Kerala government issues guidelines on COVID-19 data collection, processing

All data collection processes should strictly comply with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules.
People wearing masks pass by the Statue of the Survivor which was erected by the Koratty police at the NH66. (Photo| Albin Mathew, EPS)
People wearing masks pass by the Statue of the Survivor which was erected by the Koratty police at the NH66. (Photo| Albin Mathew, EPS)

THIRUVANANTHAPURAM:  State government has announced general guidelines on data collection and processing in the context of the outbreak of COVID-19.

In one of the last orders signed by the outgoing Chief Secretary Tom Jose, he has stated that all data collection processes should strictly comply with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules issued by the Central Government.

It should be recalled that the Kerala High Court had expressed its concern over the confidentiality of information gathered from COVID-19 patients which saw the state government being asked to anonymize all data collected from citizens before allowing access to US company Sprinklr Inc

The High Court had also asked the state government to explore the Central Government’s submission that it’s the Ministry of Information and Technology that is capable of providing a service similar to Sprinklr which later saw them informing that it will be done through State Data Centre (SDC).

The latest order issued by the state government said that if any sensitive personal data is breached, explicit consent should be obtained from the data principal. The order has asked the officials to ensure that all the data collected and collated from Kerala on COVID-19 containment activities should be anonymised so that unique identification of the data principal is not possible. Every citizen who has provided data will be informed that it is likely to be accessed by third party service providers.

Specific consent has to be obtained in the requisite format. The privacy policy illustrating the compliance in Malayalam and English forms will be included. The privacy policy will also be explicitly specifying the purpose for which data is collected and the data should be used only for the purpose for which it has been collected.

The data collected will be stored in encrypted form in the SDC. If data is stored in Cloud, the Cloud service provider will be approved by the Central Government and the guidelines issued for procurement of cloud by government departments should be strictly followed.

The order also says that if data is collected from a data principal involuntarily using an automated device like GPS and Bluetooth, it will be done on prior explicit consent of the data principal. In case a third party system is used, the compliance of the system with ISO27000 will be preferred. Any software or application to be hosted in the SDC will be subjected to security audit before hosting it.

‘Adhere to it rules’

In one of the last orders signed by the outgoing Chief Secretary Tom Jose, he has stated that all data collection processes should strictly comply with the Information Technology Rules issued by the Central Government.

Related Stories

No stories found.
The New Indian Express
www.newindianexpress.com