Aadhaar law has good data protection & privacy provisions: A B P Pandey

Dr A B P Pandey, Director General and Mission Director of UIDAI speaks to Nitin Sethi on how the efficacy of Aadhaar will be monitored and what challenges it faces as it reaches the 100 crore enrolment mark.

Challenges now that the law is in place…

Once the law is notified, then one will be the procedural challenge. Government will have to notify necessary rules under the law and UIDAI will have to frame all the regulations which will govern the jobs we are doing. This is a unique case. Usually what happens is first a law is passed and thereafter the institutions are built and operations start. Here it has happened the other way around. The operations – the enrolment – is almost complete. The organisation is also there and has been working under executive orders. Now everything has to be kind of retrofitted into the acts and the regulations.

How much time do you foresee this process taking?

I foresee it will take maybe 4-5 weeks after the Act is notified to create this whole structure in terms of regulations and other things.

What changes would it entail for UIDAI?

At this time I would say that this Act has very strong data protection and privacy provisions. So, what we shall have to do is obtain the consent of every individual and that consent has to be informed consent. So we have to go through this process of obtaining informed consent.

For all the 100 crore people enrolled?

No, for the people who will be enrolling in future.

But the consent of those who have already enrolled?

It is not required because the Act validates all the actions done earlier. So this will apply to the new enrolments. A similar thing will happen for the authentication. When the people come for authentication again the process of informed consent will have to be carried out. The agencies that are involved in this job of authentication, they will have to do it. This is very important from the people’s point of view as it will assure them that their data is secure and will be used only for the purpose it was obtained and not handed over to anyone else without their consent.

That will require back-end tweaking?

That is correct. First the policy and regulations are to be put in place. Then, we have entered into various agreements with our partners – those agreements will have to be changed. Next, all these things have to be reflected in the field, for example it could require changing a form to be filled – that has to be done. Some electronic processes for doing such tasks may also require modifications.

You are saying all this can be done in four weeks?

No, in four weeks we can come out with some kind of draft regulations. We will need some more time. But we need a time deadline. There can’t be a situation where you have an act passed by the Parliament and just because the regulations are not formed we can’t implement the act.

Compliance with law…

Compliance and the urgency with which the Parliament has passed this act, this emergency is also to be reflected in our operations.

Once this architecture is in place, what new ventures or tasks have the government tasked the UIDAI to do?

You see, where all Aadhaar can be used is primarily dependent on the concerned departments or agencies of the government. It will be their domain to decide which areas they want to implement it. So say if the government decides Aadhaar will be made mandatory under section 7 for LPG they can do that. But, that department has to assess the readiness of their organisations.

For average citizens if you can explain, once the line department says they want to use Aadhaar for some scheme, how much time does it take you to tweak your systems for the service?

Actually it wouldn’t take time. The Act provides that when Aadhaar is made mandatory for a particular service, benefit or subsidy the person may go for an Aadhaar authentication. If the government department chooses to go purely through this authentication route then that department has to provide this facility at all service points. The department has to make the preparations. If the department is not 100% ready and all service points do not have Aadhaar authentication facility, till then at some of the centres they have the option of accepting the proof of Aadhaar number and that can be done by accepting the paper copy of the Aadhaar card.

...till the biometric system is in place?

Right, so the appropriate mix of these strategies will help the departments roll out use of Aadhaar for their services faster.

There is research being done now through your centre at how biometrics can be used more efficiently in India. Do you foresee Iris data being used more for authentication along with the fingerprints?

As of today we are already using three sets of biometrics – fingerprints, Iris and photographs. As on today this meets our requirements for the next few years. But yes, particularly for infants – children below 5 years of age – there is an issue of how well formed the fingerprints are. But, I am told that some research is going on where the prints of the heels of infants are perhaps more well-formed than the fingerprints. Perhaps after a few years, supposing that technological development comes, we should be in the position to include that in our system. If more development comes to find another biometric that is less obtrusive – we would also like to use only those biometrics that are less obtrusive and cost effective and provide some use that is not met by current biometrics – we should be able to use it. We will not collect biometrics just for the sake of collection. Our principle from the beginning has been to capture the most minimal data required for de-duplication and identification.

There have been reports of how in some places where biometrics are being used, like in Rajasthan for PDS, the rate of failure of fingerprint authentication is much higher than expected...

At certain places if the fingerprint fails they have an option. Either they can go for Iris or if the mobile number is registered then through the OTP system that can always be done. But say even that doesn’t work say because of connectivity problems…

Electricity or internet connection…

Yes, the government should always have an exception system in place where based on the paper Aadhaar card services can be given and an entry could be made for those exceptional cases. In such exceptional cases where electricity was not working or internet connectivity was bad or some location without connectivity or where fingerprint has not come up correctly, in such cases we should always see what are the alternatives and those can be used.

So is mobile-based authentication something towards which UIDAI is set to progress?

