Indian Kanoon - Search engine for Indian Law

2.9. By the order dated 21.10.2021, the TCS Ltd. was impleaded as additional 5th respondent, which has filed an affidavit dated 14.12.2021, on SPMS, data privacy, manpower deployment, etc. As per the said affidavit, the Kerala Police had expressed interest in creating Digital Pilgrim Management System for Sabarimala pilgrimage and the Company in the meetings held on 22.07.2019 and 23.07.2019 agreed to deliver a next generation online service system with darshan service for devotees to book advance darshan tokens at Sabarimala along with Pilgrim Verification System for verification of booking details. Based on the same, the State DBP No.13 of 2021 & W.P.(C)Nos.21609 & Police Chief issued work order dated 16.08.2019 to the Company to develop Digital Pilgrim Management System for Sabarimala, subject to the terms and conditions. On data privacy, it is stated that various data privacy and security measures, as stated in paragraph 4.2 of the statement, have been consistently implemented across all three modules of SPMS, i.e., online service platform, online spot booking and online verification system. The data collected at the time of Virtual-Q booking is used strictly for verification purpose by the operator kiosks set up by the Kerala Police and manned by them. Operators can only retrieve pilgrim information using front-end screen, that too, they can only see the last four digits of the ID card in the plain text format. No police staff has access to the database directly to query or retrieve information in any form. The Company does not share any personal information or sensitive personal information or data with the Kerala Police or with any other agency. Kerala Police has front-end access to refer to high level summary reports (day wise, month wise bookings, cancellations, arrivals, etc.) as part of their logistics and manpower deployment planning DBP No.13 of 2021 & W.P.(C)Nos.21609 & in advance to serve the pilgrims visiting in the season. Even in the summary reports, no personal information or sensitive personal information or data is accessible. The project has been completed and delivered free of cost. The complete IT and operational infrastructure is provided by the Kerala Police, viz, Amazon Web Services Cloud Server for storage, two apple Mac-books for designs, SMS service provider API account to send alerts to pilgrims, Dhanalakshmi Bank Payment Gateway provider API to integrate with online system so that, pilgrims can place orders for 'prasadham' by paying money directly to the Devaswom account digitally along with booking Virtual-Q coupons. The Company developed SPMS in accordance with the requirements provided by the Kerala Police. Post- completion of the project, for ongoing maintenance and support, the Company is providing 12 full-time employees based on skill set up, during peak season when the temple opens for pilgrimage, as detailed in paragraph 7 of the statement. In the statement, the 5th respondent has stated that, data security and data privacy measures have been implemented bearing in mind the requirements under the DBP No.13 of 2021 & W.P.(C)Nos.21609 & Information Technology Act, 2008 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data and Information) Rules, 2011.

8. Per contra, the learned State Attorney for the 2nd respondent State and also the 3rd respondent State Police Chief contended that, the management of Virtual-Q system by the 3rd respondent State Police Chief will in no manner violate the provisions under the Travancore-Cochin Hindu Religious Institutions Act or the Kerala Hindu Places of Public Worship (Authorisation of Entry) Act. Sabarimala is a high security zone and Kerala Police is having a statutory duty to maintain law and order at Sabarimala. The online booking facility provided at Sabarimala, originally with the support of the KELTRON, was approved by the Division Bench of this Court. Thereafter, the 3rd respondent State Police Chief entrusted the DBP No.13 of 2021 & W.P.(C)Nos.21609 & same to the additional 5th respondent TCS Ltd. Virtual-Q system has to be operated by the Kerala Police with the active support of the TDB, as being done for the past so many years. Sabarimala, being a pilgrim destination of national importance, crowd control management and all sorts of security threats have to be taken care of by the Kerala Police. The police will be able to discharge the above duty, in a most effective manner, only if they have control over the Virtual-Q system. On the data privacy issues, the learned State Attorney submitted that, sufficient safeguards have already been taken.

636. Thus, the European Union Regulation of 2016 has recognised what has been termed as 'the right to be forgotten'. This does not mean that all aspects of earlier existence are to be obliterated, as some may have a social ramification. If we were to recognise a similar right, it would only mean that an individual who is no longer desirous of his personal data to be processed or stored, should be able to remove it from the system where the personal data/information is no longer necessary, relevant, or is incorrect and serves no legitimate interest. Such a right cannot be exercised where the information /data is necessary, for exercising the right of freedom of expression and information, for compliance with legal obligations, for the performance of a task carried out in public interest, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims. Such justifications would be valid in all cases of breach of privacy, including breaches of data privacy."

66. In view of the provisions under Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, the body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract. Such policy shall be published on website of body corporate or any person on its behalf and shall provide for the DBP No.13 of 2021 & W.P.(C)Nos.21609 & matters enumerated in clauses (i) to (v) of sub-rule (1) of Rule 4 of the said Rules.