Kerala Government put up a stout defence of the Sprinklr deal in the High Court on Thursday arguing that it had strong data protection clauses. The government once again emphasised that no sensitive information was being collected.
The government, in an affidavit filed in the High Court, also said the government had roped in a big data analytics company like Sprinklr in late March, just when it looked like things would go out of control. Now with more than quarter of non-resident Keralites about to return after May 3, the government said Sprinklr's services had to be persisted with.
It was also submitted that there was no need to go to New York if at all there was data breach. Since the data is stored inside the country, the government said all data protection laws in the country would be applicable to the deal.
Sprinklr deal flawed, no protection to data privacy: Central Govt
Despite Kerala government's strong defence, the Centre has come heavily of them citing that the deal was flawed and that data privacy could not be ensured.
In an affidavit submitted to the High Court, the Union IT department questioned the state government's decision to overlook several government-owned and government-controlled entities like the C-DIT and Information Kerala Mission. It also pointed out that there were central agencies like National Informatics Centre capable of handling the task that was entrusted to the US firm.
The affidavit also indicates that the agreement Kerala government made with Sprinklr dilutes the rights of the people. It said that the contract does not specify the amount of compensation that individuals should receive in case of breach of privacy or misuse of information.
The affidavit also says that it was not clear whether the information was collected and handed over to the data analytics firm with the full consent of the patients (suspected and otherwise). It said that it was advisable to always analyse confidential data through government agencies rather than private firms.
Why was Sprinklr chosen
Scary prognosis by the middle of March was one of the reasons. By March 16, when worldwide deaths crossed 6,600, the crisis Management Group of the government found that there was a possibility of a sudden spike in the numbers in Kerala. By then various study reports were putting out explosive numbers worldwide.
The first Kerala-specific study, which was done by a group of experts associated with the Centre for Disease Dynamics, Economics and Policy, John Hopkins University and Princeton University, was released on March 24. According to this report, about 80 lakh people in Kerala would be affected with COVID-19 between March 28 and April 25.
The daunting nature of data collection was revealed when traveller lists were sought to be compiled. The physical handwritten forms collected from passengers were one source of data. But the government argued that this was insufficient as there were data gaps with respect to port of origin and residential address. So, passenger manifest from Airline companies were requested. But, each airline had a different format and data aggregation was difficult.
Though, finally, information was obtained from Bureau of Immigration, cross checking the same with passenger manifest or the arrival forms was virtually impossible with around 1.5 lakh records to verify. “This was a instance where it was felt that the situation could be handled efficiently and speedily by a big data handling framework which can be quickly customised,” the government said.
There was also the SoS calls from various channels of communication – chats, sms-es, emails, WhatsApp and Twitter – to be made sense of. The government said at least 30 per cent of distress calls came from the traditional land phones. “Such duplication of communications creates confusion and makes tracking the needy difficult,” the government said.
At this point, a multichannel communication network, which could handle volumes of structured and unstructured data and pass on to supporting Information Technology systems, was necessitated. There were no available alternatives within the government framework. “ The government owned and controlled entities like the C-DIT and Information Kerala Mission are not technically equipped to manage such large volume of data,” the government said.
And the issue had to be resolved in the “shortest possible time”. The government said any invitation for tender would have been time-consuming. Even ascertaining the pre-qualification criteria would have taken two weeks. “Even a day's delay would have been fatal.”
Sprinklr, it was said, was selected primarily to ensure support under two scenarios. One, a large inflow of people from other parts of India and abroad once the lockdown is relaxed, and two, in case there is a sudden spurt in the virus spread.
Why is data collected not sensitive
Four types of data - related to international travellers, domestic travellers, health workers or people who have contact with patients, and vulnerable people - are collected through an online voluntary self-reporting process. The user is properly informed in the terms and conditions that the data will be used for COVID purpose only, the government submitted.
The fifth set of information, data collected by field workers, is collected only from people in isolation who have high vulnerability for COVID-19. This is taken manually, and therefore does not fall under the Information Technology Act physically.
“Information regarding medication for other illnesses such as blood pressure, diabetes is taken because it has been empirically established that the virus has a high morality rate among persons with such pre-existing diseases,” the affidavit said.
Further, it was submitted that questions regarding diseases were intended to gather only generic names of diseases and not the degree of severity. It also wanted to know what aspects of these information were “sensitive”.
There are sufficient data protection clauses in the agreement that will give the government complete control and right over the data, the affidavit said. “No data will also be available to Sprinklr after the termination of the agreement,” it said.
The government further submitted that data would be protected in all stages; during transit, storage and processing.
It was also said all data were now uploaded on citizencentere.kerala.in, though it was initially in citizencentre.sprinklr.com. The data is stored in Amazon Cloud in Mumbai, and is also in encrypted form.
The data is also kept in C-DIT's Amazon cloud server after its capacity was augmented to handle large volumes of data. Even though Sprinklr had offered to host the data free in its server, the government submitted that it had decided to keep the data in its own server even though additional expenditure was involved. Sprinklr's platform is also now hosted in C-DIT's cloud server.
Why big data analysis persisted with even now
The government argued that it was too early to conclude that the worst is over. “Any sense of complacency will prove dangerous and incalculably costly to the state,” the affidavit said. I was submitted that the real figures would be known only after the lockdown was lifted and international and domestic flights and trains were allowed.
The government said Kerala now has to prepare for triple issues: one, another phase of COVID-19 outbreak when the lockdown is relaxed; two, seasonal infections during the imminent monsoon like fevers and flu; and three, possibility of a third consecutive flood.
Jurisdiction of New York courts
The government said the choice of jurisdiction, in New York Courts, is a standard form of contract for companies like Sprinklr based in the US. “The government has negotiated a very viable agreement ensuring both legal and technical security of the data being collected and processed,” it said.
Further, it was stated that penal action could be taken if there was a breach of contract as the deal fell within the purview of the IT Act. It was argued that in the event of a violation, it was open to both the public whose data had been collected and also the government to initiate action in India.
“A restriction on jurisdiction for civil action does not limit Criminal prosecutions or jurisdictions,” it said. Meaning, Kerala has to approach a New York court only to settle civil matters, and not for criminal prosecution.
It was also contended that since the data was localised (kept in the Amazon web Services (AWS) servers in India) all the laws of protection of data in the country was applicable to this deal with Sprinklr.
Why was the Legal Department bypassed
The government argued that this was just a purchase order related to the buying of a readymade software. “The head of the Administrative Department has the full authorisation for issuance of a purchase order for goods or services with price less than Rs15,000. In this case the service is offered on pro bono (done for free) basis and hence there is no cost involved,” the government submitted.