[Exclusive] Precautions to be Taken While Handling Aadhaar Numbers

India's Aadhaar project is the world's largest national identity project which collects biometric and demographic data of residents. However, recently there have been considerable deliberations over the privacy and security issues related to the Aadhaar project.

Establishing Identity of an Individual through Aadhaar Number

The Aadhaar Act entitles resident individuals to obtain an Aadhaar number by submitting certain biometric information and demographic information as part of the enrolment process. All of the information shared during the enrolment process falls within the ambit of Personally Identifiable Information, which is considered private and secured information. Whenever private entities or Government bodies need to establish the identity of an individual, the Aadhaar number is authenticated. This process of establishing the identity of an individual is in itself considered confidential.

Right to Privacy as Fundamental Right

The Right to Privacy has been established as a fundamental right by the Supreme Court. In this regard, it is important to note that a number of Government bodies, private institutions and corporates require sharing of Aadhaar numbers for identity authentication. Privacy obligations are cast on these Government bodies, private institutions and corporates. Later in this article we will see how these bodies meet the obligations and the stiff penalties that they face for breaching them.

Aadhaar and other Laws (Amendment) Act, 2019

The Rajya Sabha, in a landmark decision, passed the Aadhaar and other Laws (Amendment) Bill, 2019 in July 2019. This Bill now allows Aadhaar holders to voluntarily share their Aadhaar number as a valid identity proof for opening bank accounts or applying for new mobile phone connections. The amended bill also allows individuals to share their virtual (Aadhaar) identification number for e-KYC authentication.

Aadhaar Number sharing - compliance of the IT Act, 2000 and Aadhaar Act, 2016

The eGovernance Group, MeitY has observed that various bodies in both the government and the private sector have been collecting personal identity or information of residents, including Aadhaar numbers, demographic information and other sensitive personal data. Publication or storing of any such personal information is a violation of the IT Act 2000 and the Aadhaar Act 2016. In this regard, MeitY has prepared general guidelines for securing identity information and sensitive personal data in compliance with the Information Technology Act 2000 and the Aadhaar Act 2016.

Amendment to Telegraph Act, 1885 and the Prevention of Money Laundering Act, 2002

The Aadhaar and other Laws (Amendment) Act, 2019 amends the Telegraph Act, 1885 and the Prevention of Money Laundering Act, 2002 to state that persons with a license to maintain a telegraph, banking companies and financial institutions may verify the identity of their clients by a) authentication of e-KYC or offline verification of Aadhaar, b) passport or c) any other documents notified by the Central Government. The Act further states that the client will have the choice to use either mode to verify the identity. Further, no person shall be denied any services for not having an Aadhaar number.

Role of Entities using Aadhaar

An entity, either the State or a body corporate under any law, may be allowed to authenticate a person through Aadhaar if the UIDAI is satisfied that it is a) compliant with certain standards of privacy and security, or b) permitted by law, or c) seeking authentication for a purpose specified by the Central Government in the interest of the State. Hence, it becomes very critical that the bodies which use the Aadhaar number for verification or other purposes comply with the law. Under the Act, courts can now take cognizance of an offence even if an individual registers a complaint for impersonation or disclosure of their identity or Aadhaar number. Failure to comply with the law carries severe penalties, as seen in this article. Intellect has a Magic Aadhaar product which will help entities using Aadhaar numbers to comply with the law.

Penalty for Violation of Aadhaar Act

The Aadhaar and other Laws (Amendment) Act, 2019 provides for an INR 1 Crore penalty and a jail term for private entities violating the provisions of Aadhaar data. The amendments provide for use of the Aadhaar number for KYC authentication on a voluntary basis. The Act also casts responsibility on private companies and others who use Aadhaar numbers for KYC authentication and for other purposes.

Disclosure of Aadhaar Information in litigation

The restrictions on security and confidentiality of Aadhaar related information do not apply in case the disclosure is pursuant to an order of a High Court and above. Further, an officer not below the rank of a Secretary may issue directions for disclosing information in the interest of national security.

UIDAI Fund

Under the Act, all fees and revenues collected by the UIDAI are credited to the Unique Identification Authority of India Fund. The fund shall be used for expenses of the UIDAI including salaries and allowances of its employees.

Hence, the Aadhaar Act and its Amendment cast several and severe responsibilities on corporates and other bodies collecting Personally Identifiable Information through Aadhaar numbers. With privacy law picking up across the globe and our own PDP Bill looming large as an important law to be brought into effect in the country, it is time that corporates and other bodies are sensitized on how the Aadhaar number and other collected details are used.

K Satish Kumar

Guest Author K Satish Kumar is the SVP & Group Chief Legal Officer of Intellect Design Arena Ltd. He is actively involved in many pro bono activities through Chennai Lawyers. He is an award-winning lawyer and regularly contributes as an author in various forums.
