In response to unstarred question 2347 in the Lok Sabha, the Minister of State in the Ministry of Finance said that as of the 5th of March, the number of Aadhaar cards linked with PAN is 16,65,82,421, and that as of the 2nd of March 2018, 8779.65 lakh current and savings accounts have been linked with Aadhaar and 6811 Aadhaar enrolment/update centres are operational in bank branches.

The reply also lists the following security features to protect transactions:

  • Biometric/authentication data is encrypted using PKI (Public Key Infrastructure). Only the authentication success or failure message is conveyed back to the user.
  • The connectivity between bank, NPCI and UIDAI is also through a secured encrypted private network.
  • UIDAI has issued a number of security guidelines, circulars and a registered device security specification for AUA, ASA and Technology Solution Provider to comply with.

In response to the part of the question asking about the measures taken by the Government to ensure that such sensitive data is not leaked from organizations handling this data, the reply said:

Sharing of information or seeding of Aadhaar information with the authorised agencies is governed as per the provisions of the Aadhaar Act 2016. Section 29 (1) of the Aadhaar Act 2016 read together with Regulation 3(1) of the Aadhaar (Sharing of information) Regulations, 2016 categorically states that no core biometric information, collected or created under the Aadhaar Act, shall be shared with anyone for any reason whatsoever; or used for any purpose other than generation of Aadhaar numbers and authentication under the Act. Also, Regulation 4(1) of the Aadhaar (Sharing of information) Regulations, 2016 provides that core biometric information collected or captured by a requesting entity from Aadhaar number holder at the time of authentication shall not be shared for any reason whatsoever. Further, Section 30 of the Aadhaar Act, 2016 applies the rigours of the IT Act, 2000 and the rules thereunder whereby Biometric Information is deemed to be Sensitive personal information. Additionally, Chapter VII of the Act lays down monetary penalties and imprisonment for unauthorized sharing of residents’ identity information. Any violation to the provisions of The Aadhaar Act is a criminal offence.

Notably, the government's reply and the measures it describes do not explain or address growing reports of transaction failures in the UPI, where the money sent does not get credited to the recipient, even though it gets deducted from the sender’s account and the transaction is reported to be successful. The lack of logs, reporting or transparency in the NPCI makes the tracing of such transactions very difficult for senders. There is no way to know the percentage of transactions that fail, as this too is not reported by the NPCI.