Skip to main content

Aadhaar - Key Issues and Analysis

The Bill aims to issue unique identification numbers to residents of India and to provide for a reliable method of identifying individuals. The UIDAI Strategy Overview states that identification will facilitate access to benefits and services, especially for vulnerable groups such as homeless persons, migrant labour etc. Issuance of biometric based identities is expected to reduce problems of identity frauds and ghost beneficiaries.

However, any database that stores personal information carries the risk of its misuse by various agencies (both public and private), which may affect an individual's privacy. The UK National Identity Card scheme was scrapped in 2011. Some of the main reasons cited for scrapping the scheme were the cost of implementing the scheme and the infringement of civil liberties. The Real ID Act passed by the US in 2005 has also been opposed by many states on grounds of privacy and threat to data security.

We discuss below the safeguards that are built into this Bill to protect Aadhaar holders against invasion of their privacy.

Enrollment - Voluntary or Mandatory
The Bill does not make it mandatory for an individual to obtain an Aadhaar number. However, it does not prevent any service provider from prescribing Aadhaar as a mandatory requirement for availing services. This differs from the US where government agencies cannot deny benefits to individuals who do nto possess or refuse to disclose their Social Security Number, unless specifically required by law.

However, it must be noted that the success of Aadhaar in weeding out 'ghost' beneficiaries (in programmes such as the public distribution system) depends on mandatory enrollment. If enrollment is not mandatory, both authentication system (identity card based and Aadhaar based) must coexist. In such a scenario, 'ghost' beneficiaries and people with multiple cards will choose to opt out of the Aadhaar system.

Safeguards for maintaining confidentiality and privacy of information
Information collected may be misused if safeguards to maintain privacy are inadequate. Though the Supreme Court has included privacy as part of the Right to Life, India does not have a specific law governing issues related to privacy. The government has formed a committee to draft a suitable law.

We examine whether the Bill has sufficient safeguards if information is 
a. shared with agencies engaged in delivery of public benefits and services;
b. disclosed to intelligence or law enforcement agencies; and
c. used to identify behaviour patterns through data mining.

Sharing Information with agencies engaged in delivery of public benefits and services
The Bill allows NIAI to share the information of an Aadhaar number holder, based on his written consent, with agencies engaged in the delivery of public benefits and public services. However, it does not specify whether consent should be taken only once or at each instance a person avails of a new service. A one-time consent may be prone to misuse and this may affect an individual's privacy.

Disclosure of information to intelligence or law enforcement agencies
The Bill requires the NAIA to disclose information (including indentity information of individuals) in the interest of national security. This will be on the direction of an authorised officer of the rank of Joint Secretary or above in the central government.

In 1996, the Supreme Court held that the state may tap telephones "only at the occurance of any public emergency or in the interest of public safety" if
a. it is authorised by the Home Secretary of th central or state government; and
b. it is for a maximum period of six months.
Each order of telephone tapping must also be investigated by a separate Review Committee within a period of two months from the date of issuance.

The safeguards for protection of privacy in this Bill differ from those set out for phone tapping. 
First, the Bill permits sharing in the interest of "national security" rather than for public emergency or public safety. 
Second, the order can be issued by an officer of the rank of Joint Secretary. 
Third, there is no limit for the time period for which the authentication data may be collected. 
Fourth, there is no mechanism for review.

Potential to profile individuals
The Bill does not specifically prohibit intelligence agencies from using the UID as a link (key) while running computer programmes across various datasets (such as telephone records, air travel records etc.) in order to recognise patterns of behaviour. Such techniques for pattern recognition can be used for various purposes such as detecting potential illegal activities. However, these can also lead to harassment fo innocent individuals who get identified incorrectly as potential threats. As a safeguard against misuse, the US had introduced (but not passed) a legislation that required each agency that was engaged in data mining to submit an annual report to Congress on all such activities.

Compensation for loss or unauthorised disclosure of information
The Bill requires all persons with access to Aadhaar related information to keep in secure and confidential. It prescribes penalties for unauthorised access or intentional disclosure of information. However, it does not penalise any negligence that leads to loss of information. Also, it does not have a specific provision to compensate an individual in case his personal information is misused. This differs from the Information Technology Act, 2000, which states that a company handling "sensitive personal data" is liable to pay compensation upto Rs. 5 crore if it is "negligent in implementing and maintaining reasonalble security practices and procedures" with respect to such data.

