, addressing the issues like confidentiality of sensitive medical information shared with the New York based company .