Sprinklr controversy: Kerala government releases agreement with US company

Letters of affirmation exchanged between Sprinklr and the Kerala IT Department have been released by the Kerala government.

Days after the Kerala government was questioned about its tie-up with American company Sprinklr, over sharing data of people under observation for COVID-19, the state government has released documents related to the contract. Eight documents uploaded on the state government’s website include the purchase order form, the service agreement, Sprinklr's privacy policy, the non-disclosure agreement and two letters of affirmation written on April 11 and 12. 

On April 10, Ramesh Chennithala, Leader of the Opposition, levelled allegations against the government, accusing it of breaching the privacy of people under observation for or susceptible to coronavirus in the state. The Congress leader alleged that the data was being hosted in the servers of a foreign company as opposed to the government's own. 

Both the Kerala Information Technology Department and Finance Minister Thomas Isaac responded to the allegations, stating that the information being collected is owned by the government. The government further said that the data was stored in the company’s Amazon web server in Mumbai until the state data centre was equipped to handle such a large volume.

The purchase order released on Wednesday mentions that the agreement is effective from March 25 till September 24 or the end of the COVID-19 pandemic, whichever is earlier. The two affirmation letters written on April 11 and 12, however, have some stark differences and a change in tone as far as the date is concerned.

Data protection

In the non-disclosure agreement, which the government had earlier cited as proof of privacy safeguards, a section marked ‘Confidentiality’ states:

The receiving party will maintain the confidentiality of the disclosing party’s Confidential Information with at least the same degree of care that it uses to protect its own confidential and proprietary information, but in no event less than a reasonable degree of care under the circumstances. The receiving party will not disclose any of the disclosing party’s Confidential Information to employees or to any third parties except to the receiving party’s employees and subcontractors who have a need to know such information in connection with the Purpose and have agreed to abide by non-disclosure terms at least as protective of the disclosing party’s Confidential Information as those set forth herein.

A relevant portion of the agreement with Sprinklr addresses data protection.

“Every employee participates in mandatory data protection and information security trainings and is formally obliged to data secrecy. Sprinklr established a data protection steering committee of key functional leaders throughout the company and Sprinklr also appointed an experienced Data Protection Officer,” it says.

It adds that the data will be transferred back once the agreement expires or is terminated. 

“Within thirty (30) days after the effective date of termination and upon request Sprinklr will extract customer’s available content from the Platform. Both parties will agree to an acceptable transfer methodology,” reads the agreement.

This is reiterated in the letters of affirmation exchanged between Sprinklr and the IT Department on April 11 and 12, following Chennithala’s allegations. 

The letter makes clear that the data belongs to the Kerala government and/or its citizens.

“Kerala at all times retains all rights to and responsibility for Customer Data uploaded to or accessed by the Sprinklr Platform. This means that any and all data used for provision of the Sprinklr Platform that is obtained by Sprinklr, including all citizen data accessed or obtained by Sprinklr from Kerala or directly from citizens, belongs to the Government and/or the citizens. Upon termination of Kerala’s use of the Platform, or at any time upon Kerala’s request, all Customer Data will be removed from the Platform and retained by Kerala. Nothing in this relationship gives Sprinklr any rights to such data, other than to provide the Platform as agreed with and instructed by Kerala,” says the letter, written by Dan Haley, General Counsel of Sprinklr.

However, another difference in the two letters is the clause on royalty. The April 11 letter says, "Customer grants to Sprinklr during the term of this Agreement a royalty-free, non-exclusive, non-transferable, worldwide right and license: (i) to copy, cache, store, reproduce, perform, display, use, distribute, transmit and generally make available the Customer Content in electronic form via the Internet, through wireless communications services and social media through the Platform in order to provide the Sprinklr Services to Customer in accordance with this Agreement; and (ii) to access Customer’s accounts on the Connected Services in order to provide the Sprinklr Services." This paragraph has been left out in the April 12 letter.

Chennithala unhappy

Shortly after the documents were uploaded on the government’s website, Ramesh Chennithala said that the letters of affirmation the government had released were written only after he raised his allegations. 

He claimed all the data collected by the government for COVID-19 still went to the server of Sprinklr. Chennithala also accused the government of handing over the ration card data of 87 lakh people to Sprinklr.

The News Minute
www.thenewsminute.com