Aadhaar Data Privacy Policy

This Privacy Policy (“Policy”) governs the manner in which EGron Indiatech Pvt. Ltd. (the “eGron” or “We”) collect the personal data including Aadhaar number/Virtual ID, directly from the users/customers (each, a “User” or “You/ you” or “Your/ your” or “Aadhaar Number Holder”) for conducting authentication with the Unique Identification Authority of India (“UIDAI”) in respect of providing the services by EGron (as elaborated in the Terms and Conditions of EGron) (“Services”). EGron undertakes the above authentications as per the UIDAI guidelines to enable some of its Services / business functions.

Note: All the terms and conditions/ policies in respect of the Services provided by EGron Indiatech Pvt. Ltd. (as set out in the Terms and Conditions or any other policies of EGron) are incorporated in this Policy by reference.

Introduction

EGron handles sensitive resident information such as the Biometric information, Aadhaar number, e-KYC information etc. of the Customer, it becomes imperative to ensure its security and safety to prevent unauthorized access. This Policy is in line with the directions of Information Security Policy issued by UIDAI and is applicable wherever UIDAI information is processed and/or stored by EGron.

Purpose

The Purpose of this Policy include:

  • Design suitable controls to ensure the privacy and security of the Biometric information of the Customer as well as Aadhaar number and any other data received from the UIDAI in due course of authentication.
  • he purpose of this Policy is to provide direction to the various stakeholders and responsible personnel within the EGron to protect personal data of the Customer in compliance to the relevant provisions of the Aadhaar Act, 2016 (“Aadhaar Act”); the Aadhaar and Other Laws (Amendment) Act, 2019; the Aadhaar (Authentication) Regulations, 2016; the Aadhaar (Data Security) Regulations; the Aadhaar (Sharing of Information) Regulations, 2016; and the Information Technology Act, 2000, and regulations thereunder.

Applicability

The Policy will apply to all departments/ employees/ officials/ agents of the EGron which access, process or store Aadhaar number and any other data received from the Customer or UIDAI in due course of authentication.

Terms and Definitions:

Aadhaar number means an identification number issued to an individual under sub-section (3) of section 3, and includes any alternative virtual identity generated under sub-section (4) of that section.

Aadhaar Data Vault (ADV) means a separate secure database/vault/system where the entities mandatorily store Aadhaar numbers and any connected data such that it will be the only place where the said data will be stored.

Anonymization in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which an individual cannot be identified, which meets the standards of irreversibility.

Authentication means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it.

Authentication Service Agency or ASA shall mean an entity providing necessary infrastructure for ensuring secure network connectivity and related services for enabling a requesting entity to perform authentication using the authentication facility provided by the Authority.

Authentication User Agency or AUA means a requesting entity that uses the Yes/ No authentication facility provided by the Authority.

Authority means the Unique Identification Authority of India established under sub-section (1) of section 11 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.

Biometric information means photograph, fingerprint, iris scan, or such other biological attributes of an individual as may be specified by regulations.

Central Identities Data Repository (CIDR) means a centralised database in one or more locations containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto.

Consent means the consent referred to in section 11 of PDP bill 2019

  • 1) The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing.
  • 2) The consent of the data principal shall not be valid, unless such consent is—
    • Free, having regard to whether it complies with the standard specified under section 14 of the Indian Contract Act, 1872;
    • Informed, having regard to whether the data principal has been provided with the information required under section 7;
    • Specific, having regard to whether the data principal can determine the scope of consent in respect of the purpose of processing;
    • Clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and
    • Capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.
  • 3) In addition to the provisions contained in sub-section (2), the consent of the data principal in respect of processing of any sensitive personal data shall be explicitly obtained—
    • After informing him the purpose of, or operation in, processing which is likely to cause significant harm to the data principal;
    • In clear terms without recourse to inference from conduct in a context; and
    • After giving him the choice of separately consenting to the purposes of, operations in, the use of different categories of, sensitive personal data relevant to processing.
  • 4) The provision of any goods or services or the quality thereof, or the performance of any contract, or the enjoyment of any legal right or claim, shall not be made conditional on the consent to the processing of any personal data not necessary for that purpose.
  • 5) The burden of proof that the consent has been given by the data principal for processing of the personal data under this section shall be on the data fiduciary.
  • 6) Where the data principal withdraws his consent from the processing of any personal data without any valid reason, all legal consequences for the effects of such withdrawal shall be borne by such data principal.

