The Kerala government’s procurement of a smart tool for data management from a US-based software company, to help the fight against Covid-19, has prompted Opposition allegations of a breach of data privacy.

Chief minister Pinarayi Vijayan has defended the move, saying US company Sprinklr had offered the data analytics service free of cost since its founder and CEO Ragy Thomas is a native of Kerala.

Kerala’s IT department has struck a no-cost deal for the software-as-a-service (SaaS) tool, which helps analyse the data gathered by health workers to identify those most vulnerable to the coronavirus infection.

This is done through a government website that can be accessed through a mobile phone OTP. It first asks four questions relating to whether the respondent is above 60 years, has come from abroad, has travelled in India, or has had contact with Covid-19 patients at their workplace.

After the respondent clicks one of the four buttons, he or she is asked another 20 questions about their health conditions.

Such details are also collected through community health workers. The tool, which can help structure unorganised data like Facebook messages, tweets or even phone calls to the health desk, analyses and structures all the information.

“SaaS is like using a cloud-based Photoshop package or Microsoft 365 and the information being collected is owned by the Kerala government under the agreement,” a senior official in Kerala told The Telegraph on Friday.

While conventional software has to be downloaded on each computer, the cloud-based system allows those responsible for entering and analysing data to access the SaaS system from anywhere via cloud operations, accessed through the Internet.

The Congress-led Opposition, which was hunting for an issue after Vijayan drew widespread acclaim for the way he handled the virus crisis, has accused the government of clandestinely signing a deal with a US-based company and violating privacy norms.

“Data gathered with the help of government machinery is being transferred to a private company outside India,” leader of the Opposition Ramesh Chennithala said on April 10. He has repeated the allegation every day and on Friday, called it “a major scam that needs to be exposed”.

A man named Balu Gopalakrishnan moved a petition in Kerala High Court on Friday against the state using the services of Sprinklr.

With the Covid-19 cases dipping steadily in the state, chief minister Vijayan had announced on Thursday that he would hold briefings only when necessary. But this fuelled murmurs that the software controversy was behind the decision to suspend the regular and hugely popular briefings.

Former chief minister Oommen Chandy of the Congress on Friday alleged procedural lapses in the agreement, saying “departments such as law, finance, health and local self-governance have not seen this file”.

Law minister A.K. Balan said there was no need to obtain clearances from all the departments.

“There was no exchange of money, (so there was no need) to get all the clearances,” he said.

The government has stressed that the data are being hosted on servers in India and that the state-run C-DIT (Centre for Development of Imaging Technology) has been assigned to manage them.

It has also released the text of the agreement with Sprinklr, which appears to ensure data confidentiality.

“Kerala at all times retains all rights to and responsibility for Customer Data uploaded to or accessed by the Sprinklr Platform,” says the affirmation letter signed by Dan Haley, general counsel of the company.

The letter contains a long list of data protection clauses in favour of the Kerala government and lays down how the entire data should be transferred to Kerala whenever asked.

Kerala and the company have also signed a non-disclosure agreement.

Another allegation is that the state had started working with the tool before even signing a deal, and later got Sprinklr to predate the agreement.

The data collection began by March-end, the non-disclosure agreement is dated March 24, and the affirmation letter is dated April 12.

A senior official with a state-run IT body stressed that the data were being hosted in India. “If they (the Congress) are talking about privacy... they need to check where the websites of the AICC and Shashi Tharoor are hosted,” he said.

A web application that identifies hosting locations shows that the All India Congress Committee site is hosted in Cologne, Germany, and Tharoor's site in Houston.

“Of course, there’s nothing unusual about hosting a website in some other country, unless it contains highly classified data. So we have made sure our SaaS is hosted in India,” the official said.

“This is the era of cloud computing and all your applications are available online. It won’t be good for the state if we start portraying all modern applications as instruments for data theft.”