Amidst the ongoing fight against the coronavirus across the country, the Kerala government is in the dock for breaching the privacy of 1.75 lakh people under quarantine in the state by striking a deal with a US-based tech firm to handle the data compiled from them.

Here are the details regarding the controversial Sprinklr deal, which has caused a huge political row in Kerala:

What is Sprinklr deal controversy?

The Communist-ruled Kerala government had inked a deal with a SaaS (Software as a Service) company named ‘Sprinklr’ owned by a Kerala expatriate Ragi Thomas. The company offers various marketing, advertising and customer engagement services to its clients.

The current controversy pertains to the personal health data of people of Kerala, where the first novel coronavirus case was reported in the country. The data of more than 1.75 symptomatic patients were allegedly collected and was transferred to a private company – Sprinklr.

- Advertisement -

The data collected had personal information of 1.75 lakh people of the state under quarantine, including details of their symptoms and health conditions. The data was compiled by the grassroots level workers of the state using a tool developed by Sprinklr. The data was supposed to be used to assist doctors and medical officials in making an informed choice about possible hospitalisation.

Allegations of data scam

The Congress party, which is the opposition party in the state, had accused Pinarayai Vijayan government of indulging in a data scam by pointing out that this data transfer to Sprinklr had no clearance from any state government department

Congress leader Ramesh Chennithala, the Leader of the Opposition in Kerala, had accused Pinarayi Vijayan of allowing Sprinklr to collate and handle the health data of around 1.75 lakh people under quarantine without taking their consent.

According to the veteran Congress leader, the government did not follow due procedures in appointing Sprinklr. Chennithala alleged that the Kerala government risked the transfer of crucial health data of the citizens to pharmaceutical companies.

He had questioned the intent of the government to take services of a US-based private firm when there were institutions like the Centre for Development of Imaging Technology (CDIT) and Kerala State IT Mission to do the same work. Chennithala had said the decision was taken unilaterally by chief minister Pinarayi Vijayan without obtaining clearances from departments like law, local self-government, health and finance.

Kerala govt’s poor defence

The chief minister, who handles the IT department, which signed the deal with Sprinklr, initially declined to react to the issue. However, as the opposition parties began to protest, the government defended the decision by claiming that the company offered the tool for free as SaaS.

The Pinarayi Vijayan government claimed that the firm was owned by a Keralite who wanted to give back to the state for the service offered by the state to his father who is in Kerala. The IT department said the data was being collected on a massive scale and therefore needed the intervention of an app which can collate it quickly and help analyse it.

Later, due to the public pressure, the government released documents in connection with the contract it signed with Sprinklr on April 2. The documents included the purchase order form, service agreement, privacy policy of the company and a non-disclosure agreement. According to the documents the data belong to the Kerala government.

Sprinklr controlled the data

Initially, the Sprinklr company had control over the data collected from the citizens of the country. The data was stored on the website ‘citizencenter.sprinklr.com’ at first. As allegations of a data scam emerged, the Kerala government changed the domain named for the entry of data to ‘citizencenter.kerala.gov.in’.

One of the main criticism against the Kerala government is that there was adequate time for the government to complete the due process, including legal and financial vetting, and also escalate it with the health and disaster management departments. However, the government did not do it.

Most importantly, there was not even a tender called, instead, Sprinklr was singularly appointed for the task. Since the exercise involves confidential data of thousands of people, questions are being raised regarding the lack of transparency of the deal.

Petition in Kerala High Court

A PIL was filed in the Kerala against the Sprinklr deal. Congress leader Ramesh Chennithala had filed a plea alleging that the contract that the Kerala government entered in with the American company has little or no safeguards against the commercial and unauthorised exploitation of the data.

In his plea, Chennithala had alleged that a large amount of private data of citizens of Kerala was handed over to a foreign company, thus amounting to a breach of privacy.

Responding to Chennithala’s concerns on privacy, the Kerala government stated that the government takes full responsibility for the protection of data. The councel had added that the available protective systems make it impossible for Sprinklr or anyone else to breach confidentiality or to deal with the data “surreptitiously or maliciously,” and that control of all the data has been given to the Kerala government.

High Court’s direction Kerala government

After hearing the petition, the Kerala High Court had stated that it will not be issuing any orders to obstruct the government’s efforts against tackling corona. However, the court stated that since no data is currently available with Sprinklr, all remaining or secondary data should also be entrusted back to the Kerala government.

Issuing an interim order, the two-judge bench ordered the Kerala government to anonymise all the data that have been collected from the citizens with respect to the coronavirus epidemic. It also ordered that Sprinklr shall be allowed to have access to this data only after the process of anonymisation is completed.

The court said that every citizen, from whom data is to be taken in future, must be informed that their data has been collected and is likely to be accessed by Sprinklr or any other third party and their specific consent must be taken.