While most of the public’s attention remains targeted at the Central Government’s push to drive adoption of the Aarogya Setu app, we must remain vigilant when it comes to state level uses of health data during COVID-19 as well. The controversy surrounding the contract between the Government of Kerala and Sprinklr Inc. is being addressed by the Kerala High Court in the ongoing matter of Balu Gopalakrishnan and Ors. v. State of Kerala and Ors. The main questions raised pertaining to there being no safeguards against the commercial and unauthorized use of the health data of the citizens of Kerala by Sprinklr Inc. While an interim order dated April 24, 2020 provides some relief, it fails to address certain key issues. IFF has shared a representation with the Government of Kerala and an Expert Committee formed on the issue. In it, we have pointed out the lacunae in the order and have made specific suggestions on how best to resolve them. Our main recommendation is, in keeping with the ideal of competitive federalism, the Government of Kerala should develop a state level framework to regulate the collection, processing, storage, and security of health and related data during epidemic situations under the Epidemic Diseases Act, 1897.
What was the issue with Sprinklr Inc.?
The Government of Kerala’s contract with Sprinklr Inc., a US based company, aims to create an online digital software/platform to process and analyse data of patients and those vulnerable/susceptible to COVID-19 in the State of Kerala. The arrangement aims to set up a Data Analytics Platform which integrates data from repositories across the Government, agencies and from the field so as to meet the exigency of a massive influx of data due to the pandemic.
The controversy arose when allegations were made that the government did not follow due procedures in appointing Sprinklr and thereby risked the transfer of crucial health data of thousands of people to pharmaceutical companies. While this is a valid concern, it also highlights the lack of governance discourse related to fundamental risks to people’s privacy which should have been a principal consideration while determining contours of the arrangement. The Contract between the two parties fails to address these risks.
More specifically, the accompanying Non-Disclosure Agreement between the parties, states that the purpose of the contract is that, “the parties wish to explore a business opportunity of mutual interest and benefit”. This demonstrates a desire to keep available an opportunity to commercially exploit people’s sensitive personal information like their health data. Any such commercial use however can only be done after a system of legislative and independent institutional oversight is put in place. Such institutional oversight is lacking currently.
What did the Kerala High Court do?
The Kerala High Court to its credit did highlight that maintaining data confidentiality is key when processing the health data of citizens of the State. The Court has issued an interim order dated providing some intervening relief to citizens even as it deliberates on the issue. These are:
- It mandated that a process of anonymisation be followed before sharing this data with Sprinklr Inc.
- The Order directed that such data be shared with Sprinklr Inc. only after informing every citizen from whom the data is collected and obtaining specific consent from them.
- The Order injuncted Sprinklr Inc. from breaching the data confidentiality of the data obtained from the citizens of Kerala and ordered them to not disclose the data to any third party.
- The Order instructed Sprinklr Inc. to transfer back the data once the term of their contract with the Government of Kerala is completed.
- The Court injuncted Sprinklr from advertising or representing or holding over to any third party/person/entity – of whatever nature or composition – that they are in possession or have access to any data regarding COVID-19 patients or persons vulnerable/susceptible to it.
However, there were some issues that the High Court failed to address, the most important of which is the auditability of their Order. In our representation, we have highlighted the lacunae in the HC order and in the Contract between the Government of Kerala and Sprinklr Inc.
The Situation in the United Kingdom is similar and we can look to how Civil Society Organisations have addressed this there to create a solution
On May 18, 2020 civil society organisations, privacy advocates and academic researchers including Article 19, Liberty, openDemocracy and Privacy International wrote a joint letter to the UK Health Secretary’s office. In particular the letter addressed a March 2020 announcement by the UK’s National Health Service to grant private-sector tech firms access to the aggregated health data of millions of UK citizens towards building a datastore collected to specifically respond to the coronavirus.
In it these disparate stakeholders urged the NHS to suitably clarify to the public, the following aspects, before commencing the development of the datastore:
- What is the need for such a solution? What problems does such an arrangement aim to solve by building the datastore? What alternatives have been explored?
