Srikrishna Committee Recommended Amendments for Data Protection In Adhaar Act

NEW DELHI: In a bid to address privacy concerns, the UIDAI today introduced a new concept of 'Virtual ID' which Aadhaar-card holder can generate from its website and give for various purposes, including SIM verification, instead of sharing the actual 12-digit biometric ID.

This will give the users the option of not sharing their Aadhaar number at the time of authentication.

The Virtual ID, which would be a random 16-digit number, together with biometrics of the user would give any authorized agency like a mobile company, limited details like name, address, and photograph, which are enough for any verification.

Officials said a user can generate as many Virtual IDs as he or she wants. The older ID gets automatically canceled once a fresh one is generated.

The Unique Identification Authority of India (UIDAI) has also introduced the concept of 'limited KYC' under which it will only provide need-based or limited details of a user to an authorized agency that is providing a particular service, say, a telco.

The Virtual ID will be a temporary and revocable 16 digit random number mapped to a person's Aadhaar number and the Aadhaar-issuing body will start accepting it from March 1, 2018.

From June 1, 2018, it will be compulsory for all agencies that undertake authentication to accept the Virtual ID from their users.

Agencies that do not migrate to the new system to offer this additional option to their users by the stipulated deadline will face financial disincentives.

"Aadhaar number holder can use the Virtual ID in lieu of Aadhaar number whenever authentication or KYC services are performed. Authentication may be performed using the Virtual ID in a manner similar to using Aadhaar number," a UIDAI circular said.

The move aims to strengthen the privacy and security of Aadhaar data and comes amid heightened concerns around the collection and storage of personal and demographic data of individuals.

Users can go to the UIDAI website to generate their virtual ID which will be valid for a defined period of time, or till the user decides to change it.

They can give this Virtual ID to service agencies along with the fingerprint at the time of authentication. Since the system generated Virtual ID will be mapped to an individual's Aadhaar number itself at the back end, it will do away with the need for the user to share Aadhaar number for authentication.The Unique Identification Authority of India (UIDAI) on Wednesday put in place a two-layer security mechanism to reinforce privacy protection for Aadhaar ID number holders. 

It introduced a virtual identification for the ID holders so that the actual Aadhaar number need not be shared to authenticate identity. It also places more restrictions on the storage of the Aadhaar number within various databases.

The idea behind the changes is to address privacy concerns which have resulted in a legal challenge to Aadhaar in the Supreme Court, and to also prevent potential misuse of an individual’s Aadhaar details.

UIDAI has been under the scanner over the past few months over allegations of access of personal information by random entities without the consent of individual Aadhaar holders.

The virtual ID will be a 16-digit random number mapped with the Aadhaar number. It can only be generated, replaced or revoked by the Aadhaar number holder from time to time.

“It will not be possible to derive the Aadhaar number from the virtual ID,” a circular issued by UIDAI said.

Till now, a person had to give his/her 12-digit identity number along with other attributes (demographic and/or biometrics and/or through a one-time password) during authentication or e-KYC (know your customer) for accessing various benefits and services from service providers such as banks or telcos.

UIDAI also introduced the concept of a limited KYC category which does not access the Aadhaar number. To enable this, UIDAI has introduced two categories of an Authentication User Agency (AUA)—an entity engaged in providing Aadhaar-enabled services. The limited KYC category is a ‘Local AUA’, compared with a ‘Global AUA’—which will have access to e-KYC using the Aadhaar number.

An AUA may be a government, public or a private legal agency registered in India, using Aadhaar authentication services provided by UIDAI.

The Justice B.N. Srikrishna Committee on data protection in India has suggested amendments to various laws including the Aadhaar Act to provide for the imposition of penalties on data fiduciaries and compensations to data principals for violations of the data protection law.

The 213-page report, prepared by a 10-member committee set up last year under the chairmanship of the retired Supreme Court judge, was submitted to Law and Electronics Minister Ravishankar Prasad who said that the government will go through the draft bill and take stakeholder comments before taking Cabinet approval for finalizing the legislation.