Customer means an individual or entity who intends to avail services pertaining to the PPI Wallet created and maintained by EGron in favor of such individual or entity and includes Walk-in Customers wherever the context so requires, and agents/customer service points (CSP) empaneled/on-boarded by EGron in this respect.

De-identification means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;

Demographic information includes information relating to the name, date of birth, address and other relevant information of an individual, as may

be specified by regulations for the purpose of issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.

E-KYC User Agency or KUA shall mean a requesting entity which, in addition to being an AUA, uses e-KYC authentication facility provided by the Authority.

Global AUAs means the agencies which will have access to full e-KYC (with Aadhaar number) and the ability to store Aadhaar number within their system.

“Local AUAs means the agencies which will only have access to Limited KYC and will not be allowed to store Aadhaar number within their systems.

Hardware Security Module (HSM) means a device that will store the keys used for digital signing of Auth XML and decryption of e-KYC response data received from UIDAI.

Identity informationin respect of an individual, includes his Aadhaar number, his biometric information and his demographic information.

Limited KYC means the service that does not return Aadhaar number and only provides an agency specific unique UID Token along with other demographic fields that are shared with the Local AUAs depending upon its need.

PID Blockmeans the Personal Identity Data element which includes necessary demographic and/or biometric and/or OTP collected from the Aadhaar number holder during authentication.

Personal data means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;

Personnel means all the employees, staff and other individuals employed/contracted by the requesting entities;

PPI Wallet means a prepaid payment instrument created and issued by EGron in terms of the certificate of authorization no. 138/2019 dated September 13, 2019, granted by the Reserve Bank of India.

Processing in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;

Reference Key means an additional key which is mapped with each Aadhaar number stored in the Aadhaar data vault.

Requesting Entity means an agency or person that submits the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository for authentication.

Resident means an individual who has resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment.

Sensitive personal data or information means such personal information which consists of information relating to —

  • Password
  • Financial information such as Bank account or credit card or debit card or other payment instrument details;
  • Physical, physiological and mental health condition;
  • Sexual orientation;
  • Medical records and history;
  • Biometric information;
  • Any detail relating to the above clauses as provided to body corporate for providing service; and
  • Any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise;

Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

“UID Token means a 72-character alphanumeric string returned by UIDAI in response to the authentication and Limited KYC request. It will be unique for each Aadhaar number for a particular entity (AUA/Sub-AUA) and will remain same for an Aadhaar number for all authentication requests by that particular entity.

Virtual ID (VID) means any alternative virtual identity issued as an alternative to the actual Aadhaar number of an individual that shall be generated by the Authority in such manner as may be specified by regulations.

Personal Data collection

EGron shall collect the personal data including Aadhaar number/Virtual ID, directly from the Customer for conducting authentication with UIDAI at the time of providing the Services.

Specific purpose for collection of Personal Data

The identity information including Aadhaar number / Virtual ID shall be collected for the purpose of authentication of Customer for the following purposes:

  • Verification of person(s) for opening of their Prepaid Payment Instrument (“PPI”).
  • Verification of persons for their onboarding as authorized agents of EGron in respect of PPI and for their user access of EGron platform;

The identity information collected and processed shall only be used pursuant to applicable law and as permitted under the Aadhaar Act or its Amendment and Regulations.

The identity information shall not be used beyond the mentioned purpose without consent from the Customer and even with consent use of such information for other purposes should be under the permissible purposes in compliance to the Aadhaar Act.

Process shall be implemented to ensure that Identity information is not used beyond the purposes mentioned in the notice/consent form provided to the Customer.

Notice / Disclosure of Information to Customers

Customer shall be provided relevant information prior to collection of identity information / personal data. These shall include:

  • The purpose for which personal data / identity information is being collected;
  • The information that shall be returned by UIDAI upon authentication;
  • The information that the submission of Aadhaar number or the proof of Aadhaar is mandatory or voluntary for the specified purpose and if mandatory the legal provision mandating it;
  • The alternatives to submission of identity information (if applicable);
  • Details of Section 7 notification (if applicable) by the respective department under the Aadhaar Act, 2016, which makes submission of Aadhaar number as a mandatory or necessary condition to receive subsidy, benefit or services where the expenditure is incurred from the Consolidated Fund of India or Consolidated Fund of State. Alternate and viable means of identification for delivery of the subsidy, benefit or service may be provided if an Aadhaar number is not assigned to an individual;
  • The information that Virtual ID can be used in lieu of Aadhaar number at the time of Authentication;
  • The name and address of EGron collecting and processing the personal data.