Conflict of Interest
The Bill states that no court shall take cognizance of any offence punishable under the Act, except on a complaint made by the NIAI. Such a provision is usually included to ensure that the regulatory body vets all complaints before a criminal charge is filed.

However, unlike regulators such as the Securities and Exchange Board of India or the Reserve Bank of India, the NIAI also has a role in implementation and its members and exmployees have duties related to data security. This could result in a conflict of interest situation if the offence is committed by an employee of the NIAI.

Discretionary powers under delegated legislation
Regulation of demographic and biometric information to be recorded
Demographic Information: The Bill empowers the NIAI to specify demographic information that may be recorded. The only restriction imposed on NIAI is that it shall not record information pertaining to race, religion, caste, language, income or health of the individual. Keeping this definition in the Regulations provides the NIAI with the power to collect additional personal information, without prior approval from Parliament.

It may be noted that the enrollment form currently being used contains fields for capturing information such as the National Population Register (NPR) receipt number, mobile number, bank account number etc. Though these fields are labelled "optional", it is unclear why this additional information is being recorded.
Biometric information: The definition of biometric information will be specified in the Regulations. Currently, the UIDAI is capturing 10 fingerprints, iris scan and photograph as biometric information of each resident. However, the Bill does not prevent it from collecting other biometric information such as DNA.

Storage of authentication information
The NIAI is required to maintain details of every request for authentication and response provided. The Bill does not specify the maximum duration for which authentication data may be stored by the NIAI. This has been left to Regulations. Authentication data provides insights into usage patterns of an Aadhaar number holder. Data that has been recorded over a long duration of time may be misused for activities such as profiling an individual's behaviour.

Different dates for notification of different clauses
Some clauses of the Bill provide the NIAI with the power to collect and maintain data. Some other clauses provide safeguards against misuse. The Bill contains a blanket provision that allows the central government to notify different clauses on different dates. There is no requirement that the safeguard clauses should come into force by the time the provisions enabling collection of data are notified.

Courtesy: PRS India

Comments

Popular posts from this blog

First Amendment Act, 1951

Empowered the state to make special provision for advancement of socially and economically backward classes Provided for the saving of laws providing for acquisition of the State, etc. Added ninth schedule to protect the land reform and other laws included in it and judicial review Added three more ground of restrictions on freedom of speech and expression viz., public order, friendly relations with foreign states and incitement to an offence. Also made the restriction reasonable and justiciable in nature Provided that state trading and nationalization of any trade or business by state is not to be invalid on the ground of violation of the right to trade or business

Aadhaar : Key Features

The National Identification Authority of India (NIAI) will issue identification number (called "Aadhaar" number) to residents of India and any other category of people that may be specified. The NIAI shall have a chairperson and two part-time members. Aadhaar Numbers Every resident of India (regardless of citizenship) shall be entitled to obtain an Aadhaar number after furnishing demographic and biometric information. Demographic information shall include items such as name, age, gender and address. Biometric information shall include some biological attributes of the individual. Collection of information pertaining to race, religion, caste, language, income or health is specifically prohibited. The Aadhaar number shall be issued after the information provided by the person is verified. It shall serve as proof of identity, subject to authentication. However, it should not be construed as proof of citizenship or domicile. The Aadhaar number holder may be required t...

The Copenhagen Summit

Background The negotiating process on climate change revolves around the sessions of the Conference of the Parties to the United Nations Framework Convention on Climate Change (COP), which meets every year to review the implementation of the Convention. This year this process culminates in Copenhagen. At Bali, Parties agreed to jointly step up international efforts to combat climate change and get to an agreed outcome in Copenhagen in 2009. Thus, an ambitious climate change deal will be clinched to follow on the first phase of the UN’s Kyoto Protocol, which expires in 2012. Why is a deal so important? We know the world is warming, on average by 0.74ÂșC during the past century, with most of that since 1970. The IPCC has reported regularly on climate change science for 20 years. Its last report was “unequivocal” that climate change is with us, and is set to get drastically worse unless we take urgent action. Nature, through both oceans and forests, currently absorbs ab...