How does the UIDAI protect the individual and their information?
Protection of the individual, and the safeguarding their information is inherent in the design of the UID project. From having a random number which does not reveal anything about the individual to other features listed below, the UID project keeps the interest of the resident at the core of its purpose and objectives.
Collecting limited information: Data collected by the UIDAI is purely to issue Aadhaar, and confirm the identity of Aadhaar holders. The UIDAI is collecting basic data fields in order to be able to establish identity this includes Name, Date of Birth, Gender, Address, Parent/ Guardian's name essential for children but not for others, mobile number and email id is optional as well . The UIDAI is collecting biometric information to establish uniqueness therefore collecting photo, 10 finger prints and iris.
No profiling and tracking information collected: The UIDAI policy bars it from collecting sensitive personal information such as religion, caste, community, class, ethnicity, income and health. The profiling of individuals is therefore not possible through the UID system, since the data collected is limited to that required for identification and identity confirmation. The UIDAI had in fact, dropped the place of birth data field part of the initial list of information it planned to collect based on feedback from CSOs that it could lead to profiling. The UIDAI also does not collect any transaction records of the individual. The records of an individual confirming their identity through Aadhaar will only reflect that such a confirmation happened. This limited information will be retained for a short period time in the interest of the resident, to resolve any disputes.
Release of information - yes or no response: The UIDAI is barred from revealing personal information in Aadhaar database the only response permitted is yes or no to requests to verify an identity The only exceptions are the order of a High court , or the order of a secretary, in case of national security . This is a reasonable exception and is clear and precise. This approach is also in line with security norms followed in US and Europe on access to data in case of a security threat.
Data protection and privacy: The UIDAI has the obligation to ensure the security and confidentiality of the data collected . The data will be collected on software provided by the UIDAI and encrypted to prevent leaks in transit. Trained and certified enrollers will collect the information, who will not have access to the data being collected. The UIDAI has a comprehensive security policy to ensure the safety and integrity of its data. It will publish more details on this, including the Information Security Plan and Policies for the CIDR and mechanisms for auditing the compliance of the UIDAI and its contracting agencies. In addition, there will be strict security and storage protocols in place. Penalties for any security violation will be severe, and include penalties for disclosing identity information . There are penal consequences for unauthorised access to CIDR including hacking , and penalties for tampering with data in the CIDR under the Aadhaar Act, 2016 .
Convergence and linking of UIDAI information to other databases: The UID database is not linked to any other databases, or to information held in other databases. Its only purpose will be to verify a person's identity at the point of receiving a service, and that too with the consent of Aadhaar holder. The UID database will be guarded both physically and electronically by a few select individuals with high clearance. It will not be available even for many members of the UID staff and will be secured with the best encryption, and in a highly secure data vault. All access details will be properly logged.