Yes I see it moving. Our systems should have the options. One has to know for what kind of transaction you have to collect biometrics for confirmation of identity or for what purpose you can use the confirmation through the mobile phones or go for both in a combination. There could be some very sensitive transactions where someone would want to go for both Iris and mobile OTP. It all depends on the nature of transaction. Hypothetically someone wants to enter a high-value transaction. Then the department can decide it shall go for multi-factor authentication. In Aadhaar we have multi-factor authentication system. It could be any combination of three options we have provided – fingerprints, Iris as well as mobile OTP.

Are you able to monitor how Aadhaar is being used and what is its efficacy – where it is working or failing, say if biometric identification through fingerprints is working or not?

One thing is clear. From the Aadhaar side we will not have any data on the purpose or location of authentication – for what purpose this Aadhaar is being used and from where the transaction has originated. This is something we have stated repeatedly in our affidavits in the Supreme Court and it is also reflected in the law. So people are assured that we will not keep their data. But yet, of course, we shall have to have information on what kind of people are failing those transactions – whether there is some problem with their biometrics or whether the biometrics need to be updated, or whether the machines they are working with are all right, or in case someone is attacking us. So, we shall need that kind of data. But we won’t need data about, say, what transaction is being done, whether you are withdrawing or depositing money or for what purpose – not that kind. Say somebody has authentication – we will not have information on whether it’s being used for PDS or MNREGA. So we will not have, keep or accept that information into our systems.

Is there a system already in place for monitoring the efficacy of Aadhaar? Say, if I came to you six months down the line and asked how is the biometric system working? Would you be able to provide that authentication worked in 85% of cases or not? Are you regularly collecting this kind of data?

We monitor this. Say in one day, say, we get 2 million requests. Out of that we naturally have the information that so many have failed or so many have passed. The failure could be because of various reasons. Someone could have tried to falsify an identity, it could be a fingerprint failure. We also try to monitor the failure rate.

Would I as a citizen or a journalist have access to this data on the efficacy of Aadhaar?

At this stage we don’t know how much of the data will be put in public domain. We will have to understand what the security implications are and how much data we need to put in public.

Second thing, how would you monitor that the authentication through Aadhaar has been done legally and only for the purpose that one was permitted to use the authentication system. Who monitors that?

We will have a process laid down, an agreement. Now that we have a law, certain responsibility will be cast on the people who are doing the enrolment or authentication when they handle sensitive personal data. Then there is an obligation cast on them that they use it for a specific purpose. We will have our system in which we shall have some kind of audit of what we call the authentication user agency to see to what extent they are compliant.

Are the protocols in place for you to share periodically with public how the user agencies used the data, in how many instances did they breach the law?

It all depends upon what kind of audit mechanism we have…

At the time we don’t have one in place?

Right, we also have to realise the sheer number of agencies we work with. We shall have to work out a workable arrangement as to how it is to be done or if it’s to be based on self-certification. Some kind of judgement call will have to be taken. It shouldn’t happen that we start doing a very closely tied audit of every transaction.

Say by CAG?

CAG audits only what the government does, and here a whole lot of government and those outside the government will be using it, and we are dealing with a 125 crore number. Therefore what would be the form of audit, whether it would be an audit by some independent auditors etc. – those things will have to be thought through and we shall come out with an appropriate response.

Do you foresee that the CAG will be able to audit not just UIDAI but the work of all its private partners?

So far as UIDAI is concerned, it’s a government agency, and CAG will have full access to audit every aspect of work that UIDAI does directly. Then, Aadhaar will be used by various government agencies to ensure that services, benefits and subsidies from the Consolidated Fund of India are directed to the deserving people. CAG perhaps tomorrow could consider including this aspect also in their audit when they audit such departments.

And audit of the services that the private sector provides for the UIDAI?

There are two categories. One where the private sector is doing UIDAI’s job – like running our data centre – the CAG can go into the question of how they are doing it, whether they are doing it efficiently, whether we are paying them more or less – the CAG can always go into those aspects. But, supposing we have authorised an agency to do authentication which they are using for their own purpose. Say SEBI has permitted all companies and entities to use Aadhaar for KYC and SEBI is authenticating the genuineness of the Aadhaar number. I am not sure to what extent the CAG can go and audit those private entities. This is something on which the CAG will have to take a call.

But these audit processes will take at least few months to be drafted and put in place?

Exactly.

Once the systems are all in place, what is the next task for UIDAI as it reaches the 100 crore mark?

We are soon going to touch the 100 crore enrolment mark. So, one is it brings that kind of confidence to us. Now we have a creditable mechanism to accurately identify people for providing benefits. At the same time, there is also a challenge. There could still be some people who could be left out in certain remote localities or especially among the old or the infirm. The government will have to ensure those persons are not denied the benefits because they don’t possess an Aadhaar. We have a provision in the law under section 7 that when an Aadhaar number is not assigned the person shall be given the benefit through some alternative and viable means of identification. The concerned agencies have to establish this system. Then, even if an Aadhaar number is given and because of connectivity or some technical problem or, say, if the fingerprint is not matching – to take care of such exceptions, processes have to be built into the system so benefits should not get interrupted.