This Privacy Policy (“Policy”) governs the manner in which EGron Indiatech Pvt. Ltd. (the “eGron” or “We”) collect the personal data including Aadhaar number/Virtual ID, directly from the users/customers (each, a “User” or “You/ you” or “Your/ your” or “Aadhaar Number Holder”) for conducting authentication with the Unique Identification Authority of India (“UIDAI”) in respect of providing the services by EGron (as elaborated in the Terms and Conditions of EGron) (“Services”). EGron undertakes the above authentications as per the UIDAI guidelines to enable some of its Services / business functions.
Note: All the terms and conditions/ policies in respect of the Services provided by EGron Indiatech Pvt. Ltd. (as set out in the Terms and Conditions or any other policies of EGron) are incorporated in this Policy by reference.
EGron handles sensitive resident information such as the Biometric information, Aadhaar number, e-KYC information etc. of the Customer, it becomes imperative to ensure its security and safety to prevent unauthorized access. This Policy is in line with the directions of Information Security Policy issued by UIDAI and is applicable wherever UIDAI information is processed and/or stored by EGron.
The Purpose of this Policy include:
The Policy will apply to all departments/ employees/ officials/ agents of the EGron which access, process or store Aadhaar number and any other data received from the Customer or UIDAI in due course of authentication.
Aadhaar number means an identification number issued to an individual under sub-section (3) of section 3, and includes any alternative virtual identity generated under sub-section (4) of that section.
Aadhaar Data Vault (ADV) means a separate secure database/vault/system where the entities mandatorily store Aadhaar numbers and any connected data such that it will be the only place where the said data will be stored.
Anonymization in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which an individual cannot be identified, which meets the standards of irreversibility.
Authentication means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it.
Authentication Service Agency or ASA shall mean an entity providing necessary infrastructure for ensuring secure network connectivity and related services for enabling a requesting entity to perform authentication using the authentication facility provided by the Authority.
Authentication User Agency or AUA means a requesting entity that uses the Yes/ No authentication facility provided by the Authority.
Authority means the Unique Identification Authority of India established under sub-section (1) of section 11 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.
Biometric information means photograph, fingerprint, iris scan, or such other biological attributes of an individual as may be specified by regulations.
Central Identities Data Repository (CIDR) means a centralised database in one or more locations containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto.
Consent means the consent referred to in section 11 of PDP bill 2019
Customer means an individual or entity who intends to avail services pertaining to the PPI Wallet created and maintained by EGron in favor of such individual or entity and includes Walk-in Customers wherever the context so requires, and agents/customer service points (CSP) empaneled/on-boarded by EGron in this respect.
De-identification means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;
Demographic information includes information relating to the name, date of birth, address and other relevant information of an individual, as may
be specified by regulations for the purpose of issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.
E-KYC User Agency or KUA shall mean a requesting entity which, in addition to being an AUA, uses e-KYC authentication facility provided by the Authority.
Global AUAs means the agencies which will have access to full e-KYC (with Aadhaar number) and the ability to store Aadhaar number within their system.
“Local AUAs means the agencies which will only have access to Limited KYC and will not be allowed to store Aadhaar number within their systems.
Hardware Security Module (HSM) means a device that will store the keys used for digital signing of Auth XML and decryption of e-KYC response data received from UIDAI.
Identity informationin respect of an individual, includes his Aadhaar number, his biometric information and his demographic information.
Limited KYC means the service that does not return Aadhaar number and only provides an agency specific unique UID Token along with other demographic fields that are shared with the Local AUAs depending upon its need.
PID Blockmeans the Personal Identity Data element which includes necessary demographic and/or biometric and/or OTP collected from the Aadhaar number holder during authentication.
Personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;
Personnel means all the employees, staff and other individuals employed/contracted by the requesting entities;
PPI Wallet means a prepaid payment instrument created and issued by EGron in terms of the certificate of authorization no. 138/2019 dated September 13, 2019, granted by the Reserve Bank of India.