Customer shall be notified of the authentication either through the e-mail or phone or SMS at the time of authentication and the EGron shall maintain logs of the same.

Obtaining Consent

Upon notice / disclosure of information to the Customer, consent shall be taken in writing or in electronic form on the website or mobile application or other appropriate means and EGron shall maintain logs of disclosure of information and Customer’s consent.

Legal department shall be involved in vetting the method of taking consent and logging of the same, and formal approval shall be recorded from the legal department.

Processing of Personal data

The identity information, including Aadhaar number, biometric /demographic information collected from the Customer by EGron shall only be used for the Aadhaar authentication process by submitting it to the Central Identities Data Repository (CIDR).

Aadhaar authentication or Aadhaar e-KYC shall be used for the specific purposes declared to UIDAI and permitted by UIDAI. Such specific purposes shall be notified to the Customers at the time of authentication through disclosure of information notice.

EGron shall not use the Identity information including Aadhaar number or e-KYC for any other purposes than allowed under the Prevention Of Money-Laundering Act, 2002 (“PMLA”) (particularly Section 11A of the PMLA) and Rules made thereunder and informed to Customers at the time of Authentication.

For the purpose of e-KYC, the demographic details of the individual received from UIDAI as a response shall be used for identification of the individual for the specific purposes of providing the specific services for the duration of the services.

Retention of Personal Data

The authentication transaction logs shall be stored for a period of two years subsequent to which the logs shall be archived for a period of five years or as per the regulations governing the entity, whichever is later and upon expiry of which period, barring the authentication transaction logs required to be maintained by a court order or pending dispute, the authentication transaction logs shall be deleted.

Sharing of Personal data

Identity information shall not be shared in contravention to the Aadhaar Act 2016, its Amendment, Regulations and other circulars released by UIDAI from time to time.

Biometric information collected shall not be transmitted over any network without creation of encrypted PID block as per Aadhaar Act and regulations.

EGron shall not require a Customer to transmit the Aadhaar number over the Internet unless such transmission is secure and the Aadhaar number is transmitted in encrypted form except where transmission is required for correction of errors or redressal of grievances.

Data Security

The Aadhaar number shall be collected over a secure application, transmitted over a secure channel as per specifications of UIDAI and the identity information returned by UIDAI shall be stored securely.

The biometric information shall be collected, if applicable, using the registered devices specified by UIDAI. These devices encrypt the biometric information at device level and the application sends the same over a secure channel to UIDAI for authentication.

OTP information shall be collected in a secure application and encrypted on the client device before transmitting it over a secure channel as per UIDAI specifications.

Aadhaar /VID number that are submitted by the Customer to the requesting entity and PID block hence created shall not be retained under any event and entity shall retain the parameters received in response from UIDAI.

E-KYC information shall be stored in an encrypted form only. Such encryption shall match UIDAI encryption standards and follow the latest Industry best practice.

EGron has been classified as a Local AUA by UIDAI and does not store Aadhaar numbers of the Customers to maintain their privacy and security;

EGron shall, as mandated by law, encrypt and store the Aadhaar numbers and any connected data only on the secure Aadhaar Data Vault (ADV) in compliance to the Aadhaar data vault circular issued by UIDAI. (Not applicable at present as EGron is Local AUA)

The keys used to digitally sign the authentication request and for encryption of Aadhaar numbers in Data vault shall be stored only in HSMs in compliance to the HSM and Aadhaar Data vault circulars.

EGron shall use only Standardisation Testing and Quality Certification (STQC) / UIDAI certified biometric devices for Aadhaar authentication (if biometric authentication is used).

All applications used for Aadhaar authentication or e-KYC shall be tested for compliance to Aadhaar Act 2016 before being deployed in production and after every change that impacts the processing of Identity information; The applications shall be audited on an annual basis by information systems auditor(s) certified by STQC, CERT-IN or any other UIDAI recognized body.

