How safe is your Aadhaar data and what security measures are taken by UIDAI: Here’s all you need to know

Here’s all you need to know about the data protection and privacy measures taken by UIDAI


The Aadhaar number is a 12-digit random number issued by the Unique Identification Authority of India (UIDAI) to the residents of India after satisfying the verification process laid down by it. The Aadhaar number is a proof of identity and does not confer any right of citizenship or domicile. Aadhaar has become very important now that the government has made the number compulsory for many financial transactions as well as a host of social schemes. However, the involvement of third-party agencies in data collection for Aadhaar has also left a lot of people worried over the safety and protection of their personal information and biometric data.

UIDAI, however, says that there is no need to worry as protection of an individual and safeguarding his/her information is inherent in the design of the UID project. UIDAI also has the obligation to ensure the security and confidentiality of the data collected.

Here’s all you need to know about the data protection and privacy measures taken by UIDAI:

1. What are the privacy protections in place to protect the right to privacy of the resident?
Protection of an individual and safeguarding his/her information is inherent in the design of the UID project. From having a random number which does not reveal anything about the individual to many other features, the UID project keeps the interest of the resident at the core of its purpose and objectives.

# Collecting limited information
The UIDAI is collecting only basic data fields – Name, Date of Birth, Gender, Address, Parent/Guardian’s name (essential for children but not for others), photo, 10 fingerprints and iris scan.

# No profiling and tracking information collected
The UIDAI policy bars it from collecting sensitive personal information such as religion, caste, community, class, ethnicity, income and health. The profiling of individuals is, therefore, not possible through the UID system.

# Release of information
UIDAI does not reveal personal information in the Aadhaar database – the only response is a ‘yes’ or ‘no’ to requests to verify an identity.

# Convergence and linking of UIDAI information to other databases
The UID database is not linked to any other databases, or to information held in other databases. Its only purpose is to verify a person’s identity at the point of receiving a service, and that too with the consent of the Aadhaar number holder.

The UID database is guarded both physically and electronically by a few select individuals with high clearance. The data is secured with the best encryption features, and in a highly secure data vault. All access details are properly logged.

2. What are the data protection and privacy measures taken by UIDAI?
The UIDAI has the obligation to ensure the security and confidentiality of the data collected. The data will be collected on software provided by the UIDAI and encrypted to prevent leaks in transit. The UIDAI has a comprehensive security policy to ensure the safety and integrity of its data. There are security and storage protocols in place. UIDAI guidelines are available on its website.

Penalties for any security violation will be severe, and include penalties for disclosing identity information. There will also be penal consequences for unauthorised access to CIDR – including hacking, and penalties for tampering with data in the CIDR.

3. What are the possible criminal penalties envisaged against fraud or unauthorized access to data?

Following are the possible criminal penalties in the Bill:
# Impersonation by providing false demographic or biometric information is an offence – imprisonment for 3 years and a fine of Rs 10,000.
# Appropriating the identity of an Aadhaar number holder by changing or attempting to change the demographic and biometric information of an Aadhaar number holder is an offence – imprisonment for 3 years and a fine of Rs 10,000.
# Pretending to be an agency authorized to collect Identity information of a resident is an offence – imprisonment for 3 years and a fine of Rs 10,000 for a person, and Rs 1 lakh for a company.
# Intentionally transmitting information collected during enrolment and authentication to an unauthorized person is an offence – imprisonment for 3 years and a fine of Rs 10,000 for a person, and Rs 1 lakh for a company.
# Unauthorized access to the central identities data repository (CIDR) and hacking is an offence – imprisonment for 3 years and a fine of Rs 1 crore.
# Tampering with the central identities data repository is an offence – imprisonment for 3 years and a fine of Rs 10,000.
# Providing biometrics that are not one’s own is an offence – imprisonment for 3 years and a fine of Rs 10,000.

Security Concerns Remain

Despite these security systems and criminal penalties, some security concerns remain as third-party agencies are involved in collecting data for Aadhaar. A majority of experts, however, say that the UIDAI itself has clarified that the usage of private agencies is commonplace in most government systems, including the Passport system of India, which also collects demographic and biometric data. From this perspective, usage of private agencies/companies in itself is not against any government practices. Moreover, there are legal statutes in place that prevent third parties from holding the Aadhaar data. They are only allowed to collect and transmit the encrypted data to the UIDAI servers and receive acknowledgements. Also, UIDAI has implemented strong security and data protection measures, which makes it impossible to steal data.

Some experts, however, say that ultimately every system (including the Social Security number in the US) is prone to some risk or other of error or mischief, and Aadhaar is no exception. Hence, be it a government agency or a third party managing it, there will always be a risk of human error or mischief.