GOVERNMENT OF INDIA
MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY
UNSTARRED QUESTION NO. 1835
TO BE ANSWERED ON: 17.03.2017/PHALGUNA 26, 2938 (SAKA)
SUPREME COURT’S ORDERS ON AADHAAR
Will the Minister of ELECTRONICS AND INFORMATION TECHNOLOGY be pleased to refer to answer to Unstarred Question 373 given in the Rajya Sabha on 18 November, 2016 and state:
a) whether Government acknowledges that the violation of the Supreme Court's orders on Aadhaar dated 11 August, 2015 and 15 October, 2015 by Government agencies amounts to an infringement of Fundamental Rights of citizens under Article 21 of the Constitution;
b) whether Government proposes to examine and address the unresolved concerns under the Aadhaar programme, including the use of Aadhaar as ID and KYC, data security and privacy concerns and the data integrity of the Aadhaar database; and
c) if so, the details thereof, if not, the reasons therefor?
MINISTER OF STATE FOR ELECTRONICS AND INFORMATION TECHNOLOGY
(SHRI P.P. CHAUDHARY)
(a), (b) and (c): The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 has been passed by the Parliament and has been brought into force w.e.f 12th September, 2016.
The usage of Aadhaar is governed by the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. Section 7 of the Act provide that the Central Government or the State Government, may require that the individual shall undergo Aadhaar authentication for the purpose of establishing identity of such individuals, as a condition for receipt of a subsidy, benefit or service or in the case of an individual to whom no Aadhaar number has been assigned, such individual shall make an application for enrolment. Section 7 further provides that, if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy, benefit or service.
Appropriate legislative and administrative measures have been taken to ensure the privacy, data integrity and data security of identity information and authentication records of individuals. Section 29 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 provides that no core biometric information (iris and fingerprints) shall be shared with anyone for any reason whatsoever and the same shall not be
used for any purpose other than Aadhaar generation and authentication. It further provides that no Aadhaar number or core biometrics collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for the purposes as may be specifically provided for by the regulations framed under this Act.
Further, the Aadhaar (Authentication) Regulations 2016 have also been notified in September, 2016. These Regulations inter alia provide for biometric authentication to be done only by Authentication Users Agency (AUA) authorized by UIDAI, transmission of biometric information in encrypted form, use of only certified device etc. In case of biometric authentication, response of UIDAI is signed digitally, assuring its veracity and additionally user is alerted about the ibid transaction / authentication.
Chapter VII of the Aadhaar Act provides for the penalties for contravention of any provisions of the Aadhaar Act. Section 38 under the said Chapter more specifically deals with the penalty for unauthorized access to the UIDAI’s Central Identities Data Repository (CIDR) in the form of following unauthorized - accessing, downloading, introducing virus, damaging the data, disruption of access to the CIDR, denial of access to an authorized person, revealing, sharing, using or display of information, destroying, deleting or altering of
information, stealing, concealing any computer source code used by the Authority which shall attract an imprisonment for a term which may extend to three years and shall also be liable to a fine which shall not be less than Rs. 10 lakhs.
Additionally, Section 39 provides that any unauthorised use or tampering with data in CIDR or in any removable storage medium with the intent of modifying information relating to Aadhaar number holder or discovering any information thereof, shall be punishable with imprisonment for a term which may extend to 3 years and also liable to a fine which may extend to Rupees ten thousand.
UIDAI’s CIDR facilities, Information Assets, Logistics and Infrastructure and Dependencies installed at UIDAI have been classified as Protected System under section 70 (1) of the Information Technology Act, 2000 w.e.f. 11 December 2015. UIDAI in order to further strengthen its security protocols has received ISO 27001 certification which is globally accepted as the highest standard for IT security.