Leader of Opposition in the Kerala Legislative Assembly, MLA Ramesh Chennithala has moved the Kerala High Court challenging the agreement between the Kerala Government and US-based Sprinklr Company for processing of data related to COVID-19 patients.
Chennithala has alleged that the Field Visiting Team of the Local Self Government Institutions are collecting sensitive personal data of all those who are under quarantine at their homes or at various hospitals and is uploading the same on the web servers of Sprinklr, a US based IT Company.
As per the Petitioner, vital sensitive data of more than 1.25 lakh individuals has already been collected and shared with the US Company however, during the process, the Kerala Government suppressed the involvement of Sprinklr from the data providers. Thus it is alleged that the Government has acted in excess of its powers inasmuch as the above exercise has been undertaken without obtaining prior informed consent from such patients.
"It is trite that either the 1st Respondent [Government of Kerala] or any of its officials have no right or authority to execute any contract or agreement or other instruments with any body corporate or any foreign nation waving any of the rights of a citizen, guaranteed under Constitution or under any laws and hence it is ultra vires," the Petitioner contends.
Moreover, it is alleged that the state has omitted to prescribe proper guidelines applicable to data providers and there is nothing in the Circular (Exhibit Performa) issued by the Government in this behalf, to protect the patients from being exploited and misused against their wishes for commercial gain of Sprinklr.
"Absence of any column in the Exhibit Performa regarding the information consent would prove that no voluntariness has been prescribed as a condition precedent for giving sensitive data.
The Exhibits are totally blank without any stipulations regarding the informed consent. Nothing has been provided for protecting any confidentiality in maintaining data. There is nothing in the Exhibit Performa for guaranteeing against any forseable risk, discomfort or inconvenience to the data providers." the plea states.
The Petitioner has further pointed out that the agreement with Sprinklr was executed without seeking approval of the Council of Ministers or other concerned departments of the State including the Law Department, which is empowered to prepare agreements on behalf of the government.
"In the instant case, it is the admitted fact that the 6th respondent has executed Exhibit P-3 and Exhibit P-7 agreements without any authority as required under law and hence the failure to comply with the mandatory constitutional formalities required under Article 299(1) of the Constitution of India has nullified them and rendered void and unenforceable. Over and above, under Part XIX clause 2 (a) of the Rules of Business of Government of Kerala, it is by the Law Department to draft and approve every agreements by or in favour of the Government, without which no agreement could be prepared by any official without the knowledge and approval of the Law Department," the plea states.
Notably, M Sivasankar, the IT Secretary, appearing in media interviews on Saturday, admitted that the opinion of legal department was not taken before the contract, due to the emergency situation.
Through this petition, Chennithala has urged the court to restrain the Kerala Government from uploading any further data on the servers of Sprinklr, apart from quashing the Circular issued to effectuate the agreement, as unconstitutional and ultra vires.
Additionally, the Petitioner has sought that since the COVID-19 patients had to part with their vital sensitive data without their voluntary consent, they are legally entitled to get adequate compensation for the impairment and loss suffered by them.
"Protecting the security of sensitive data of an individual, which is worth rupees crores, is very important because collection, storage and use of large amounts of personally identifiable sensitive data may be potentially embarrassing. If security is breached, the individuals whose health information was inappropriately accessed or altered may face a number of potential harms. The disclosure of sensitive data may cause intrinsic harm simply because private information is known by others. Individual could also experience social or psychological harm due to disclosure of personal health information to strangers. Protecting the privacy of those participants and maintaining the confidentiality of their data have always been a fundamental constitutional obligation of the State," the Petitioner submits.
A similar plea has also been moved before the High Court by Advocate Balu Gopalakrishnan, alleging foul play in the decision of the Pinarayi Vijayan-government to choose the services a foreign-based private company for storing and analyzing COVID-19 data. He questioned the decision to entrust the job with a foreign company, overlooking state entities like the C-DIT and NIC.
The High Court has already sought an explanation from the State Government on the deal, addressing the issues like the foreign jurisdiction clause in the IT contract and the omission to seek sanction from the law department before finalizing the deal.
Meanwhile, the Government has constituted a two-member committee to examine the issues in relation to the deal.
Click Here To Download Petition