Governments world over are looking at cloud environments not just as an alternative for on-premise structures, but as the only viable model. Given the context, is there anything wrong with Kerala government’s move to seek the services of the US-based Sprinklr to collate and aggregate Covid-19 data in the State?

The deal, which pertains to personal health data of nearly 1.75 lakh people categorised as ‘vulnerable and potentially exposed’ to the pandemic, has stirred up huge controversy. Unsurprisingly, it has acquired political hues with both the Opposition Congress and the BJP taking the Left Democratic Government to task. Sprinklr is a SaaS company owned by an expatriate Keralite that offers marketing, advertising and customer engagement services.

Due process not followed

Speaking to BusinessLine on condition of anonymity, a leading IT entrepreneur who has also served the government in various capacities on both sides of the political divide, said that there is no problem in taking the services of a foreign company, but it should have followed the due process. “As we know it, the date of engagement (of Sprinklr) was March 25 and the purchase order was signed on April 2. There was ample time to complete the due process, including legal and finance vetting, and also escalate it to the health and disaster management departments. Regretfully, this was not done,” he said.

“I don’t think the issue raised by the Opposition was either about a foreign company being given the work or about opting for a cloud-based environment to host sensitive data... it was about the way it was sought to be executed...unfortunately the whole issue has taken a political turn...and every time it was taken up for public scrutiny, there was a feeling that a cover-up was happening, which led to those in the government making even more mistakes.”

Master Service Agreement

Does the controversy provide a glaring instance of how a data sharing/processing agreement with a third party SaaS company should not be drafted? “Not necessarily. Actually, the government should have a policy on dos and donts for this type of an engagement. Also, the argument that, for a SaaS-based deal, there can be no change in their MSA (Master Service Agreement) is also not correct as is evident from the letters exchanged between the parties dated April 11 and 12.”

Do we need to fear about data privacy since we don’t have a data protection law in place? Did the government err by not insisting on hosting the data within the country? Personal data cannot be hosted anywhere outside India which is why Amazon and others now have India-based hosting, the IT honcho said. “In this case, I don’t think the data was initially hosted in country, but subsequently we were told that it would. On the privacy side, the problem is many of us don’t realise its importance as also the value of data.

Ignorance of value of data

Industries Minister EP Jayarajan’s statement summed up this ignorance like no other. The minister had said that there is nothing secret in the world now. “Sprinklr is a needless controversy. People’'s information will be available in public domain even otherwise. In today’s world, any information is available,” the minister had said.

Do the fresh non-disclosure agreement (signed separately) and the Affirmation Letter provided by Sprinklr offer us enough data security? It does to a certain extent but the indemnity clause protects the company and the government takes all the responsibility, the IT honcho said. On the question of capacity within the State to aggregate and process the voluminous Covid-19 data, he said this is not a very complex matter. “I am sure either the State government’s own agencies or some other Kerala-based company could have quickly come up with a solution.”

Related Topics
comment COMMENT NOW