Print Friendly, PDF & Email

Kerala govt. issues data security guidelines

Topics Covered: Cyber security related issues.

Kerala govt. issues data security guidelines

What to study?

For Prelims: Overview of the guidelines.

For Mains: Need for and significance, why data privacy needs protection?

Context: Kerala government issues guidelines on COVID-19 data collection, processing. This is in the wake of the Sprinklr controversy.

What’s the issue?

The government had engaged the U.S.-based data analytics firm in collecting data. It ran into a controversy.

  • The government had said it had contracted Sprinklr as an emergency measure to crunch the health data of citizens to understand how the pandemic would behave in Kerala.
  • However, the Opposition had dragged the government to the High Court, accusing it of having used the outbreak as a cover to allow the U.S.-based firm to “harvest and monetise” the medical information of the State’s population.

Key guidelines:

  1. Consent: If any sensitive personal data is breached, explicit consent should be obtained from the data principal.
  2. Anonymity: Officials should ensure that all the data collected and collated from Kerala on COVID-19 containment activities should be anonymised so that unique identification of the data principal is not possible.
  3. Access to third party: Every citizen who has provided data will be informed that it is likely to be accessed by third party service providers.
  4. Format: Specific consent has to be obtained in the requisite format. The privacy policy illustrating the compliance in Malayalam and English forms will be included. The privacy policy will also be explicitly specifying the purpose for which data is collected and the data should be used only for the purpose for which it has been collected.
  5. Storage of data: The data collected will be stored in encrypted form. If data is stored in Cloud, the Cloud service provider will be approved by the Central Government and the guidelines issued for procurement of cloud by government departments should be strictly followed.
  6. If data is collected from a data principal involuntarily using an automated device like GPS and Bluetooth, it will be done on prior explicit consent of the data principal.
  7. Security audit: Any software or application to be hosted in the SDC will be subjected to security audit before hosting it.

What’s the reason behind bringing of these guidelines?

Recently, Kerala High Court had expressed its concern over the confidentiality of information gathered from COVID-19 patients.

The Court asked the state government to anonymize all data collected from citizens before allowing access to US company Sprinklr Inc.

The Court had also asked the state government to explore the Central Government’s submission that it’s the Ministry of Information and Technology that is capable of providing a service similar to Sprinklr which later saw them informing that it will be done through State Data Centre (SDC).

Sources: the Hindu.