Sharing of Information under the Aadhaar Law

The Unique Identification Authority of India has made various Regulations by virtue of the power under Section 54, Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

Aadhaar (Sharing of Information) Regulations, 2016; Aadhaar (Data Security) Regulations, 2016 and Aadhaar (Authentication) Regulations, 2016 are the relevant regulations.

A. Kinds of Information under Aadhaar Law

The Act, along with the various Regulations, deals with core biometric information, demographic information, identity information, authentication records and authentication logs.

Section 2(j), Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 defines “core biometric information” as –

  • finger print,
  • Iris scan, or
  • such other biological attribute of an individual as may be specified by regulations.

Section 2(k), Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 defines “demographic information” as information relating to the name, date of birth, address and other relevant information of an individual, as may be specified by regulations for the purpose of issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

Section 2(n), Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 defines “identity information” in respect of an individual, as his Aadhaar number, his biometric information and his demographic information.

Section 2(d), Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 defines “authentication record” as the record of the time of authentication and identity of the requesting entity and the response provided by the Authority thereto.

Regulation 20(1) of the Aadhaar (Authentication) Regulations, 2016 provides that an Authentication Service Agency shall maintain logs of the authentication transactions processed by it containing the following transaction details, namely:—

  • identity of the requesting entity;
  • parameters of authentication request submitted; and
  • parameters received as authentication response.

B. Sharing of Information

Different provisions on sharing apply to different kinds of information, as follows:

  • Core biometric information

Aadhaar (Sharing of Information) Regulations, 2016 provide as follows –

Regulation 3(1) provides that core biometric information collected by the Authority under the Act shall not be shared with anyone for any reason whatsoever. Regulation 4(1) provides that core biometric information collected or captured by a requesting entity from the Aadhaar number holder at the time of authentication shall not be stored except for buffered authentication as specified in the Aadhaar (Authentication) Regulations, 2016, and shall not be shared with anyone for any reason whatsoever.

Regulation 17(1), the Aadhaar (Authentication) Regulations, 2016 provides that a requesting entity shall ensure that –
(a) the core biometric information collected from the Aadhaar number holder is not stored, shared or published for any purpose whatsoever, and no copy of the core biometric information is retained with it;
(b) the core biometric information collected is not transmitted over a network without creation of encrypted PID block which can then be transmitted in accordance with specifications and processes laid down by the Authority.

  • Demographic information and photograph of an individual 

Regulation 3 (2), Aadhaar (Sharing of Information) Regulations, 2016 provides that the demographic information and photograph of an individual collected by the Authority under the Act may be shared by the Authority with a requesting entity in response to an authentication request for e-KYC data pertaining to such individual, upon the requesting entity obtaining consent from the Aadhaar number holder for the authentication process, in accordance with the provisions of the Act and the Aadhaar (Authentication) Regulations, 2016.

Regulation 4, Aadhaar (Sharing of Information) Regulations, 2016 provides that the Authority may share demographic information and photograph, and the authentication records of an Aadhaar number holder when required to do so in accordance with Section 33 of the Act.

  • Authentication records

Regulation 3 (3), Aadhaar (Sharing of Information) Regulations, 2016 provides that the Authority shall share authentication records of the Aadhaar number holder with him in accordance with regulation 28 of the Aadhaar (Authentication) Regulations, 2016.

Regulation 28 (4) of the Aadhaar (Authentication) Regulations, 2016 provides that the authentication records and e-KYC data shall not be shared with any person or entity:
(a) other than with the Aadhaar number holder to whom the records or e-KYC data relate in accordance with the verification procedure specified. Aadhaar number holder may share their digitally signed authentication records and e-KYC data with other entities which shall not further share with any other agencies without obtaining consent of the Aadhaar holder every time before such sharing.
(b) except in accordance with the Act.

  • Authentication logs

Regulation 4 (3), Aadhaar (Sharing of Information) Regulations, 2016 provides that a requesting entity may share the authentication logs of an Aadhaar number holder with the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the Authority for audit purposes, as specified in regulation 18 of the Aadhaar (Authentication) Regulations, 2016.

Regulation 18(4) of the Aadhaar (Authentication) Regulations, 2016 provides that the requesting entity shall not share the authentication logs with any person other than the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the Authority for audit purposes.

C.  Restrictions under Regulations 5 and 6

The Unique Identification Authority of India, a requesting entity, as well as any agency or entity other than a requesting entity with respect to Aadhaar number, have responsibilities under the Act and the various Regulations.

Regulation 5, Aadhaar (Sharing of Information) Regulations, 2016 (1) provides as follows:

  • Any individual, agency or entity which collects Aadhaar number or any document containing the Aadhaar number, shall:
    (a) collect, store and use the Aadhaar number for a lawful purpose;
    (b) inform the Aadhaar number holder the following details:—
    i. the purpose for which the information is collected;
    ii. whether submission of Aadhaar number or proof of Aadhaar for such purpose is mandatory or voluntary, and if mandatory, the legal provision mandating it;
    iii. alternatives to submission of Aadhaar number or the document containing Aadhaar number, if any;
    (c) obtain consent of the Aadhaar number holder to the collection, storage and use of his Aadhaar number for the specified purposes.
  • Such individual, agency or entity shall not use the Aadhaar number for any purpose other than those specified to the Aadhaar number holder at the time of obtaining his consent.
  • Such individual, agency or entity shall not share the Aadhaar number with any person without the consent of the Aadhaar number holder.

Regulation 6, Aadhaar (Sharing of Information) Regulations, 2016 (1) provides the following restrictions on sharing, circulating or publishing of Aadhaar number:

  • The Aadhaar number of an individual shall not be published, displayed or posted publicly by any person or entity or agency.
  • Any individual, entity or agency, which is in possession of Aadhaar number(s) of Aadhaar number holders, shall ensure security and confidentiality of the Aadhaar numbers and of any record or database containing the Aadhaar numbers.
  • No entity, including a requesting entity, which is in possession of the Aadhaar number of an Aadhaar number holder, shall make public any database or record containing the Aadhaar numbers of individuals, unless the Aadhaar numbers have been redacted or blacked out through appropriate means, both in print and electronic form.
  • No entity, including a requesting entity, shall require an individual to transmit his Aadhaar number over the Internet unless such transmission is secure and the Aadhaar number is transmitted in encrypted form except where transmission is required for correction of errors or redressal of grievances.
  • No entity, including a requesting entity, shall retain Aadhaar numbers or any document or database containing Aadhaar numbers for longer than is necessary for the purpose specified to the Aadhaar number holder at the time of obtaining consent.

Bhumika Sharma

She is currently a Research Scholar, (PhD) at Himachal Pradesh University, Shimla. She finds peace in research and writing on a variety of social issues. She believes in the power of education and awareness to deal with various problems.
