wordpress blog stats
Connect with us

Hi, what are you looking for?

Explicit consent, anonymisation of personal data collected for COVID-related activities must: Kerala govt

Following directions from the Kerala High Court, the state has mandated that explicit consent be obtained for collection of sensitive personal data for COVID-related activities. It has also mandated that such data be anonymised before it is shared with any third-party, as part of guidelines released on May 18. This will apply retroactively to all COVID-related data already collected.

The Kerala High Court had on April 28 directed the state government to anonymise the COVID-19 related data it has collected so far through software provided by US-based Sprinklr, which was at the heart of a privacy-related furore when opposition leaders in Kerala questioned the basis of the government’s deal with the company. The opposition had accused Chief Minister Pinarayi Vijayan of sharing personal medical details of people placed under COVID-19 surveillance with Sprinklr.

The guidelines, discussed in detail below, are applicable to tools developed by government agencies and any third party entities. The definition of sensitive personal data is as per the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, which categorises physical and mental conditions, and medical records, among others, as sensitive personal data. The provisions in the guidelines are largely in line with the Kerala High Court’s directions issued in April.

The state government has also reportedly told the High Court that Sprinklr no longer has access to any COVID-related data and all of it stored only on Amazon Web Services’ servers being managed by the Centre for Development of Imaging Technology (C-DIT), a state government body.

Guidelines for COVID-related data collection and processing in Kerala

  • Explicit consent necessary, even for involuntary data collection: Explicit consent Explicit consent of a data principal is necessary if their sensitive personal data is collected for COVID-related activities, and it is also mandatory to inform them that such data is likely to be accessed by third party service providers, and consent be obtained for that as well in “necessary forms or formats”. If data is collected from a data principal involuntarily using automated devices such as GPS, Bluetooth, it should be done on prior explicit consent of the data principal, per the guidelines.
  • Anonymisation to be ensured: Data anonymisation will be ensured before sharing it with any third-party service provider for processing so as to avoid “unique identification” of a person. Data collected prior to the guidelines issuance will also have to be anonymised.
  • Privacy policy should specify purpose and scope of data collection: Any data collection device, including apps, webapps, or webforms, should have a privacy policy illustrating compliance with the guideline’s provisions. The policy should explicitly specify the purpose for which data is collected and that the data will be used onlv for the purpose for which it has been collected.
  • Data transfers to be encrypted, can be stored on cloud only if authorised by the centre:  Data transmission shall be encrypted as per “approved encryption protocols”, and collected data collected will have to be stored in an encrypted form at the State Data Centre. Data can also be stored on the cloud, but only if that particular cloud service provider is approved by the central government, the guidelines said, and added that government departments procuring cloud services will have to follow government guidelines.
  • Third-party’s software will be audited: Third party systems used in this process will have to be ISO27000 compliant, any software or application will be security audited before they are hosted on the state’s data centre.

Advertisement. Scroll to continue reading.
Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...


Releasing the policy is akin to putting the proverbial 'cart before the horse'.


The industry's growth is being weighed down by taxation and legal uncertainty.


Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