Entities that carry out Aadhaar authentication have been told to obtain residents’ informed consent, either on paper or electronically, before carrying out authentications, the Unique Identification Authority of India (UIDAI) has highlighted in its new guidelines for Requesting Entities (REs).
UIDAI has urged the REs carrying out online authentications to ensure that residents understand the type of data being collected and the purpose of Aadhaar authentication.
It has been underlined that logs of authentication transactions, including the consent taken, are to be kept only for the period prescribed in the Aadhaar Regulations, and that purging of such logs after expiry of that period shall also be done as per the Aadhaar Act and its regulations.
REs are engaged in providing Aadhaar authentication services to residents. REs are responsible for submitting the Aadhaar number and demographic/biometric OTP information to the Central Identities Data Repository for the purpose of authentication.
UIDAI has highlighted that REs should be courteous to residents and assure them about the security and confidentiality of the Aadhaar numbers being used for authentication transactions.
The Authority has also urged REs to immediately report to UIDAI any suspicious activity around authentications, such as suspected impersonation by residents, or any compromise or fraud by any authentication operator.
REs should generally not store Aadhaar in either physical or electronic form without masking or redacting the first 8 digits of the Aadhaar number. UIDAI has guided REs to store an Aadhaar number only if they are authorized to do so, and in the manner prescribed by UIDAI.
It has further asked REs to provide effective grievance handling mechanisms for residents and cooperate with UIDAI and other agencies deputed by it for any security audit as required under the law and regulations.