Processing in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;
Reference Key means an additional key which is mapped with each Aadhaar number stored in the Aadhaar data vault.
Requesting Entity means an agency or person that submits the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository for authentication.
Resident means an individual who has resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment.
Sensitive personal data or information means such personal information which consists of information relating to —
Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
“UID Token means a 72-character alphanumeric string returned by UIDAI in response to the authentication and Limited KYC request. It will be unique for each Aadhaar number for a particular entity (AUA/Sub-AUA) and will remain same for an Aadhaar number for all authentication requests by that particular entity.
Virtual ID (VID) means any alternative virtual identity issued as an alternative to the actual Aadhaar number of an individual that shall be generated by the Authority in such manner as may be specified by regulations.
EGron shall collect the personal data including Aadhaar number/Virtual ID, directly from the Customer for conducting authentication with UIDAI at the time of providing the Services.
The identity information including Aadhaar number / Virtual ID shall be collected for the purpose of authentication of Customer for the following purposes:
The identity information collected and processed shall only be used pursuant to applicable law and as permitted under the Aadhaar Act or its Amendment and Regulations.
The identity information shall not be used beyond the mentioned purpose without consent from the Customer and even with consent use of such information for other purposes should be under the permissible purposes in compliance to the Aadhaar Act.
Process shall be implemented to ensure that Identity information is not used beyond the purposes mentioned in the notice/consent form provided to the Customer.
Customer shall be provided relevant information prior to collection of identity information / personal data. These shall include:
Customer shall be notified of the authentication either through the e-mail or phone or SMS at the time of authentication and the EGron shall maintain logs of the same.
Upon notice / disclosure of information to the Customer, consent shall be taken in writing or in electronic form on the website or mobile application or other appropriate means and EGron shall maintain logs of disclosure of information and Customer’s consent.
Legal department shall be involved in vetting the method of taking consent and logging of the same, and formal approval shall be recorded from the legal department.
The identity information, including Aadhaar number, biometric /demographic information collected from the Customer by EGron shall only be used for the Aadhaar authentication process by submitting it to the Central Identities Data Repository (CIDR).
Aadhaar authentication or Aadhaar e-KYC shall be used for the specific purposes declared to UIDAI and permitted by UIDAI. Such specific purposes shall be notified to the Customers at the time of authentication through disclosure of information notice.
EGron shall not use the Identity information including Aadhaar number or e-KYC for any other purposes than allowed under the Prevention Of Money-Laundering Act, 2002 (“PMLA”) (particularly Section 11A of the PMLA) and Rules made thereunder and informed to Customers at the time of Authentication.
For the purpose of e-KYC, the demographic details of the individual received from UIDAI as a response shall be used for identification of the individual for the specific purposes of providing the specific services for the duration of the services.
The authentication transaction logs shall be stored for a period of two years subsequent to which the logs shall be archived for a period of five years or as per the regulations governing the entity, whichever is later and upon expiry of which period, barring the authentication transaction logs required to be maintained by a court order or pending dispute, the authentication transaction logs shall be deleted.
Identity information shall not be shared in contravention to the Aadhaar Act 2016, its Amendment, Regulations and other circulars released by UIDAI from time to time.
Biometric information collected shall not be transmitted over any network without creation of encrypted PID block as per Aadhaar Act and regulations.
EGron shall not require a Customer to transmit the Aadhaar number over the Internet unless such transmission is secure and the Aadhaar number is transmitted in encrypted form except where transmission is required for correction of errors or redressal of grievances.
The Aadhaar number shall be collected over a secure application, transmitted over a secure channel as per specifications of UIDAI and the identity information returned by UIDAI shall be stored securely.
The biometric information shall be collected, if applicable, using the registered devices specified by UIDAI. These devices encrypt the biometric information at device level and the application sends the same over a secure channel to UIDAI for authentication.
OTP information shall be collected in a secure application and encrypted on the client device before transmitting it over a secure channel as per UIDAI specifications.
