Central and state government ministries will be able to share partially-masked Aadhaar data (i.e. last 4 digits) along with demographic information (name, date of birth, gender, residential address), among themselves, according to a memorandum from the Unique Identification Authority of India (UIDAI). The departments can do so only if they comply with the provisions related to safety, security, and confidentiality, it added.
Another UIDAI memorandum states that ministries can use consent obtained from individuals during a particular scheme for any future schemes as long as they inform the individuals via email or mobile. The departments will have to get a consent form filled by the individual submitting their identity information for authentication.
Aadhaar IDs contain sensitive data which needs to be guarded zealously as India does not have a data protection law in place yet. It needs to be stressed that the memoranda do not shed light on the checks and balances in place to prevent misuse of data.
Why did the UIDAI publish these memoranda?
The regulatory body revealed that it has received requests from various government ministries to provide guidance regarding the use of such data for future schemes. The data, they said, was collected during the course of the implementation of respective welfare schemes.
What are the red flags?
Srikanth Lakshmanan, a tech activist, said that the timing of these memos was “interesting” as they were released just before the central government tabled the JPC report on the data protection bill in the Parliament.
He suggested that the intention seemed to be to give permission and nudge the government ministries/departments to share data freely before the data protection law comes into force. He also stressed that the Aadhaar Act has purpose limitations built into its framework.
“This circular will allow ministries to reuse data collected for a particular purpose because they already hold it. It is shady,” Lakshmanan said.
https://t.co/lAcYK6pBlp @UIDAI pioneering blank cheque equivalent for consent. #SaveOurPrivacy
cc @no2uid @internetfreedom @VrindaBhandari
— Srikanth ஸ்ரீகாந்த் (@logic) January 4, 2022
The form annexure is a notice which shall be put on a website indicating that a particular ministry is indulging in consent collection for the future. “It is slightly problematic because you are giving your permission for that agency to use your data for a future thing you do not know about as if you are signing a blank cheque,” he added.
‘Data sharing among different ministries is dangerous’
Lakshmanan explained that the ministries will be able to share masked Aadhaar data (last four digits) in addition to demographic data which does not make sense because it is almost like sharing the whole set of data. “It is a fairly unique dataset even if you do not have the 12 digits,” he said. He added that individuals will not even know if their data was shared with other ministries.
Srinivas Kodali, a researcher working on data, the internet, and cybersecurity, said that this move can be viewed as an attempt to build a family database under the State Family Database (SFDB).
Understanding SFDB: SFDB is a data integration and exchange platform that is envisioned to be an all-in-one database used across different departments of the state government to maintain records of various kinds. Tamil Nadu, and Haryana, are some of the states currently working on it.
What does the Aadhaar Act say?
The Aadhaar Act, 2016, was introduced for the delivery of subsidies, benefits, and services, to Indian citizens by assigning unique identity numbers to them. There are over 300 schemes notified under Section 7 of the Aadhaar Act which cover a huge number of individuals.
It is mandatory to inform individuals in writing under Section 29(3) of the Aadhaar Act, for which purposes their Aadhaar number is being used by the ministry.
UIDAI’s powers were expanded recently
The central government amended the Aadhaar Act (Adjudication of Penalties) Rules 2021 last year to give UIDAI powers to penalise entities for both civil and criminal violations. It outlined the following mechanism for UIDAI to enforce the penalties, and hence implement the privacy safeguards outlined in the Act.
Who should be the adjudicating officer? Under the Aadhaar Act, UIDAI must appoint an adjudicating officer to deal with violations of the act. The officer must:
- not be below the rank of Joint Secretary to the Government of India
- possess ten years or more of experience in the government body
- possess more than three years of experience law, management, IT or commerce
How to send a complaint: The UIDAI can send a complaint to the adjudicating officer in case of a violation, which must contain the following:
- the nature of the contravention
- relevant provision of the Aadhaar Act or rules issued by UIDAI
- the maximum penalty which can be imposed on the person or entity
- the timing, place of contravention along with supporting documents
Also read:
- Based on UIDAI complaint, Hyderabad Police shuts down illegal Aadhaar operation
- What RS Sharma had to say about consent, privacy, and UIDAI’s handling of Aadhaar
- India working on creating a common database with family as the unit: MeitY in Parliament
- Tamil Nadu’s Makkal Number exposed in massive data breach, bringing into question its privacy implications and legality
Have something to add? Subscribe to MediaNama here and post your comment.
