Husain Dalwai, a politician from Indian National Congress party, and an MP in the Rajya Sabha had asked about “Startups and private companies authorized to collect Aadhaar information” in unstarred question 4580 in the Rajya Sabha. He asked for the following information:

Will the Minister of ELECTRONICS AND INFORMATION TECHNOLOGY be pleased to state:

  1. whether Startups and private companies are demanding Aadhaar from citizens, if so, the list of such companies authorised to collect Aadhaar information;
  2. whether UIDAI audits private companies collecting Aadhaar information periodically, if so, the list of such audits carried out; and
  3. how many of these private companies have collected Aadhaar information without appropriate permissions by forcing the customers?

To this, the Minister of State for Information and Technology, K J Alphons responded by saying that:

  1. Unique Identification Authority of India (UIDAI) provides Aadhaar Authentication Services to the entities appointed as per Regulation 12 of Aadhaar (Authentication) Regulations, 2016. Only those entities, that fulfill the eligibility criteria laid down in Schedule-A of Aadhaar (Authentication) Regulations, 2016, are eligible to apply for appointment as requesting entity.
    As on 31.03.2018, total 310 entities have been appointed as requesting entities including 27 private entities which have been authorized under category 3. The list of such 27 private entities is attached at Annexure-I.
  2. As per the provisions of Regulation 21 of Aadhaar (Authentication) Regulations, 2016, the Authority may undertake audit of the operations, infrastructure, systems and procedures, of requesting entities, including the agencies or entities with whom they have shared a license key or the entities on whose behalf they have performed authentication.
    So far, UIDAI has conducted audit of 07 private entities belonging to category 3. The list of such entities is attached at Annexure-II.
  3. No such incidence has been reported for collecting of Aadhaar information, without appropriate permissions by forcing the customers.

******

Annexure-I

List of Private entities appointed as Authentication User Agencies

S. No. Private entities appointed as Authentication User Agencies
1 A and A Dukaan Financial Services Private Limited
2 Alankit Assignments Ltd.
3 Alankit Limited
4 AuthBridge Research Services Pvt. Ltd
5 Credit Information Bureau (India) Limited
6 Crif High Mark Credit Information Services Pvt. Ltd.
7 Equifax Credit Information Services Pvt. Ltd.
8 Experian Services India Private Limited
9 Fino PayTech Ltd
10 GI Technology Private Limited
11 Integra Micro Systems (P) Ltd.
12 Karvy Data Management Services Limited
13 Khosla Labs Private Limited
14 M-Tech Innovation ltd
15 NSDL e-Governance Infrastructure Limited (NSDL)
16 Oswal Computers and consultants
17 Promind Solutions Pvt. Ltd.
18 Smart Chip Limited
19 Transunion Software Services Pvt. Ltd.
20 Vakrangee Limited
21 VFS Global Services Pvt.
22 VSoft Technologies Pvt. Ltd.
23 WeP Solutions Ltd.
24 GMR Hyderabad International Airport Limited
25 In-Solutions Global Pvt. ltd.
26 Modicare Limited
27 V-CON Integrated Solution Pvt. Ltd.

Annexure-II
List of entities whose audit was conducted by UIDAI as per Regulation 21 of Aadhaar (Authentication) Regulation, 2016

S. No. Name of entity whose audit was conducted
1 NSDL
2 Alankit Limited
3 Equifax
4 Fino Paytech Limited
5 Transunion
6 Smartchip
7 Khosla Labs

MediaNama’s take

This does not actually answer the question, which was not about “requesting entities” appointed by the UIDAI, it was about startups and private companies demanding Aadhaar from citizens – this includes a large number of banks, insurance companies, corporate offices, schools, hospitals, telecoms, LPG providers and more. Making Aadhaar mandatory for various purposes has resulted in a large number of private organizations demanding Aadhaar for citizens which they are forced to do if they want their children to continue in school, hold bank accounts, phone numbers, keep jobs where EPF needs their Aadhaar number, claim insurance and so on.

None of these entities are requesting entities as per the list provided by the government, but they are demanding Aadhaars of citizens and are, by now, entrusted with a large numbers of Aadhaars, which can be misused by anyone who has access to them.

The question was a legitimate one and very clear. The government chose to reply to it with irrelevant information rather than describe the chain of responsibility for the security of these Aadhaars that government policies have empowered private entities to demand. So far, there has been no explanation of how the information on these Aadhaars is secured.

MediaNama does not believe that information on such photocopies provided to all entities that demand them in order to retain essential services can be reliably secured.