Aadhaar /VID number that are submitted by the Customer to the requesting entity and PID block hence created shall not be retained under any event and entity shall retain the parameters received in response from UIDAI.
E-KYC information shall be stored in an encrypted form only. Such encryption shall match UIDAI encryption standards and follow the latest Industry best practice.
EGron has been classified as a Local AUA by UIDAI and does not store Aadhaar numbers of the Customers to maintain their privacy and security;
EGron shall, as mandated by law, encrypt and store the Aadhaar numbers and any connected data only on the secure Aadhaar Data Vault (ADV) in compliance to the Aadhaar data vault circular issued by UIDAI. (Not applicable at present as EGron is Local AUA)
The keys used to digitally sign the authentication request and for encryption of Aadhaar numbers in Data vault shall be stored only in HSMs in compliance to the HSM and Aadhaar Data vault circulars.
EGron shall use only Standardisation Testing and Quality Certification (STQC) / UIDAI certified biometric devices for Aadhaar authentication (if biometric authentication is used).
All applications used for Aadhaar authentication or e-KYC shall be tested for compliance to Aadhaar Act 2016 before being deployed in production and after every change that impacts the processing of Identity information; The applications shall be audited on an annual basis by information systems auditor(s) certified by STQC, CERT-IN or any other UIDAI recognized body.
In the event of an identity information breach, the organisation shall notify UIDAI of the following:
Appropriate security and confidentiality obligations shall be implemented in the non-disclosure agreements (NDAs) with employees/contractual agencies /consultants/advisors and other personnel handling identity information.
Only authorized individuals shall be allowed to access Authentication application, audit logs, authentication servers, application, source code, information security infrastructure. An access control list shall be maintained and regularly updated by organisation.
Best practices in data privacy and data protection based on international Standards shall be adopted.
The response received from CIDR in the form of authentication transaction logs shall be stored with following details:
An Information Security Policy in-line with ISO27001 standard, UIDAI specific Information Security Policy and Aadhaar Act shall be formulated to ensure Security of Identity information.
Aadhaar numbers shall only be stored in Aadhaar Data vault as per the specifications provided by UIDAI.
The Customer has the right to obtain and request update of identity information stored with the organisation, including Authentication logs. The collection of core biometric information, storage and further sharing is protected by Section 29 of the Aadhaar Act, hence the Customer cannot request for the core biometric information.
EGron shall provide a process for the Customer to view their identity information stored and request subsequent updation after authenticating the identity of the Customer. In case the update is required from UIDAI, same shall be informed to the Customer.
The Customer may, at any time, revoke consent given to EGron for storing his e-KYC data, and upon such revocation, EGron shall delete the e-KYC data in a verifiable manner and provide an acknowledgement of the same to the Customer.
The Customer has the right to lodge a complaint with the privacy officer who is responsible for monitoring of the identity information processing activities so that the processing is not in contravention of the law.
A process shall be formulated to handle the queries and process the exercise of rights of Customer with respect to their identity information / personal data. As part of the process it shall be mandatory to authenticate the identity of the Customer before providing access to any identity information.
All requests from the Customer shall be formally recorded and responded to within a reasonable period.
Compliance to the relevant data protection / privacy law (s) shall be ensured.
Processes shall be established to embed privacy aspects at the design stage of any new systems, products, processes and technologies involving data processing of identity information of the Customer.
The EGron, in possession of the Aadhaar number of the Customer, shall not make public any database or records of the Aadhaar numbers unless the
Aadhaar numbers have been redacted or blacked out through appropriate means, both in print and in electronic form.
Before going live with any new process that involves processing of identity information, the organisation shall ensure that Disclosure of information / Privacy notice in compliance to the Aadhaar Act, is provided to the Customer and that consent is taken and recorded in compliance to Aadhaar Act.
Quarterly self-assessments shall be conducted to ensure compliance to disclosure of information and consent requirements.
