Kerala High Court raps state govt on IT deal with US firm for processing COVID-19 patients' data

Kochi: The Kerala High Court on Tuesday took potshots at the state government’s IT contract with a US firm for processing data related to COVID-19 patients and directed it to file a statement by April 24 on the details of the deal.

Considering a plea seeking quashing of the state government’s contract with the US-based IT firm Sprinklr, the High Court sought to know as to why foreign jurisdiction was included as a clause in the deal for adjudication of possible disputes.

Expressing concern over the confidentiality of the citizen’s data processed by a third party, a division bench comprising Justices Devan Ramachandran and T R Ravi also sought to know why the sanction of the law department was not taken before finalising the agreement.

The court hailed the state government’s fight against the pandemic but said it was concerned about the data confidentiality.

It also directed the government to explain the reason for engaging a foreign firm for such works when there are government IT wings to do such jobs.

Noting that a citizen is not privy to the deal signed between the state government and the foreign company, the court observed that the state government will be held as responsible, if the firm misused the data.

The court also asked why the contract was not referred to the law department before signing it.

When state government counsel said the data collected did not constitute sensitive personal information, the bench said data confidentiality in the present world is the most important.

The state government said the agreement with the Sprinklr has safeguards for data protection in accordance with the standard practices of software as a service models.

In his plea, petitioner Balu Gopalakrishnan said he was concerned about the manner in which the data regarding the COVID19 patients in the state are collected, stored, analysed and retrieved.

The state government had entered into a contract with the IT company based out of the US, owned by a non resident Keralite, wherein the data of suspected and actual patients of the COVID-19 virus will be collected using government machinery and is uploaded to the foreign firm’s web server on a daily basis.

The IT company in turn will provide actual data to the State machinery after analysis, for better understanding and treatment of the pandemic.

The petitioner said only concern is whether the data stored in the web server of company is safe and whether it can be used by the company for monetary gains.

“Even if there is a non-disclosure agreement between the parties, how can a violation of the agreement be penaly enforced upon a foreign company and whether it will be effective.

The IT department of the state cannot feign ignorance of the perils of data theft and answer questions flimsily and callously,” the petitoner said.

More than 1.5 lakh sensitive medical information of the COVID-19 patients are uploaded on a daily basis, till today, the petitioner alleged.

Noting that the government agencies are well equipped to deal with the storage of data, the petitioner sought to know why did the state prefer the foreign company for storage of sensitive information.