A look at the provisions under the Aadhaar Act, 2016, to protect and safeguard identity, information and authentication records of individuals.
What are the obligations of the Unique Identification Authority of India (UIDAI) in protecting data?
According to the Aadhaar Act, 2016, the UIDAI has to ensure confidentiality of identity, information and authentication records of individuals. It has to take all necessary measures to ensure that the information in its possession or control, including information stored in the Central Identities Data Repository, is secured and protected against access, use or disclosure not permitted under the Act.
The UIDAI has come up with regulations to protect the Aadhaar data at the time of enrolment as well as at the time of authentication. There are detailed rules on how the Aadhaar data will be collected, stored and used by the enrolment agencies and the authentication agencies. So the technical and organisational security measures followed by the UIDAI are also applicable to the enrolment and authentication agencies, external consultants and advisors.
Does the Act allow an individual access to his identity data under any condition?
No person can collect, store or use the Aadhaar number without the owner’s consent. Further, the Act prohibits publishing the Aadhaar number. An Aadhaar number holder may request the UIDAI to provide access to his identity information in a manner specified through regulations. But the Act does not give the holder access to his core biometric information. The Act specifically states: “No core biometric information, collected or created under this Act, shall be (a) shared with anyone for any reason whatsoever; or (b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act”.
The UIDAI is, therefore, not permitted to share an individual’s fingerprint, iris scan and other biological attributes for any purpose other than generation of Aadhaar numbers and authentication.
What is the recourse for an individual if there has been any breach in personal information data or its misuse?
According to the Act, only the UIDAI is authorised to file a complaint of any breach or misuse of the Aadhaar data. The aggrieved individual has to first approach the authority with his complaint. Only after verifying its validity can the UIDAI (or any person authorised by it) file the complaint with the investigating agencies. A police officer not below the rank of inspector shall investigate any offence under this Act.
Only a Chief Metropolitan Magistrate or a Chief Judicial Magistrate can try any offence punishable under this Act.
What are the offences and penalties for any breach or misuse of data?
Any person who causes harm or mischief to an Aadhaar number holder or impersonates by providing any false demographic or biometric information is punishable with imprisonment up to three years or with a fine up to Rs 10,000 or with both.
Similarly, unauthorised collection of identity information could attract a jail term up to three years or a fine up to Rs 10,000. In case of a company, the fine could extend up to Rs 100,000.
According to Section 43 (1), where an offence under this Act has been committed by a company, every person who was in charge, as well as the company, shall be deemed to be guilty and liable to be proceeded against and punished accordingly. No penalty imposed under this Act shall prevent the imposition of any other penalty or punishment under any other law.
According to Vaibhav Parikh, partner, Nishith Desai Associates, violations such as hacking, identity theft, breach of privacy and confidential data may also attract punishment under provisions of the Information Technology Act, 2000, and some cases of the Indian Penal Code.
In certain cases where there is compromise of fingerprint or iris scan data that causes wrongful loss to a person, he may be able to seek compensation for the loss against the person who caused such loss, said Parikh.