The state’s Amazon cloud services account was upgraded and the data subsequently migrated there.

Kerala Chief Minister Pinarayi Vijayan
Coronavirus Privacy Thursday, May 21, 2020 - 19:12

Weeks after controversy erupted over the Kerala government's data deal with US-based company Sprinklr, the state government told the High Court on Thursday that its COVID-19 database has been transferred from the firm’s cloud to its own. In a submission to the Kerala High Court, the state said that no data has been shared with Sprinklr since April 20. 

In light of the COVID-19 pandemic, the state government entered into an agreement with the American company to use its software to analyse the data of people under observation for coronavirus in the state. 

On April 10, Opposition Leader Ramesh Chennithala alleged a breach of citizens’ privacy, alleging that the data was stored in the company’s server in the United States. On April 21, the Kerala High Court ordered the state to anonymise the data of citizens and allow the company access only after the process of anonymisation was complete.

“It is submitted that the entire data and application has been transferred to Government owned cloud web space in Amazon web service (AWS) managed and controlled by CDIT by 20th April 2020 itself. Further, Sprinklr Inc has been directed to destroy all residual data, if any, with them immediately. Sprinklr Inc has submitted that the company would comply the aforesaid directions,” said the government. 

CDIT to which the data has now been transferred is a Kerala government owned organisation.

The Kerala government said that Sprinklr did not have access to the system. “In case any data needs to be shared, which is not envisaged, a detailed protocol including anonymisation shall be followed,” the government said.

In keeping with the court's directions that consent be taken from citizens, the government said that it has directed all heads of departments/ agencies engaged in data collection to inform every citizen from whom data is to be collected, that such data is likely to be accessed by Sprinkly or other third party service providers and to obtain their specific prior consent to such effect in necessary forms or formats.

These agencies include Local Self Government Department, Health Department, Revenue and Disaster Management Department, Social Justice Department, NORKA Department, Kerala State Disaster Management Authority, Kerala State IT Mission and the Centre for Development of Imaging Technology (CDIT). 

Use of Amazon’s cloud services

Stating that the data needs to be housed in a cloud for ‘better configurability and scalability’, the state government reiterated that the data was with the CDIT's Amazon Web Services account in Mumbai and not abroad. 

The submission said, “The Government had examined feasibility of using the State Data Centre (SDC) for the above. [Sprinklr’s] software require Amazon tools for its processing and since SDC uses VM ware web services, this was not possible.”

Thus, the CDIT’s Amazon cloud services account was upgraded and the data subsequently migrated there. Sprinklr has created a separate instance of their application in the CDIT's Amazon Web Services account. This means that the data collected is being processed only in the CDIT instance using the third party application hosted therein, said the Kerala government.

“It is submitted that the Government has now full and exclusive ownership of the data and for analysis of the data, the software of [Sprinklr], now available with the C-DIT, will be used. Hence, there is no transfer of data to third parties.” the government said.