In the event of an identity information breach, the organisation shall notify UIDAI of the following:

  • A description and the consequences of the breach;
  • A description of the number of Customers affected and the number of records affected;
  • The privacy officer’s contact details;
  • Measures taken to mitigate the identity information breach.

Appropriate security and confidentiality obligations shall be implemented in the non-disclosure agreements (NDAs) with employees/contractual agencies /consultants/advisors and other personnel handling identity information.

Only authorized individuals shall be allowed to access Authentication application, audit logs, authentication servers, application, source code, information security infrastructure. An access control list shall be maintained and regularly updated by organisation.

Best practices in data privacy and data protection based on international Standards shall be adopted.

The response received from CIDR in the form of authentication transaction logs shall be stored with following details:

  • The Aadhaar number against which authentication is sought. In case of Local AUAs where Aadhaar number is not returned by UIDAI and storage is not permitted, respective UID token shall be stored in place of Aadhaar number;
  • Specified parameters received as authentication response;
  • The record of disclosure of information to the Customer at the time of authentication; and
  • Record of consent of the Customer for authentication but shall not, in any event, retain the PID information.

An Information Security Policy in-line with ISO27001 standard, UIDAI specific Information Security Policy and Aadhaar Act shall be formulated to ensure Security of Identity information.

Aadhaar numbers shall only be stored in Aadhaar Data vault as per the specifications provided by UIDAI.

Rights of the Customer

The Customer has the right to obtain and request update of identity information stored with the organisation, including Authentication logs. The collection of core biometric information, storage and further sharing is protected by Section 29 of the Aadhaar Act, hence the Customer cannot request for the core biometric information.

EGron shall provide a process for the Customer to view their identity information stored and request subsequent updation after authenticating the identity of the Customer. In case the update is required from UIDAI, same shall be informed to the Customer.

The Customer may, at any time, revoke consent given to EGron for storing his e-KYC data, and upon such revocation, EGron shall delete the e-KYC data in a verifiable manner and provide an acknowledgement of the same to the Customer.

The Customer has the right to lodge a complaint with the privacy officer who is responsible for monitoring of the identity information processing activities so that the processing is not in contravention of the law.

Customer Access request

A process shall be formulated to handle the queries and process the exercise of rights of Customer with respect to their identity information / personal data. As part of the process it shall be mandatory to authenticate the identity of the Customer before providing access to any identity information.

All requests from the Customer shall be formally recorded and responded to within a reasonable period.

Compliance to the relevant data protection / privacy law (s) shall be ensured.

Privacy by Design

Processes shall be established to embed privacy aspects at the design stage of any new systems, products, processes and technologies involving data processing of identity information of the Customer.

The EGron, in possession of the Aadhaar number of the Customer, shall not make public any database or records of the Aadhaar numbers unless the

Aadhaar numbers have been redacted or blacked out through appropriate means, both in print and in electronic form.

Before going live with any new process that involves processing of identity information, the organisation shall ensure that Disclosure of information / Privacy notice in compliance to the Aadhaar Act, is provided to the Customer and that consent is taken and recorded in compliance to Aadhaar Act.

Quarterly self-assessments shall be conducted to ensure compliance to disclosure of information and consent requirements.

Privacy enhancing organizational and technical measures like anonymization, de-identification and minimization shall be implemented to make the collection of identity information adequate, relevant, and limited to the purpose of processing.

Governance and Accountability Obligations

A Privacy committee shall be established to provide strategic direction on Privacy matters.

A person (Privacy Officer) responsible for developing, implementing, maintaining and monitoring the comprehensive, organization-wide governance and accountability shall be designated to ensure compliance with the applicable laws.

The name of the Privacy Officer and contact details shall be made available to UIDAI and other external agencies through appropriate channel.

The Privacy Officer shall be responsible to assess privacy risks of processing Identity information / personal data and mitigate the risks.

The Privacy Officer shall be independent and shall be involved in all the issues relating to processing of identity information.

The Privacy Officer shall be an expert in data protection and privacy legislations, regulations and best practices.

The Privacy Officer shall advise the top management on the privacy obligations.

