Are your sensitive Aadhaar details safe in the hands of the Department of Posts?
You will find the detailed and clear answer to the question “Are your sensitive Aadhaar details safe in the hands of the Department of Posts?” in this blog.
The answer is YES. The Aadhaar Data Privacy Policy of the Department of Posts India will explain this in detail.

Aadhaar Data Privacy Policy of Department of Posts India – INTRODUCTION
(I) The Department of Posts (hereinafter referred to as “DoP”) handles Sensitive Personal Data of customers, such as the Aadhaar number, e-KYC information and biometric data, because UIDAI authentication is required at the time of providing its services. To prevent unauthorized access, it is essential to ensure the safety and security of this data.
(II) This policy complies with UIDAI’s Information Security Management Policy and DoP’s Information Security Management Policy. It applies wherever UIDAI information is processed or stored by DoP.
All Aadhaar-related information is handled according to the following guidelines.
Specific Reason for Collecting Aadhaar and Related Information
(i) Identity information, including the Aadhaar number, is collected only where e-KYC verification is required for the service being provided.
(ii) The Aadhaar Act 2016, its Amendment and the Regulations made under it permit the use of identity data only when it is collected and processed in accordance with applicable law.
(iii) Without the Aadhaar number holder’s consent, the identity information shall not be used for any purpose other than the one stated above. Any other purpose for which the holder’s consent is obtained shall be carried out only in the manner prescribed by the Aadhaar Act 2016.
(iv) All personal and sensitive data collected is protected in accordance with the provisions of the Information Technology Act, 2000 (“IT Act”), the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
STORAGE PROHIBITION
Under DoP’s storage prohibition, captured biometric data and Aadhaar numbers will not be stored in any way or form. The resident, customer, or individual submits their Aadhaar number and PID block (the Personal Identity Data element, which contains the demographic data, biometric data, or OTP required from the Aadhaar number holder during authentication) to DoP. The Aadhaar number and PID block collected in this way will not be retained in any event; DoP retains only the parameters received from UIDAI in response.
MASKED AADHAAR NUMBERS
Only the Aadhaar number holder, employees with specific roles, or users with a specific need on a “need to know” basis will be able to see the full Aadhaar number. By default, all displays are masked and only the last four digits of the Aadhaar number are shown.
AADHAAR DATA SECURITY
(i) To protect Aadhaar data in both digital and physical forms, DoP will implement robust security protocols, including encryption and access controls.
(ii) UIDAI will be promptly informed of any security incidents that could compromise the confidentiality, integrity, or availability of the information it receives.
(iii) Non-disclosure agreements (NDAs) shall be executed with employees, contract agencies, consultants, advisors, and other personnel who handle identity information, and appropriate safety and confidentiality measures shall be taken.
(iv) DoP shall follow UIDAI’s procedures and specifications to collect the Aadhaar number holder’s biometric data. Users’ biometric data will only be captured by STQC-certified authentication devices.
(v) Customer data will not be stored in the terminal device (biometric device).
(vi) DoP will only use the biometric details for data exchange with UIDAI for validation. In case of disputes, a system log will be maintained.
(vii) Transaction ID, timestamp, and similar information will be captured and stored in the logs, but the transaction’s PID (Person Identity Data) will not be captured or stored. In no case will PID, biometric, or OTP information be kept in the logs.
(viii) Regular vulnerability assessment exercises shall be conducted to maintain the security of the authentication applications. Reports will be produced and shared with UIDAI upon request.
(ix) An Annual Vulnerability Assessment (VA) will be conducted to ensure that the Aadhaar infrastructure is safe and that necessary network intrusion and prevention systems are in place.
(x) Endpoint security solutions will be used to protect all hosts that handle customer identity data. Such a host shall have anti-virus/malware detection software installed.
AADHAAR AUTHENTICATION
(i) DoP shall ensure that Aadhaar authentication requests are only made for legal purposes and that authentication logs are only stored in accordance with the UIDAI timelines. e-KYC will only be performed by means of biometric and/or OTP authentication.
(ii) Prior to collecting identity/personal data, Aadhaar number holders will be provided with pertinent information, which includes:
a) the type of information that UIDAI will share for authentication;
b) the ways in which the data obtained during authentication can be used;
c) the options for submitting identity information.
(iii) At the time of authentication, the Aadhaar number holder will be notified by email, phone, or SMS.
(iv) Aadhaar number holder’s consent shall be obtained for each authentication, ideally in electronic form, and records of disclosure of information and consent shall be maintained.
COMPLIANCE WITH UIDAI GUIDELINES
i. DoP shall comply with all guidelines issued by UIDAI from time to time, including the use of Aadhaar data for e-KYC and authentication processes.
ii. Necessary Information security training shall be conducted for all personnel for Aadhaar-related authentication services during induction.
iii. Only Authentication User Agencies (AUA), Authentication Service Agencies (ASA), and e-KYC User Agencies (KUA) licensed and approved by UIDAI are permitted to perform Aadhaar authentication and to access authentication applications, audit logs, authentication servers, source code, and information security infrastructure. An access control list shall be maintained and regularly updated by DoP.
iv. DoP shall create internal awareness of the consequences of breaches of Aadhaar data through channels such as newsletter articles, employee training, internal memos and communications.
v. e-KYC information shall be stored in an encrypted form only. Such encryption shall match UIDAI encryption standards and follow the latest Industry best practice.
vi. All assets (business applications, operating systems, databases, network etc.) used for the Aadhaar authentication services shall be identified, labelled and classified.
vii. All applications used for Aadhaar authentication or e-KYC shall be tested for compliance to Aadhaar Act 2016 before being deployed in production and after every change that impacts the processing of Identity information.
viii. Identity information shall not be hosted or transferred outside the territory of India, in compliance with the Aadhaar Act and its Regulations.
ix. Each year, applications must be audited by information systems auditor(s) certified by STQC, CERT-IN or any other UIDAI recognized body. If requested, the audit report will be provided to UIDAI.
COMPLIANCE WITH DATA PROTECTION ACT
(i) DoP, as an AUA/KUA, has created a data protection policy. This policy covers compliance with the Aadhaar Act, 2016 and its related regulations and the standards prescribed by UIDAI; the Information Technology Act, 2000, including the Information Technology (Amendment) Act, 2008; the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011; and the Digital Personal Data Protection Act, 2023.
(ii) DoP, as an AUA/KUA, has published its data protection policy on its website at https://www.indiapost.gov.in.
(iii) Responsibility, consent, purpose limitation, and data minimization principles will govern all data processing activities to ensure compliance with DPDP Act.
(iv) The data protection policy covers the use of encryption and secure transmission protocols, and the regular review and audit of IT systems handling Aadhaar data, to ensure compliance with the reasonable security practices required by the IT Act and IT Rules.
(v) To make the collection of identity information sufficient, pertinent, and limited to the purpose of processing, organizational and technical privacy improvements like anonymization, de-identification, and minimization have been implemented.
AADHAAR DATA GRIEVANCE REDRESSAL
Any grievances regarding Aadhaar data processing will be promptly addressed. DoP will select a suitable grievance officer to handle Aadhaar privacy issues.
REGULATORY REFERENCE
i. Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, i.e. the Aadhaar Act, 2016, and its associated regulations and standards prescribed by UIDAI
ii. Aadhaar (Authentication and Offline Verification) Regulations, 2021
iii. UIDAI Information Security Policy for AUA/KUA
iv. Various circulars issued by UIDAI
v. Information Technology Act, 2000
vi. Information Technology (Amendment) Act, 2008
vii. Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
viii. Digital Personal Data Protection Act, 2023 (DPDP Act)