Thursday, 31 August 2017

Aadhaar Act (Must know about Aadhaar card) #negiup

When your Aadhaar number is used to authenticate you, the organisation requesting your Aadhaar information from the UIDAI is expected to obtain your consent. According to Chapter III 8 (2) (a) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016, consent has to be restricted for purposes of authentication.  
 
According to the Act (section 8(2)) and the Authentication Regulations (section 5), before authenticating, the service provider is expected to inform you of the nature of the information that will be available to the requesting organisation upon authentication from the UIDAI, the ways in which the information shall be used by the requesting organisation, and the alternatives to submission of identity information, should you not wish to use an Aadhaar number.
 
Once you understand the nature of the information and the manner in which it shall be used, according to the Authentication Regulations (section 6), the service provider is supposed to hand you a consent form, which you shall fill in. The Authentication Regulations mandate that the service provider use a template provided by UIDAI to take your consent. The consent may be recorded either in paper form or in electronic form. In either case, the requesting organisation is required to offer alternate methods of identification, should you not wish to use Aadhaar. The service provider is supposed to keep a log of consent information. According to the Aadhaar Act (section 32(2)), if you are willing to undergo Aadhaar authentication, you have a right to access that information, should you wish to.
 
The Aadhaar Authentication Regulations (section 16 (5)) give you the right to revoke your consent to the organisation that has obtained your identity information from the UIDAI. When you revoke your consent, the requesting organisation would be required to delete your identity information that it obtained from the UIDAI. For example, if you decide to stop using your once favourite mobile connection for whatever reason, you can revoke the consent you granted them and inform them accordingly. Once they receive your request for revoking consent, they shall delete all your information received during the e-KYC (know-your-customer) process, which you followed to get the connection in the first place. This ensures that your identity information is not misused.
 
Interestingly, UIDAI, which provides the e-KYC service to authenticate you, does not provide any means to revoke your consent. Nor does UIDAI mention the turnaround time for completing the revocation request. The UIDAI-supplied consent form template does not mention any method to revoke your authentication. There is, therefore, no best practice available to requesting organisations to allow you to revoke your consent. This amounts to denial of your legal rights.
 
On a related note, neither the UIDAI nor the Government of India has defined standards to irrevocably delete your data from a service provider’s systems. Ask a cyber forensic expert, and he will show you how the deleted data can be recovered from disks. Even our Information Technology (IT) Act and subsequent rules are silent on this matter.
 
So it is an illegal use of your Aadhaar number if it has been used to obtain your identity information from the UIDAI without your consent.