Following directions from the Kerala High Court, the state has mandated that explicit consent be obtained for collection of sensitive personal data for COVID-related activities. It has also mandated that such data be anonymised before it is shared with any third-party, as part of guidelines released on May 18. This will apply retroactively to all COVID-related data already collected.

The Kerala High Court had on April 28 directed the state government to anonymise the COVID-19 related data it has collected so far through software provided by US-based Sprinklr, which was at the heart of a privacy-related furore when opposition leaders in Kerala questioned the basis of the government’s deal with the company. The opposition had accused Chief Minister Pinarayi Vijayan of sharing personal medical details of people placed under COVID-19 surveillance with Sprinklr.

The guidelines, discussed in detail below, are applicable to tools developed by government agencies and any third party entities. The definition of sensitive personal data is as per the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, which categorises physical and mental conditions, and medical records, among others, as sensitive personal data. The provisions in the guidelines are largely in line with the Kerala High Court’s directions issued in April.

The state government has also reportedly told the High Court that Sprinklr no longer has access to any COVID-related data and all of it stored only on Amazon Web Services’ servers being managed by the Centre for Development of Imaging Technology (C-DIT), a state government body.

Guidelines for COVID-related data collection and processing in Kerala

  • Explicit consent necessary, even for involuntary data collection: Explicit consent Explicit consent of a data principal is necessary if their sensitive personal data is collected for COVID-related activities, and it is also mandatory to inform them that such data is likely to be accessed by third party service providers, and consent be obtained for that as well in “necessary forms or formats”. If data is collected from a data principal involuntarily using automated devices such as GPS, Bluetooth, it should be done on prior explicit consent of the data principal, per the guidelines.
  • Anonymisation to be ensured: Data anonymisation will be ensured before sharing it with any third-party service provider for processing so as to avoid “unique identification” of a person. Data collected prior to the guidelines issuance will also have to be anonymised.
  • Privacy policy should specify purpose and scope of data collection: Any data collection device, including apps, webapps, or webforms, should have a privacy policy illustrating compliance with the guideline’s provisions. The policy should explicitly specify the purpose for which data is collected and that the data will be used onlv for the purpose for which it has been collected.
  • Data transfers to be encrypted, can be stored on cloud only if authorised by the centre:  Data transmission shall be encrypted as per “approved encryption protocols”, and collected data collected will have to be stored in an encrypted form at the State Data Centre. Data can also be stored on the cloud, but only if that particular cloud service provider is approved by the central government, the guidelines said, and added that government departments procuring cloud services will have to follow government guidelines.
  • Third-party’s software will be audited: Third party systems used in this process will have to be ISO27000 compliant, any software or application will be security audited before they are hosted on the state’s data centre.