Sprinklr Deal Ensures Data Security; COVID-19 Exigency Necessitated Extraordinary Steps : Kerala Govt To HC [Read Statement]

Defending the controversial Sprinklr deal to process COVID-19 data, the Kerala Government has filed a statement in the High Court of Kerala stating that the contract with the US-based tech company has adequate provisions to ensure data security.

The Government has also explained that the contract was entered into a situation of health emergency created by apprehensions of large outbreak of COVID-19 cases in Kerala. Referring to a study report released by health experts of John Hopkins University on March 24, it is stated that there was an estimate of about 80 lakh COVID-19 cases in Kerala between March 28 and April 24.  The assessment by the State Disaster Management Authority also endorsed such estimate.

"The crisis management group of the Government was faced with a dangerous situation like never before, unique by the sheer volume of threat", said the statement filed by V Manu, Senior Government Pleader.

Explaining the need for the software services, it was stated that during crisis times, there will be multiple SOS calls through various channels, leading to data duplication which makes relief work delayed and difficult.

"In these circumstances, a multichannel communication network, which could handle volumes of structured and unstructured data and pass on to supporting information technology systems, was necessitated", the affidavit stated. The Government entities were not equipped to deal manage such large volumes of data.

"The issue had to be resolved in the shortest possible time and the circumstances necessitated extraordinary steps on behalf of the government. Any invitation for tender would have been time consuming in so far a technical committee ought to have ascertained the pre qualification criteria, for which at least two weeks would have been necessary; then a pre-qualification bid had to be called for, then technical bidding process would have to be undertaken; then pre-bidding would have to be held, and then selection would have to be made, all these processes consuming another month. Time would have taken for grant of administrative and technical sanction. The Government, on account of the alarming situation, had no time to spare. Even a day's delay would have been fatal", the 83-page statement read.

As regards Sprinklr coming into picture, the Government said that it was already in talks with the company since 2018, as part of its initiative to reach out to Global Malayalee diaspora. It was stated that during the early COVID-19 days, the company offered to help free of cost, and the offer was found to be reasonable and suitable, having regard to the company's association with several global players. It was highlighted that Sprinklr was a pro bono partner of the World Health Organization in developing its COVID-19 update dash board.

"In these emergent circumstances, where time was of the essence, the third respondent was chosen. It will not be feasible for a Government agency to develop such scalable platforms and solutions in a very short period of time. Further, the Government is not in a position to carry out any experiments or take any risks on account of the extra ordinary situation prevailing due to the pandemic. The need of the hour has necessitated the steps now taken by the Government".

"Policy decisions taken by the executive in such a dire situation with the help of experts cannot be said to be arbitrary or subjected to the same level of scrutiny as in ordinary times, as long as the action was necessary and proportionate to achieve the intended purpose", the Government asserted.

On data protection

The Government asserted that data of COVID-19 patients and their primary contacts in surveillance collected by field level workers was safe and secure within the services offered by Sprinklr.

During initial testing, the data was stored in the subdomain of Sprinklr, and was later migrated to the subdomain of Kerala government. The data is stored in encrypted form in the Amazon Cloud Server located in Mumbai in the account maintained by C-DIT, which was upgraded to handle the huge voluminous data. Amazon Cloud Server services are approved by the Union Ministry of Electronics and Information Technology.

"It is submitted that the Government has now full and exclusive ownership of the data", the statement said.

The Master Services Agreement has standard clauses for data security as per established industry practices.

"The above clauses indicate that there are sufficient protections with respect to any data that the third respondent may have access to. It not only gives the Government, as opposed to the third respondent, full control and right over the data of the people, but also obligates the third respondent to take appropriate measures to protect such data. There is a prohibition on the third respondent for using the data for purposes other than for the need intended and from sharing it with third parties without consent. It is also envisaged that no data will be available to the third respondent after the termination of the agreement. Hence, there are adequate protections to ensure that there is no possibility of any misuse or commercialization of the data by the third respondent", the statement said.

Big Data Analysis necessary even now

Responding to the query raised by Justice Devan Ramachandran on Tuesday regarding the necessity of using Big Data anaylsis tools after the COVID-19 cases in the state coming low, the Government stated that it was "wrong and premature" to conclude that the pandemic has abated.

The Government said that any "complacency will prove dangerous and incalculably costly to the State" and stressed on the need to maintain constant vigil.

"It will be suicidal to think that the flattening of the curve of the epidemic incidence has stabilized", said the government to buttress the need for continuing Big Data analysis.

Jurisdiction of New York courts

The Government stated that the choice of jurisdiction as New York was a standard form of contract of the company.  The terms were agreed keeping the best interest of the State, i.e the urgent need for effective IT tools to combat pandemic.

It was further stated the criminal jurisdiction under Information Technology Act 2000 does not stand excluded due to the foreign jurisdiction clause, as the data resides in India. Section 75 of the IT Act was referred in this connection. Hence, the Government claimed that the data principals (the individuals) and the state government have penal remedies available within India in case of any breach by the company.

On bypassing law department's sanction

As regards this query, it was stated that the arrangement was akin to the issue of a purchase order to avail the service of a ready made software application.  As per rules of procedure of the government, the head of the administrative department has full authorization to issue a purchase order for goods and services with price less than Rs. 15,000. Since there was no cost involved in the Sprinklr deal, there was no requirement to seek the sanction of law department.

Reasonable restrictions on right to privacy

Referring to K S Puttaswamy judgment, the Government stated that the right to privacy can be subjected to reasonable restrictions to achieve a "legitimate state object".

Reference was also made to Section 12 of the proposed Personal Data Protection Bill, which empowers state to process personal data without consent of the individual to respond to any medical emergency.

The data collection is also justified as per the emergency provisions of the Disaster Management Act 2005 and the Kerala Epidemic Diseases Ordinance 2020.

The Government also cautioned that any interference with the data processing tools at this juncture might endanger the pandemic control situation.

"Any restraint or delay in deploying the Information Technology tools or methodologies being formulated by the first respondent will materially and irreversibly harm the health, well-being and lives of the citizens and residents of Kerala", the statement said.

The Court was also told that the Government has constituted a two-member expert committee to examine the concerns over the Sprinklr contract.

Click here to download statement

Read Statement