Thiruvananthapuram: The proposed transfer of the entire K-SMART user database to the Information and Public Relations Department (I&PRD) has brought the Digital Personal Data Protection (DPDP) Act, 2023, into focus, raising questions about consent, purpose limitation and lawful processing. The issue stems from a letter issued on chief minister’s office (CMO) letterhead by Seeram Sambasiva Rao IAS, officer on special duty to the chief minister, referring to an I&PRD communication dated Dec 31, 2025. The letter directed the Information Kerala Mission (IKM) to provide the “latest database of registered users of K-SMART application” in Excel or data-pull format. The fields sought included phone number, name, age, gender, district, taluk, ward and local body— effectively a full demographic and contact profile of users. The request was linked to a proposed digital communication initiative titled “Centralised Notification Hub for Govt Services.” According to the letter, I&PRD is building a “comprehensive Data Lake” by collecting service-related information, target groups and other details from departments to enable real-time notifications through SMS, email, WhatsApp and voice/IVR under a unified sender identity — “Govt of Kerala.” K-SMART (Kerala Solutions for Managing Administrative Reformation and Transformation) is the state’s integrated e-governance platform for local self-govt institutions, developed by IKM. It digitises services such as birth and death registration, building permits, property tax, trade licences and grievance redressal across municipalities and gram panchayats. With statewide rollout completed, K-SMART is now the primary digital interface for local body services, with registered users running into several lakhs and potentially exceeding a million. Any bulk transfer would therefore involve data at significant scale. Under Section 7 of the DPDP Act, the state may process personal data for certain “legitimate uses” without fresh consent if the data was voluntarily provided for a specified public service. However, such processing must remain within the scope of the original purpose of collection. The K-SMART privacy policy states that personal information will be used for “providing and improving the service” and will not be shared except as described in the policy. Whether sharing complete user profiles with I&PRD and IT Mission to create a cross-departmental data lake and notification system falls within that original purpose is now a key question. Section 5 of the Act requires that data principals be informed of the purpose of processing and the categories of recipients, while Section 6 provides for withdrawal of consent. The CMO letter makes no reference to any fresh user notice, policy update or opt-out mechanism. . Though the initiative originated from I&PRD, the instruction to IKM was issued through the CMO rather than the IT department, which typically anchors major e-governance architecture. The development comes amid recent high court scrutiny over the use of SPARK employee data by the CMO for official messaging, where concerns of “intrusion of privacy” were raised. The director of I&PRD did not respond to queries on whether users were informed of the proposed data sharing.
