Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016- Chapter VI- Protection Of Information

By
Tilak Marg
-

Chapter VI

PROTECTION OF INFORMATION

28. Security and confidentiality of information.

28. Security and confidentiality of information.—(1) The Authority shall ensure the security of identity information and authentication records of individuals.

(2) Subject to the provisions of this Act, the Authority shall ensure confidentiality of identity information and authentication records of individuals.

(3) The Authority shall take all necessary measures to ensure that the information in the possession or control of the Authority, including information stored in the Central Identities Data Repository, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.

(4) Without prejudice to sub-sections (1) and (2), the Authority shall—

(a) adopt and implement appropriate technical and organisational security measures;

(b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for performing any function of the Authority under this Act, have in place appropriate technical and organisational security measures for the information; and

(c) ensure that the agreements or arrangements entered into with such agencies, consultants, advisors or other persons, impose obligations equivalent to those imposed on the Authority under this Act, and require such agencies, consultants, advisors and other persons to act only on instructions from the Authority.

(5) Notwithstanding anything contained in any other law for the time being in force, and save as otherwise provided in this Act, the Authority or any of its officers or other employees or any agency that maintains the Central Identities Data Repository shall not, whether during his service or thereafter, reveal any information stored in the Central Identities Data Repository or authentication record to anyone:

Provided that an Aadhaar number holder may request the Authority to provide access to his identity information excluding his core biometric information in such manner as may be specified by regulations.

29. Restriction on sharing information.

29. Restriction on sharing information.—(1) No core biometric information, collected or created under this Act, shall be—

(a) shared with anyone for any reason whatsoever; or

(b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.

(2) The identity information, other than core biometric information, collected or created under this Act may be shared only in accordance with the provisions of this Act and in such manner as may be specified by regulations.

[i][(3) No identity information available with a requesting entity or offline verification-seeking entity shall be—

(a) used for any purpose, other than the purposes informed in writing to the individual at the time of submitting any information for authentication or offline verification; or

(b) disclosed for any purpose, other than purposes informed in writing to the individual at the time of submitting any information for authentication or offline verification:

Provided that the purposes under clauses (a) and (b) shall be in clear and precise language understandable to the individual.]

(4) No Aadhaar number [ii][, demographic information or photograph] collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for the purposes as may be specified by regulations.

 

Other Contents of Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016

Chapter I- Preliminary
Chapter II- Enrolment
Chapter III- Authentication
Chapter IV- Unique Identification Authority Of India
Chapter V- Grants, Accounts And Audit And Annual Report
Chapter VI- Protection Of Information
Chapter VI-A- Civil Penalties
Chapter VII- Offences And Penalties
Chapter VIII- Miscellaneous

 

30. Biometric information deemed to be sensitive personal information.

30. Biometric information deemed to be sensitive personal information.—The biometric information collected and stored in electronic form, in accordance with this Act and regulations made thereunder, shall be deemed to be “electronic record” and “sensitive personal data or information”, and the provisions contained in the Information Technology Act, 2000 (21 of 2000) and the rules made thereunder shall apply to such information, in addition to, and to the extent not in derogation of the provisions of this Act.

Explanation.—For the purposes of this section, the expressions—

(a) “electronic form” shall have the same meaning as assigned to it in clause (r) of sub-section (1) of Section 2 of the Information Technology Act, 2000 (21 of 2000);

(b) “electronic record” shall have the same meaning as assigned to it in clause (t) of sub-section (1) of Section 2 of the Information Technology Act, 2000 (21 of 2000);

(c) “sensitive personal data or information” shall have the same meaning as assigned to it in clause (iii) of the Explanation to Section 43-A of the Information Technology Act, 2000 (21 of 2000).

31. Alteration of demographic information or biometric information.

31. Alteration of demographic information or biometric information.—(1) In case any demographic information of an Aadhaar number holder is found incorrect or changes subsequently, the Aadhaar number holder shall request the Authority to alter such demographic information in his record in the Central Identities Data Repository in such manner as may be specified by regulations.

(2) In case any biometric information of Aadhaar number holder is lost or changes subsequently for any reason, the Aadhaar number holder shall request the Authority to make necessary alteration in his record in the Central Identities Data Repository in such manner as may be specified by regulations.

(3) On receipt of any request under sub-section (1) or sub-section (2), the Authority may, if it is satisfied, make such alteration as may be required in the record relating to such Aadhaar number holder and intimate such alteration to the concerned Aadhaar number holder.

(4) No identity information in the Central Identities Data Repository shall be altered except in the manner provided in this Act or regulations made in this behalf.

32. Access to own information and records of requests for authentication.

32. Access to own information and records of requests for authentication.—(1) The Authority shall maintain authentication records in such manner and for such period as may be specified by regulations.

(2) Every Aadhaar number holder shall be entitled to obtain his authentication record in such manner as may be specified by regulations.

(3) The Authority shall not, either by itself or through any entity under its control, collect, keep or maintain any information about the purpose of authentication.

33. Disclosure of information in certain cases.

33. Disclosure of information in certain cases.—(1) Nothing contained in sub-section (2) or sub-section (5) of Section 28 or sub-section (2) of Section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made pursuant to an order of a court not inferior to that of a [iii][Judge of a High Court]:

Provided that no order by the court under this sub-section shall be made without giving an opportunity of hearing to the Authority [iv][and the concerned Aadhaar number holder]:

[v][Provided further that the core biometric information shall not be disclosed under this sub-section.]

(2) Nothing contained in sub-section (2) or sub-section (5) of Section 28 and clause (b) of sub-section (1), sub-section (2) or sub-section (3) of Section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of [vi][Secretary] to the Government of India specially authorised in this behalf by an order of the Central Government:

Provided that every direction issued under this sub-section, shall be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect:

Provided further that any direction issued under this sub-section shall be valid for a period of three months from the date of its issue, which may be extended for a further period of three months after the review by the Oversight Committee.

References

[i]  Substituted by Act 14 of 2019, S. 13(a) (w.e.f. 25-7-2019).

[ii]  Substituted for “or core biometric information” by Act 14 of 2019, S. 13(b) (w.e.f. 25-7-2019).

[iii]  Substituted for “District Judge” by Act 14 of 2019, S. 14(i)(a) (w.e.f. 25-7-2019).

[iv]  Inserted by Act 14 of 2019, S. 14(i)(b) (w.e.f. 25-7-2019).

[v]  Inserted by Act 14 of 2019, S. 14(i)(c) (w.e.f. 25-7-2019).

[vi]  Substituted for “Joint Secretary” by Act 14 of 2019, S. 14(ii) (w.e.f. 25-7-2019).

[disclaimer]

LEAVE YOUR COMMENT

Note: 1. Your email is kept confidential and is NOT displayed. 2. All comments are moderated. 3. Do NOT use keywords or dummy names in the Name field. 4. Spam or abusive comments or comments with hyperlinks will be deleted.

Please enter your comment!
Please enter your name here