The Privacy Officer shall advise the top management on the privacy obligations.

h) The Privacy Officer shall advise on high-risk processing and the requirement of data privacy impact assessments.

The Privacy Officer shall act as a point of contact for UIDAI for coordination and implementation of privacy practices and other external agencies for any queries.

The Privacy Officer shall be responsible for managing privacy incidents and responding to the same

The Privacy Officer shall also be responsible for putting in place measures to create awareness and training of staff involved in processing identity information, about the legal consequences of data breach to the reputation of the organization.

Privacy officer shall ensure that the Authentication operations, systems and applications are audited by CERT-IN (Indian Computer Emergency Response Team), Standardization Testing and Quality Certification (STQC) empaneled auditors or any other UIDAI recognized body at least on an annual basis.

Privacy officer shall conduct internal audits (through internal audit team) on a quarterly basis and monitor compliance through these audits against Aadhaar Act 2016.

Privacy officer shall ensure that the front-end operators interacting with the Customers are trained on a periodic basis to ensure they communicate the disclosure of information to the Customer, take consent appropriately after showing the screen to the Customer and ensure Security of identity information. Such trainings shall be documented for audit purposes.

Aadhaar specific trainings to developers, systems admins and other users shall be provided to ensure they are aware of the obligations for their respective roles; Completion of such trainings shall be documented.

Privacy officer shall be responsible to formally communicate this Policy to all stakeholders and staff who need to comply with this Policy; Any changes to the Policy shall be communicated immediately.

Privacy Officer shall facilitate formal Privacy performance reviews with the relevant stakeholders / Privacy Committee and suggest improvements. The reviews shall consider the results of various audits, privacy incidents, privacy initiatives, UIDAI requirements etc

Transfer of Identity information outside India is prohibited

Identity information shall not be hosted or transferred outside the territory of India in compliance to the Aadhaar Act and its Regulations.

Grievance Redressal Mechanism

Customers with grievances about the processing can contact the organisation’s Privacy Officer via multiple channels like on the website, through phone, SMS, mobile application etc.

Reasonable measures shall be taken to inform the Customers about the Privacy Officer and its contact details.

The contact details of Privacy Officer and the format for filing the complaint shall be displayed on the organisations’ website and other such mediums that are commonly used for interaction with the Customers.

Where the medium of interaction is not electronic (such as physical), Poster / Notice board that is prominently visible shall be used to display the name of Privacy officer and contact details.

f any issue is not resolved through consultation with the management of the EGron, Customer can seek redressal by way of mechanisms as specified in Section 33B of the Aadhaar Act.

Responsibility for implementation and enforcement of the Policy

The overall responsibility of monitoring and enforcement of this Policy through various mechanisms such as Audits etc. shall be with the Chief Compliance & Risk Officer

Responsibility of the implementation of controls of this Policy shall be with the Chief Compliance & Risk Officer.

Responsibility of review of Disclosure of information notice, consent clause, method of consent, logging of consent etc. shall be with the Legal Head, Mr. Prashant Kumar Mishra.

Contact Details

Relevant Provisions of Aadhaar Act and Supreme Court of India Judgement

Following relevant documents shall be referred to for ensuring compliance to the Aadhar requirements:

  • Judgement of Honourable Supreme court dated 26th September 2018
  • Aadhaar and Other Laws (Amendment) Act 2019
  • Aadhaar (Authentication) Regulations 2016
  • Aadhaar (Data Security) Regulations 2016
  • Aadhaar (Sharing of Information) Regulations 2016
  • Any other Regulations or notices or Circulars issued by UIDAI from time to time.

Abbreviations

  • ADV: Aadhaar Data Vault
  • ASA: Authentication Service Agency
  • AUA: Authentication User Agency
  • CERT: In Indian Computer Emergency Response Team
  • CIDR: Central Identities Data Repository
  • E-KYC: Electronic Know Your Customer
  • E-Mail: Electronic Mail
  • HSM: Hardware Security Module
  • KUA: e-KYC User Agency
  • NDA: Non-Disclosure Agreement
  • OTP: One-Time Password
  • PID: Personal Identity Data
  • SMS: Short Message Service
  • STQC: Standardisation Testing and Quality Certification
  • UIDAI: Unique Identification Authority of India
  • UID Token: Unique ID Token
  • VID: Virtual ID