When your Aadhaar number is used to authenticate you, the organisation
requesting your Aadhaar information from the UIDAI is expected to obtain
your consent. According to Chapter III, section 8(2)(a) of the Aadhaar
(Targeted Delivery of Financial and Other Subsidies, Benefits and
Services) Act 2016, consent has to be restricted to the purposes of
authentication.

According to the Act (section 8(2)) and the Authentication Regulations
(section 5), before authenticating, the service provider is expected to
inform you of the nature of the information that will be available to
the requesting organisation upon authentication from the UIDAI, the ways
in which the information shall be used by the requesting organisation,
and alternatives to submission of identity information, should you not
wish to use an Aadhaar number.

Once you understand the nature of the information and the manner in
which it shall be used, according to the Authentication Regulations
(section 6), the service provider is supposed to hand you a consent
form, which you fill in. The Authentication Regulations mandate that the
service provider use a template provided by UIDAI to take your consent.
The consent may be recorded either in paper form or electronic form. In
either case, the requesting organisation is required to offer alternate
methods of identification, should you not wish to use Aadhaar. The
service provider is supposed to keep a log of consent information.
According to the Aadhaar Act (section 32(2)), you have a right to access
that information, should you wish to, provided you are willing to
undergo Aadhaar authentication.

The Aadhaar Authentication Regulations (section 16(5)) give you the
right to revoke your consent to the organisation that has obtained your
identity information from the UIDAI. When you revoke your consent, the
requesting organisation would be required to delete your identity
information that it obtained from the UIDAI. For example, if you decide
to stop using your once-favourite mobile connection for whatever reason,
you can revoke the consent you granted them and inform them
accordingly. Once they receive your request for revoking consent, they
shall delete all your information received during the e-KYC
(know-your-customer) process, which you followed to get the connection
in the first place. This ensures that your identity information is not
misused.

Interestingly, UIDAI, which provides the e-KYC service to authenticate
you, does not provide any means to revoke your consent. Nor does UIDAI
mention the turnaround time for completing a revocation request. The
UIDAI-supplied consent form template does not mention any method to
revoke your authentication. There is, therefore, no best practice
available to requesting organisations to allow you to revoke your
consent. This amounts to a denial of your legal rights.

On a related note, neither the UIDAI nor the Government of India has
defined standards to irrevocably delete your data from a service
provider's systems. Ask a cyber forensic expert, and he will show you
how the deleted data can be recovered from disks. Even our Information
Technology (IT) Act and subsequent rules are silent on this matter.

So it is an illegal use of your Aadhaar number if it has been used to
obtain your identity information from UIDAI without your consent.