PROTECTION OF INFORMATION
28. (1) The Authority shall ensure the security of identity information and authentication records of individuals.
(2) Subject to the provisions of this Act, the Authority shall ensure confidentiality of identity information and authentication records of individuals.
(3) The Authority shall take all necessary measures to ensure that the information in the possession or control of the Authority, including information stored in the Central Identities Data Repository, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage.
(4) Without prejudice to sub-sections (1) and (2), the Authority shall—
(a) adopt and implement appropriate technical and organisational security measures;
(b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for performing any function of the Authority under this Act, have in place appropriate technical and organisational security measures for the information; and
(c) ensure that the agreements or arrangements entered into with such agencies, consultants, advisors or other persons, impose obligations equivalent to those imposed on the Authority under this Act, and require such agencies, consultants, advisors and other persons to act only on instructions from the Authority.
(5) Notwithstanding anything contained in any other law for the time being in force, and save as otherwise provided in this Act, the Authority or any of its officers or other employees or any agency that maintains the Central Identities Data Repository shall not,
whether during his service or thereafter, reveal any information stored in the Central Identities Data Repository or authentication record to anyone:
Provided that an Aadhaar number holder may request the Authority to provide access to his identity information excluding his core biometric information in such manner as may be specified by regulations.
29. (1) No core biometric information, collected or created under this Act, shall be—
(a) shared with anyone for any reason whatsoever; or
(b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act.
(2) The identity information, other than core biometric information, collected or created
under this Act may be shared only in accordance with the provisions of this Act and in
such manner as may be specified by regulations.
(3) No identity information available with a requesting entity shall be—
(a) used for any purpose, other than that specified to the individual at the time of submitting any identity information for authentication; or
(b) disclosed further, except with the prior consent of the individual to whom such information relates.
(4) No Aadhaar number or core biometric information collected or created under this
Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly,
except for the purposes as may be specified by regulations.
30. The biometric information collected and stored in electronic form, in accordance with this Act and regulations made thereunder, shall be deemed to be “electronic record” and “sensitive personal data or information”, and the provisions contained in the Information Technology Act, 2000 and the rules made thereunder shall apply to such information, in addition to, and to the extent not in derogation of the provisions of this Act.
Explanation.— For the purposes of this section, the expressions—
(a) “electronic form” shall have the same meaning as assigned to it in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000;
(b) “electronic record” shall have the same meaning as assigned to it in clause (t) of sub-section (1) of section 2 of the Information Technology Act, 2000;
(c) “sensitive personal data or information” shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the Information Technology Act, 2000.
31. (1) In case any demographic information of an Aadhaar number holder is found incorrect or changes subsequently, the Aadhaar number holder shall request the Authority to alter such demographic information in his record in the Central Identities Data Repository in such manner as may be specified by regulations.
(2) In case any biometric information of Aadhaar number holder is lost or changes
subsequently for any reason, the Aadhaar number holder shall request the Authority to
make necessary alteration in his record in the Central Identities Data Repository in such
manner as may be specified by regulations.
(3) On receipt of any request under sub-section (1) or sub-section (2), the Authority may, if it is satisfied, make such alteration as may be required in the record relating to such Aadhaar number holder and intimate such alteration to the concerned Aadhaar number holder.
(4) No identity information in the Central Identities Data Repository shall be altered except in the manner provided in this Act or regulations made in this behalf.
32. (1) The Authority shall maintain authentication records in such manner and for such period as may be specified by regulations.
(2) Every Aadhaar number holder shall be entitled to obtain his authentication record in such manner as may be specified by regulations.
(3) The Authority shall not, either by itself or through any entity under its control, collect, keep or maintain any information about the purpose of authentication.
33. (1) Nothing contained in sub-section (2) or sub-section (5) of section 28 or sub-section (2) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made pursuant to an order of a court not inferior to that of a District Judge:
Provided that no order by the court under this sub-section shall be made without giving an opportunity of hearing to the Authority.
(2) Nothing contained in sub-section (2) or sub-section (5) of section 28 and
clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in
respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government:
Provided that every direction issued under this sub-section, shall be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect:
Provided further that any direction issued under this sub-section shall be valid for a period of three months from the date of its issue, which may be extended for a further period of three months after the review by the Oversight Committee.
[Ref: Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.]