To address privacy and security concerns over Aadhaar, the Union government is in the process of educating government agencies that sensitive data must not be made public, and is drafting amendments to the Information Technology (IT) