Will the Minister of ELECTRONICS AND INFORMATION TECHNOLOGY be pleased to state:
(a) whether the Government plans to initiate broad ranging privacy and data protection laws that can address systematic concerns relating to breach of privacy of citizens due to the provision of Aadhaar Bill;
(b) if so, the details thereof ;
(c) whether the Government has taken any measures to ensure absolute safety of biometric authentication; and
(d) if so, the details thereof?
(a) and (b): The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 [Act 18 of 2016], was passed by the Parliament on 16-03-2016. It is designed to promote good governance, financial inclusion and for targeted delivery of subsidies, benefits and services to deserving individuals in a transparent manner. In the Act, all important, legally validated and well certified principles of data privacy and protection of information have been incorporated. The specific provisions of the Act, in this regard, are as follows:-
(i) The Act provides that the resident shall be informed at the time of enrolment of the manner in which the information collected at the time of enrolment shall be used and the nature of recipients with whom the information is intended to be shared during authentication [Section 3(2)]. Further, consent of the individual would be obtained for using his identity information during authentication and he would also be informed of the nature of information that may be shared upon authentication and usage thereof [Section 8 and 29(3)].
(ii) Section 29 provides that no core biometric information (iris and fingerprints) shall be shared with anyone for any reason whatsoever and the same shall not be used for any purpose other than Aadhaar generation and authentication. It further provides that no Aadhaar number or core biometrics collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for the purposes as may be specifically provided for by the regulations framed under this Act.
(c) and (d): Yes, Sir. Appropriate measures have been taken by the Government to ensure the security of identity information and authentication records of individuals. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, provide that no core-biometric information (fingerprints, iris scan) shall be shared with anyone for any reason whatsoever (Sec29) and that the biometric information shall not be used for any other purpose other than generation of Aadhaar and authentication.
Further, the Aadhaar (Authentication) Regulations 2016 have also been notified in September 2016. These Regulations inter alia provide for biometric authentication to be done only by Authentication Users Agency (AUA) authorized by UIDAI, transmission of biometric information in encrypted form, use of only certified device etc. In case of biometric authentication, response of UIDAI is signed digitally, assuring its veracity and additionally user is alerted about the ibid transaction/authentication.
********