The Kerala HC directed the State Govt. to inform the Court of the steps taken to ensure that the confidentiality of sensitive medical information shared with New York-based software company Sprinklr is maintained. The Kerala Govt. used Sprinklr's software to manage COVID-19 data of a person in quarantine.
The petition, filed through Adv. Jaykar KS, cited data privacy concerns. The Court was told that the data is collected by Asha workers on mobile applications, and that the information thus pooled is sent to the servers of Sprinklr, which is a private entity.
He also argued that the information is being shared without the consent of the people concerned, that data of 1.5 billion people has been shared so far, and that the data is not being stored on a Government portal. He queried, “Why don’t we keep the data with us (on Government servers)?”
The State counsel submitted “That is a dangerous submission. The medical data is certainly covered… (as sensitive data) …”
The Bench opined that the plea raised a serious issue of whether the data collected by the private entity would be kept confidential. The Bench also asked, “How do you guarantee that the data collected remains confidential in the hands of the third respondent (Sprinklr)?”, while adding that the credit for handling COVID-19 would not be taken away from the Kerala Govt.
The Court also opined,
“We do not want you (State) to upload data unless you can tell us that data is confidential from the third Respondent (Sprinklr) also. We cannot accept a submission that the data collected is not sensitive. If the Kerala Government thinks that the information is not sensitive, something is amiss…”
What is the need for SAAS software when the numbers are low in Kerala? HC asks
“But Kerala does not have that kind of numbers now,” the Court queried. “What is the purpose of requiring a third party server at this time? Why do you require an SAAS, when the numbers are so low?”
The Court also said:
“We are only concerned with data remaining confidential. How will you guarantee us that? Every day you are putting in information…”
The Court thereafter directed the State to obtain instructions and respond later in the day itself on how the confidentiality of the data uploaded would be maintained.
In response, State Counsel S Kannan submitted that engaging an SAAS is required to maintain a large amount of data. He also submitted that around 80 lakh people were being screened, and that it was partly because of such data management that the State was able to control the spread of COVID-19 in Kerala.
It was also submitted that the software was used to analyse the data and that the private entity is barred from accessing that data.
The High Court was not satisfied with the submissions and directed the State to file a response on these issues and other queries concerning the confidentiality of the shared information, emphasising that these concerns must be taken seriously.
The Court said:
“We do not want the COVID epidemic to be substituted by a data epidemic.”
The matter has been posted to be taken up next on April 24.