- How is the datastore financed? Has the NHS considered the trade-offs? What do these considerations look like?
- How does this proposal shift the balance of power from the public to the private sector?
- Who has control over the data in these public private partnerships ? Who is most at risk and how are they protected?
- What is the exit strategy? For what duration is the data collected and what happens when that period ends?
- If the exit strategy depends on the pandemic ending, then what criteria are used to determine when the pandemic is indeed over? (i.e. when is the promised destruction of the datastore triggered?)
- What public facing documentation do you intend to provide describing this datastore and the various data sources?
- Will further use of the datastore by the Department of Health Care Services, or its partners, outside the scope as currently defined, be communicated with the public?
- What party do you intend to use for privacy compliance and security auditing of the system
The situation in the UK is similar to the current situation in Kerala where Sprinklr Inc. has been entrusted with the health data of the citizens of Kerala. In particular, in the current instance data has been shared with a private party, not even located within Kerala, towards building an unknown software/analytics platform, which may even be leveraged for commercial use.
Constitutional Federalism is the need of the hour
In an op-ed, Mr.Raman Jit Singh Chima, who is also the Chair of the IFF Board of Trustees, has pointed out that the ideal of federalism which is enshrined in the Constitution of India is being undermined by Disaster Management Act, 2005 notifications being issued by the Ministry of Home Affairs. “Much of what the Ministry of Home Affairs is issuing in its orders under the Disaster Management Act impacts the powers of states and local bodies, as well as the fundamental rights of citizens.”
“Among the exclusively delineated areas of legislative and executive competence of States is the power and responsibility of public order and police.” Additionally the competence to legislate on matters relating to public health including collection and processing of health data is contained in the State List under the Seventh Schedule of the Constitution of India. Keeping these factors in mind, we believe that the Government of Kerala should create a state level framework to regulate their collection, processing, storage, and security of health and related data during epidemic situations passed through Epidemic Diseases Act, 1897. This may be done by issuing regulations on the same under the state government’s powers under the same act.
We believe this presents the Government of Kerala with an opportunity to pass a framework which can allow for the responsible use of health data through ICT systems during epidemics/health crises. The framework may be applicable to both government actors and private parties as well. It would allow for adequate legal and institutional safeguards which suitably protect people’s privacy, whilst creating a legal pathway for data-side and tech based interventions as well.
Final recommendations by IFF
Finally, aside from the urgent need for a regulatory framework as indicated above, we urged the Government of Kerala to suitably address our various concerns with its arrangement with Sprinklr Inc. as detailed throughout the representation. In particular we urge them to:
- Application of the Kerala HC order should be verified by creating transparent systems of audit.
- The Kerala Government should prescribe a clear date of termination of the Contract with Sprinklr. They should also prescribe clear guidelines which can act as Standard Operating Procedure upon termination of Contract for complete extraction of data from Sprinklr.
- Adherence to best practices principles for collection and processing of health data which include currently existing frameworks such as the GDPR and the Supreme Court’s decision in Justice K.S. Puttaswamy vs Union of India.
- Finally, the Government of Kerala should use the questions asked in the open letter shared with the UK’s NHS vis-a-vis its datastore, as a template to deepen public engagement, understanding and dialogue on the project. Such engagement will help reduce privacy and security concerns and would also help people to share insights and suggest measures which may be taken for course correction on an immediate basis.
- IFF’s Representation to the Government of Kerala and the Expert Committee formed on the Sprinklr Data Confidentiality Issue dated May 21, 2020 (link)
- Order of High Court of Kerala in Balu Gopalakrishnan and Ors. v. State of Kerala and Ors. dated April 24, 2020 (link)
- Open Letter to UK Health Secretary by Civil Society Organisations dated May 18, 2020 (link)
- “How the lockdown is triggering a constitutional crisis” by Raman Jit Singh Chima in Mumbai Mirror dated May 3, 2020 (link)
- “Towards cooperative federalism” by Aymen Mohammed and Malavika Prasad in The Hindu dated February 4, 2020 (link)