Q.1 Can the resident’s data be purged from Aadhaar database?
Ans: As is the case with the other services availed from the government, there is no provision for purging the data of the resident from the database once he has obtained his Aadhaar. The data is also required as it is used for de-duplication of every new entrant in the database against all the existing records to establish the uniqueness of the resident. Only after this process is completed that the Aadhaar is assigned.
Q.2 Can a resident opt out of Aadhaar?
Ans: The resident has the option in the first instance not to enrol for Aadhaar at all. Aadhaar is a service delivery tool, and not designed for any other purpose. Aadhaar being unique to every resident is non-transferable. If the resident does not wish to use the Aadhaar, it will remain dormant, as the use is based on the physical presence and biometric authentication of the person. However, children, within 6 months of attaining majority, may make an application for cancellation of their Aadhaar as per the provisions of the Aadhaar Act, 2016 (as amended) and regulations framed there under.
Q.3 How will the grievances of the resident be addressed?
Ans: The UIDAI will set up a Contact Centre to manage all queries and grievances and serve as a single point of contact for the organization. The details of the Contact Centre will be published on the website as and when enrolment begins. The users of this system are expected to be residents, registrars and enrolment agencies. Any resident seeking enrolment is given a printed acknowledgement form with an Enrolment Number, that enables the resident to make queries about her/his enrolment status through any communication channel of the contact centre. Each enrolment agency will be given a unique code that will also enable faster and pointed access to the Contact Centre that includes a technical helpdesk.
Q.4 Who will have access to the UID database? How will the security of the database be ensured?
Ans:
- Residents who have aadhaar numbers will be entitled to access their own information stored in the UID database.
- CIDR operations will be follow strict access protocols to limit access to the database.
- The database itself will be secured against hacking and other forms of cyberattacks.
Q.5 How does the UIDAI protect the individual and their information?
Ans: Protection of the individual, and the safeguarding their information is inherent in the design of the UID project. From having a random number which does not reveal anything about the individual to other features listed below, the UID project keeps the interest of the resident at the core of its purpose and objectives.
- Collecting limited information
Data collected by the UIDAI is purely to issue Aadhaar numbers, and confirm the identity of Aadhaar number holders. The UIDAI is collecting basic data fields in order to be able to establish identity– this includes Name, Date of Birth, Gender, Address, Parent/ Guardian’s name essential for children but not for others, mobile number and email id is optional as well . The UIDAI is collecting biometric information to establish uniqueness – therefore collecting photo, 10 finger prints and iris. - No profiling and tracking information collected
The UIDAI policy bars it from collecting sensitive personal information such as religion, caste, community, class, ethnicity, income and health. The profiling of individuals is therefore not possible through the UID system, since the data collected is limited to that required for identification and identity confirmation. The UIDAI had in fact, dropped the ‘place of birth’ data field – part of the initial list of information it planned to collect – based on feedback from CSOs that it could lead to profiling. The UIDAI also does not collect any transaction records of the individual. The records of an individual confirming their identity through Aadhaar will only reflect that such a confirmation happened. This limited information will be retained for a short period time in the interest of the resident, to resolve any disputes. - Release of information – yes or no response
The UIDAI is barred from revealing personal information in the Aadhaar database – the only response permitted are a ‘yes’ or ‘no’ to requests to verify an identity. The only exceptions are the order of a court, or the order of a joint secretary, in case of national security. This is a reasonable exception and is clear and precise. This approach is also in line with security norms followed in US and Europe on access to data in case of a security threat. - Data protection and privacy
The UIDAI has the obligation to ensure the security and confidentiality of the data collected. The data will be collected on software provided by the UIDAI and encrypted to prevent leaks in transit. Trained and certified enrollers will collect the information, which will not have access to the data being collected.
The UIDAI has a comprehensive security policy to ensure the safety and integrity of its data. It will publish more details on this, including the Information Security Plan and Policies for the CIDR and mechanisms for auditing the compliance of the UIDAI and its contracting agencies. In addition, there will be strict security and storage protocols in place. Penalties for any security violation will be severe, and include penalties for disclosing identity information. There will also be penal consequences for unauthorised access to CIDR – including hacking, and penalties for tampering with data in the CIDR. - Convergence and linking of UIDAI information to other databases
The UID database is not linked to any other databases, or to information held in other databases. Its only purpose will be to verify a person’s identity at the point of receiving a service, and that too with the consent of the aadhaar number holder. The UID database will be guarded both physically and electronically by a few select individuals with high clearance. It will not be available even for many members of the UID staff and will be secured with the best encryption, and in a highly secure data vault. All access details will be properly logged.
