The Parliament enacted Aadhaar Act 2016 on 11th March 2016 with the objective of providing seamless transfer of benefits and various administration of welfare schemes and provide legislative backing to the Aadhaar project. It aims to cater to targeted delivery of incentives directly to the beneficiaries; thereby mitigating the unfair advantages by the intermediaries in the process and streamlining government-aided benefits and services.
It has also been enacted with the objective of protecting and safeguarding the sensitive personally identifiable data of the holder of the Aadhaar number.
Salient features of Aadhaar Act, 2016:
- Every resident is entitled to obtain an Aadhaar number.
- Enrolment requires submission of demographic and biometric information, about which the enrolling agency shall acquaint the applicant into the manner of information utilisation, nature of parties with which information may be shared during authentication, right to access the information and its procedures.
- Aadhaar can be accepted as proof of identity. However, it cannot be proof of citizenship or domicile.
- Aadhaar authentication may be required by the Central or the State Government as a condition for receipt of a subsidy, benefit or service.
- It instructs requesting entities to obtain the consent of an individual and inform the individual how the information provided for authentication may be used.
- The agency or requesting entity can use the disclosed information only for the purposes for which the individual provides consent.
Establishment & composition of authority
- For enrolment and authentication, the Act provides for the establishment of an authority called the Unique Identification Authority of India (UIAD).
- The Authority consists of a Chairperson (part-time or full-time), two part-time members, and a chief executive officer.
- The main functions of the Authority include developing policy, procedure and systems for issuing Aadhaar numbers and performing authentication thereof. The chairperson and members are required to be well-experienced, with at least ten years’ background in matters such as technology, governance, etc.
Protection of Information
- Authority shall ensure confidentiality of biometric information and use it only for the purpose of Aadhaar generation and authentication.
- Identity information of the person undergoing authentication shall not be used for any purpose other than specified at the time of authentication and shall not be shared without the consent of the concerned Aadhaar holder.
- No Aadhaar number or core biometric information shall be published, displayed or posted publicly except for the purposes specified by regulations.
- The Authority shall not collect, store or maintain any information about the purpose of authentication.
Circumstances under which information may be revealed
- Disclosure of identity information or authentication records can be made only per order of a court no inferior to that of a District Judge and/or disclosure made in the interest of national security following the direction of an officer not below the rank of a Joint Secretary to the Government of India. Further, any direction issued under matters of national security shall be reviewed by an Oversight Committee comprising the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology. However, under no circumstances, core biometrics shall be shared.
- On the order of a court, an individual’s Aadhaar number, photograph and demographic information may be revealed.
Offences and penalties
- Breach of provisions of the Act attracts penalties. A penalty can be imposed for impersonation of the Aadhaar holder, disclosing identity information, unauthorised access to the Central Identities Data Repository (CIDR), unauthorised use of identity information by the requesting entity, non-compliance with the intimation requirements.
- A requesting entity can be punished with imprisonment up to one year or a fine up to Rs 10,000, or with both if it fails to comply with rules.
- No court shall take cognizance of any offence except that a complaint is made by the UID authority or a person authorised by it.
Despite having enacted the robust Aadhar Act 2016, the concerns for data protection arise from the following possibilities:
- possible data loss
- unauthorised access and misuse of data
- financial loss
- loss of reputation
- promotional marketing and cross-selling
- compromise of data through wrongful exclusion or forgery of data through dubious means
These are some of the real threats that are hanging over Aadhaar.
There are serious concerns over fake Aadhaar cards being issued through fraudulent means in order to take advantage and benefits of the government welfare schemes that are meant for the real needy people of this society.
The issuance of Aadhar cards through fraudulent means is also a serious concern for the national security of the country.
At many places it has been observed that illegal immigrants have acquired Aadhaar identity and are enjoying multiple benefits of various government schemes thus robbing the people who have the genuine need and are being excluded from the welfare schemes.
Issue of Identity Theft
The issue of identity theft through stealing the biometric data of finger-print and iris scan is scary. The lost or forgotten passwords can be re-created but not the biometric data. Since the biometric data is unique to every individual, the UIDAI has surely put in place multiple barriers in terms of data protection and has implemented the highest standard of cybersecurity to protect and safeguard the data.
The biometric and demographic data of over 1 billion Indians lies in the vaults of the Central Identities Data Repository.
However, the Aadhaar number cannot be deployed or used for any benefits or services without two factor authentication.
The growth of digital-commerce, e-payments, e-governance, projects of the government creation of databases and greater use of usage of information technology both by government and corporates and automated decision making by the systems require for a very sound legal framework to protect the personal data from misuse and theft from hackers and demand that it be protected and secured with technology of the highest standard of cybersecurity.
Aadhaar Act 2016 is the right step in the direction of protecting and safeguarding the PII and SPII(biometric information like finger prints, iris scan, address) of billion plus people of India and providing a robust legal framework against its misuse or forgery or fraud.
We at Data Secure(www.datasecure.ind.in) can help you to understand Privacy and Trust while dealing with data and provide Privacy Training and Awareness sessions to improve upon the knowledge of Privacy and implement Privacy Management Programs.
For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or Draft India PDPB 2019 and Secure Email transmission, kindly write to us at email@example.com.
For downloading various Global Privacy Laws kindly visit the Resources page in DATA SECURE – Privacy Automation Solution