Privacy enhancing organizational and technical measures like anonymization, de-identification and minimization shall be implemented to make the collection of identity information adequate, relevant, and limited to the purpose of processing.
A Privacy committee shall be established to provide strategic direction on Privacy matters.
A person (Privacy Officer) responsible for developing, implementing, maintaining and monitoring the comprehensive, organization-wide governance and accountability shall be designated to ensure compliance with the applicable laws.
The name of the Privacy Officer and contact details shall be made available to UIDAI and other external agencies through appropriate channel.
The Privacy Officer shall be responsible to assess privacy risks of processing Identity information / personal data and mitigate the risks.
The Privacy Officer shall be independent and shall be involved in all the issues relating to processing of identity information.
The Privacy Officer shall be an expert in data protection and privacy legislations, regulations and best practices.
The Privacy Officer shall advise the top management on the privacy obligations.
The Privacy Officer shall advise the top management on the privacy obligations.
h) The Privacy Officer shall advise on high-risk processing and the requirement of data privacy impact assessments.
The Privacy Officer shall act as a point of contact for UIDAI for coordination and implementation of privacy practices and other external agencies for any queries.
The Privacy Officer shall be responsible for managing privacy incidents and responding to the same
The Privacy Officer shall also be responsible for putting in place measures to create awareness and training of staff involved in processing identity information, about the legal consequences of data breach to the reputation of the organization.
Privacy officer shall ensure that the Authentication operations, systems and applications are audited by CERT-IN (Indian Computer Emergency Response Team), Standardization Testing and Quality Certification (STQC) empaneled auditors or any other UIDAI recognized body at least on an annual basis.
Privacy officer shall conduct internal audits (through internal audit team) on a quarterly basis and monitor compliance through these audits against Aadhaar Act 2016.
Privacy officer shall ensure that the front-end operators interacting with the Customers are trained on a periodic basis to ensure they communicate the disclosure of information to the Customer, take consent appropriately after showing the screen to the Customer and ensure Security of identity information. Such trainings shall be documented for audit purposes.
Aadhaar specific trainings to developers, systems admins and other users shall be provided to ensure they are aware of the obligations for their respective roles; Completion of such trainings shall be documented.
Privacy officer shall be responsible to formally communicate this Policy to all stakeholders and staff who need to comply with this Policy; Any changes to the Policy shall be communicated immediately.
Privacy Officer shall facilitate formal Privacy performance reviews with the relevant stakeholders / Privacy Committee and suggest improvements. The reviews shall consider the results of various audits, privacy incidents, privacy initiatives, UIDAI requirements etc
Identity information shall not be hosted or transferred outside the territory of India in compliance to the Aadhaar Act and its Regulations.
Customers with grievances about the processing can contact the organisation’s Privacy Officer via multiple channels like on the website, through phone, SMS, mobile application etc.
Reasonable measures shall be taken to inform the Customers about the Privacy Officer and its contact details.
The contact details of Privacy Officer and the format for filing the complaint shall be displayed on the organisations’ website and other such mediums that are commonly used for interaction with the Customers.
Where the medium of interaction is not electronic (such as physical), Poster / Notice board that is prominently visible shall be used to display the name of Privacy officer and contact details.
f any issue is not resolved through consultation with the management of the EGron, Customer can seek redressal by way of mechanisms as specified in Section 33B of the Aadhaar Act.
The overall responsibility of monitoring and enforcement of this Policy through various mechanisms such as Audits etc. shall be with the Chief Compliance & Risk Officer
Responsibility of the implementation of controls of this Policy shall be with the Chief Compliance & Risk Officer.
Responsibility of review of Disclosure of information notice, consent clause, method of consent, logging of consent etc. shall be with the Legal Head, Mr. Prashant Kumar Mishra.
Relevant Provisions of Aadhaar Act and Supreme Court of India Judgement
Following relevant documents shall be referred to for ensuring compliance to the Aadhar requirements: