In response to concerns raised in the Kerala High Court over the security of COVID-19 data due to the involvement of US-based company Sprinklr, the state government has informed the Court that all such data is now accessible exclusively by the State.
In an affidavit to this effect, the State has submitted that the data is stored only on Amazon Web Services cloud servers managed by the Centre for Development of Imaging Technology (C-DIT).
The affidavit about Sprinklr stated,
“… the complete application and data is being managed in the Amazon web Cloud Server instance of C-DIT and no employee of Sprinklr has any access to any data. The only support which Sprinklr is providing is for any updating of the application based on the functional requirements suggested by the State, if such occasion rises. Even for the same, it is only limited technical access to install and plug in to the software and there is no access to data.”
The Government has stated that while the Amazon Web Services cloud account did not initially have the capacity to host the large volume of data expected to be collected, the C-DIT’s Amazon cloud services account has now been upgraded and the COVID-19 data has been migrated to this space.
The affidavit adds that even though Sprinklr’s proposal included free hosting services, the State Government has decided to keep the data in its own account in spite of the additional cost involved.
Further, Sprinklr has created a separate instance of its application in the C-DIT Amazon Web Services account, meaning that the data collected will be processed only in the C-DIT instance using the Sprinklr application hosted therein, the Government has informed the Court. Effectively, it stated,
“… the Government has now full and exclusive ownership of the data and for analysis of the data, the software of the third respondent, now available with the C-DIT, will be used. Hence, there is no transfer of data to third parties.”
It further informed that the data collected is being stored in encrypted form.
Even prior to this, there was a conscious effort to limit the persons and kind of data being collected and the agreements between Sprinklr and the State contained sufficient measures to guard against any breach.
However, these safeguards are no longer as relevant since all data access now rests with the State of Kerala alone.
Why was Sprinklr approached?
The affidavit states that Sprinklr was engaged as there was a need for the support of a scalable Information Technology system/SaaS to collect and analyse large volumes of data.
This issue had to be resolved in the shortest time possible, as time was of the essence in curbing the COVID-19 pandemic. However, government-owned or controlled entities such as the C-DIT and the Information Technology Kerala Mission were not technically equipped to manage such a large volume of data, and issuance of tenders for technical solutions would have consumed more time.
In this backdrop, Sprinklr showed an interest in working with the Government. It is further stated that the company had experience and capability to process large volumes of data.
This association with the Kerala Government stemmed from conclaves held in the area of technology after reaching out to the global Malayali diaspora to attract investments to the State of Kerala. After a flagship event was held in 2018, several follow-up meetings were conducted, during which the Kerala Government came into contact with Sprinklr, it is stated. The State emphasised,
“The offer by the third respondent (Sprinklr) was looked into and found reasonable (zero cost during COVID 19). It is submitted that the third respondent is also a pro bono partner of the World Health Organisation in developing its COVID-19 Update dash board. There was no other nexus or reason for engaging third Respondent, save and except for the circumstances set out above.”
While stating that the functions being performed by the Sprinklr application are not something that can be managed by the State Government’s institutions, the affidavit added,
“None of the Government Institutions in Kerala are presently capable of doing big data analysis, particularly big data analytics with unstructured data or to offer solutions in the shortest possible time, that the (COVID-19) situation would demand.”
Engagement of Sprinklr was not a single-handed decision
The Government has submitted that the decision to procure Sprinklr’s SaaS application was based on clear consultation and scrutiny within the Electronics and Information Technology Department of the State.
A committee was also constituted for the process with concerned department heads and representatives of the Health Department, the Local Self Government Department and the State Disaster Management Authority. It stated,
“… the actions taken by the Principal Secretary, E&IT Department to sign the document and avail the SaaS application had sufficient scrutiny and consensus on technical and functional requirements being met. The IT Support Team was formed within the Department to take forward the necessary interventions with regard to supporting COVID 19 control activities during lockdown period when the Department Sections were not in the fully functional mode.”
Replying to the contentions that the decision to engage Sprinklr was made bypassing Law Department scrutiny, the Kerala Government highlights that Administrative Department heads are authorised to take decisions for procurement of goods or services where the cost is less than Rs 15,000.
In this case, Sprinklr has offered its application for free for a six-month period. Since the cost involved was zero, there was no need for the purchase to be scrutinised by the Law Department, the affidavit states, adding, “Hence, this is not bypassing of Law Department, but it did not require any consideration with the said (Law) Department at all.”
It is also pointed out that there was neither any drafting or executing of agreement involved nor any financial transaction done. Further, it is stated that the issue of a formal purchase order pertaining to a pro-bono service procurement is within the authority and responsibility of the administrative head of the department.
The affidavit added that the contention that the action taken is bound by Articles 298, 299 and 300 of the Constitution (which pertain to drafting and execution of contracts) does not have any standing.
No scope for use of COVID-19 data collected once pandemic has subsided
The Kerala Government also argued that the concerns regarding the possible breach of COVID-19 data were misplaced for reasons connected to the kind of data collected itself.
In this regard, it is pointed out that five kinds of information have been collected for managing the COVID-19 pandemic in Kerala, i.e.:
- Data related to international travellers;
- Data related to domestic travellers;
- Data related to health workers or people who have contact with patients;
- Vulnerable people data, either self-reported or reported by relatives;
- Data collected by field workers when they visited homes to observe people in quarantine.
The first four kinds of data have been collected through voluntary self-reporting, wherein the persons had been properly informed of how the data would be used for COVID-19 management purposes only.
The contention that persons submitting data online did not have a choice is patently incorrect and misleading, the State asserted. Further, this data was primarily being collected as part of efforts to detect and guard against community transmission of COVID-19.
The fifth kind of data, collected by field workers, is relevant to curb the spread of COVID-19 and to ensure that medical care reaches susceptible people. The information was collected only for such limited purposes from people in isolation who were highly vulnerable to COVID-19, it is stated. Further, it was collected physically, and hence was not within the purview of the IT Act at the collection stage.
The State highlighted that the data collected is of no long-term applicability, and is meant only for the purpose of analysis and action during the pandemic.
The affidavit notes, “… there is no need to retain the data for a very long period, not definitely much beyond the quarantine period. The system has the capability to have the data purged/ destroyed at a specified time interval that can be prescribed.”
“… the data collected was relevant and necessary and does not pose any threat to the privacy or security of the individual. The first respondent (State of Kerala) has however taken note of the inherent privacy rights and limited its actions to reasonable and necessary requirements.”
It added that the allegations of ration card and Aadhaar details being entrusted to Sprinklr are baseless.
Regarding venue of jurisdiction in case of data breach
It is stated that New York had been designated as the jurisdictional venue as part of the standard form of contract.
In any case, it is noted that the COVID-19 data lies in India on C-DIT servers and that “Any data breach or even apprehension pertains to occurrences in India.”
As such, Indian criminal law and the Information Technology Act would apply, the State said. For any breaches on the part of Sprinklr, being an “intermediary”, it is open to both the data principals and the Indian Government authorities to initiate action in India, as “a restriction on jurisdiction for civil action does not limit criminal or regulatory prosecutions or jurisdiction.”
In view of these submissions, the Government has also challenged the maintainability of the writ petitions filed on the issue, contending that they have been moved based on “apprehensions, baseless and unfounded allegations, speculative conjectures and surmises and in some instances with vested interest.”