Question: Security of Aadhaar Data

Will the Minister of ELECTRONICS AND INFORMATION TECHNOLOGY be pleased to state:

(a) the number and details of incidents/cases where Aadhaar data was leaked/breached and used illegally all over the country, State-wise;

(b) whether any investigation has been conducted against the agencies which were responsible for breach/leakage of Aadhaar data;

(c) if so, the details thereof along with the action taken against them;

(d) whether any FIR has been lodged by UIDAI in this regard during the last three years and if so, the details thereof;

(e) the extent to which the Aadhaar database is secure along with the steps taken by the Government to ensure the privacy/security of Aadhaar data; and

(f) the mechanism put in place for usage of Aadhaar data by Government agencies and the accountability of officials in case of negligence on their part in handling of such data along with the details thereof?

Answer given by the minister

(a): In respect of so-called data breach reported in certain sections of media, it is informed that there has been no security breach of Unique Identification Authority of India (UIDAI)’s biometric database or Central Identity Data Repository (CIDR).

(b), (c) and (d): Do not arise in view of (a) above.

(e): UIDAI has a well-designed, multi-layered robust security system in place and the same is being constantly upgraded to maintain the highest level of data security and integrity. UIDAI has adequate legal, organizational and technological measures in place for the security of the data stored with UIDAI. Data Protection measures have also been mandated for the requesting entities and ecosystem partners to ensure the security of data. Government is fully alive to the need to maintain the highest level of data security and privacy, and is deploying the necessary technology and infrastructure. The architecture of Aadhaar ecosystem has been designed to ensure non-duplication, data integrity and other related management aspects of security & privacy in Aadhaar database. Additionally, various policies and procedures have been defined clearly which are reviewed and updated periodically, thereby appropriately controlling and monitoring security of data.



UIDAI data is fully secured/encrypted at all times, i.e. at rest, in transit and in storage. UIDAI's existing security controls and protocols are robust and capable of countering any such attempts or malicious designs of data breach or hacking. For further strengthening of security and privacy of data, security audits are conducted on a regular basis, and all possible steps are taken to make the data safer and protected. Further, there are multiple layers of security at physical level in UIDAI Data Centres and is being managed by armed CISF personnel round the clock. Strengthening of security of data is an ongoing process and all possible steps are being taken in this regard.

Legal status of UIDAI has further strengthened the security assurance of Aadhaar ecosystem manifold with the enactment of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 passed by Indian Parliament, which has stringent penalties/punishments for offenders. In the ibid Act, Chapter VI on Protection of Information (Section 28 – Section 33) & Chapter VII on Offences and Penalties (Section 34 – Section 47) specifically relate to protection of information and related offences and penalties to offenders.

UIDAI has been declared ISO 27001:2013 certified by STQC with respect to Information Security which has added another layer of information security assurance. Further, in pursuance of sub-section (1) of Section 70 of the IT Act 2000, UIDAI data has also been declared as Protected System by National Critical Information Infrastructure Protection Centre.

(f): The usage of Aadhaar data by any agency is governed by the Aadhaar Act 2016 and subsequent regulations framed thereunder, which has adequate safeguards. Sharing of information with the authorised agencies is governed as per the provisions of the Aadhaar Act, 2016.

(i) Section 29 (1) of the Aadhaar Act 2016 read together with Regulation 3(1) of the Aadhaar (Sharing of information) Regulations, 2016 categorically states that no core biometric information, collected or created under the Aadhaar Act, shall be shared with anyone for any reason whatsoever; or used for any purpose other than generation of Aadhaar numbers and authentication under the Act.

(ii) Regulation 4(1) of the Aadhaar (Sharing of information) Regulations, 2016 provides that core biometric information collected or captured by a requesting entity from Aadhaar number holder at the time of authentication shall not be shared for any reason whatsoever.

(iii) Regulation 4(2) of the Aadhaar (Sharing of information) Regulations, 2016 provides that identity information available with a requesting entity shall not be used for any purpose other than that specified to the Aadhaar number holder at the time of submitting identity information for authentication and shall not be disclosed further without the prior consent of the Aadhaar number holder.

(iv) Regulation (5) of the Aadhaar (Sharing of information) Regulations, 2016 ensures the responsibility of any agency or entity other than requesting entity with respect to Aadhaar number and subsequent Regulation (7) states that any contravention of the above-mentioned regulations shall constitute a violation of sub-section (2) of Section 29 of the Act.

(v) Section 30 of the Aadhaar Act, 2016 applies the rigours of the IT Act, 2000 and the rules thereunder, whereby Biometric Information is deemed to be Sensitive personal information.

(vi) Additionally, Chapter VII of the Act lays down monetary penalties and imprisonment for unauthorized sharing of residents’ identity information. Any violation of the provisions of the Aadhaar Act is a criminal offence.
******
