Understanding Sensitive Personal Data in the Kerala context of Operation Twins and the Sprinklr controversy
CPI (M) Polit Bureau member MA Baby alleged that the Kerala Opposition Leader Ramesh Chennithala leaked sensitive information via the Operation Twins website — which has its server allegedly in Singapore. “This is a serious issue, as the Opposition Leader has encroached on the privacy of the citizens. The information was not published with the consent of the people in the list, and it is a grave legal issue,” said Baby.
After Ramesh Chennithala alleged widespread double votes in the state, the Kerala Election Commission admitted to it but said the total was less than 40,000. However, Ramesh stuck to his guns and launched a website (www.operationtwins.com) where he released documents relating to his claims of over four lakh double votes in the state. That’s where it ends. The problem with Baby’s claim is that it makes no sense for an esteemed individual not to understand the difference between personal information and sensitive personal information.
The easiest way to compare is with two examples: this one and the Sprinklr row, where the LDF government has been the perpetrator. The data available on the Operation Twins website is a condensed form of the data available on the Election Commission’s website. The Google sheets detail the serial number in the electoral roll, booth number, name, and voter ID card number. The sheets do not reveal the photograph, age, address, or any other personal information. The data on the site is a reference for people to verify the claims against the official EC website and rolls. Moreover, the EC website has the same information and more, accessible to all, from anywhere in the world.
“We haven’t collected any new information for the website. We have only compiled the information publicly available on the Election Commission website, which the commission collected to issue voter ID cards,” said Ramesh Chennithala, adding that there is no legal block to analysing EC data, copying the same from other countries and storing it there.
Under the IT Act, sensitive personal data exists as the concept of “sensitive personal data or information” defined in the Rules. It means personal information consisting of: (i) passwords; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information. It also includes any detail relating to the above items provided to a body corporate for providing services, and any of the information received under the above items by a body corporate for processing, that is stored or processed under lawful contract or otherwise. Importantly, sensitive personal data or information does not include information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other applicable law.
The Sprinklr controversy is the perfect example to explain the illegal practice of using sensitive private information. The Kerala government allowed US-based tech firm Sprinklr access to the health information of 1.75 lakh people under quarantine without their consent. The data included details of the unknowing participants’ symptoms and underlying health conditions. Measured against the aforementioned criteria of sensitive personal information, the collated data falls under both (iii) and (v). The same data hadn’t been available on the Health department’s website but was collected specifically for the study and handed over to Sprinklr.
Moreover, the opposition had also asked why the data was handed over to Sprinklr when there were C-DIT (Centre for Development of Imaging Technology) and the Kerala State IT Mission. Following the public outrage, the government asked Sprinklr to move the data from their servers to the C-DIT servers. However, the expert committee of Madhavan Nambiar and Gulshan Rai claimed that while the leaked data reportedly returned to C-DIT servers, “the state machinery is incapable of identifying data leaks and so cannot confirm if there aren’t copies out there”.
The Kerala government started a “study” that gave health-based sensitive information of 1.7 lakh people, without their consent, to a US-based corporate body, and due to a dearth of proper IT infrastructure, the state cannot confirm whether copies remain on US servers, in the possession of an American company. On the other hand, the UDF’s website compiles publicly available data into an analytical form to root out lakhs of fake votes in the state, without using any sensitive information.