The two-member expert panel constituted to look into the Kerala government's controversial deal with Sprinklr Inc. has, according to a Manorama News report, said that the deal was struck without taking the Law Department's counsel and revealed that the company had access to the personal data of 1.8 lakh people.
The two-member panel, with the former Chief of National Cybersecurity Gulshan Rai and former Civil Aviation Secretary M Madhavan Nambiar as members, submitted its report to the government on October 21, 10 days after the deadline of October 10.
The first charge that the IT Department, then headed by the Chief Minister's former secretary M Sivasankar, had not taken the Law Department into confidence was accepted by the government right at the start of the controversy.
The government's reasoning, articulated by Sivasankar himself, was that it would have been self-defeating to take the usual long-winding bureaucratic route during a time of an unprecedented public health emergency. “Even a day's delay would have been fatal,” the government had said in the High Court in April.
The two-member panel, however, terms the bypassing of the Law Department as an administrative failure.
Sprinklr getting access to personal data was also acknowledged by the government in court, though no numbers were given. The two-member panel now gives the exact number of people whose personal data had been handed over to Sprinklr: 1.8 lakh.
Nonetheless, the report says that the data handed over were not sensitive ones. It has information about illnesses like fever and vomiting, the two-member panel reportedly concluded.
Sprinklr's Malayali CEO Ragi Thomas was also interrogated and he said that citizen information was not tapped for commercial purposes. Further, the CEO said all the data accessed by the company were transferred to the Amazon Web Services cloud of government-run C-DIT.
The panel also noted that the government had no means to check data breach. It also made some recommendations on how to prevent such a situation in future. The strengthening of C-DIT and the IT Department, and regular training for C-DIT employees were some of the recommendations.
The panel had also laid down certain guidelines on how to protect data.
The government had initially said that the Sprinklr software could pick up COVID trends in the community and therefore would help in formulating quick disease prevention strategies. As it turned out, the software was unsuitable for COVID-19 response and was, therefore, left unused. The government also decided not to extend the contract with Sprinklr.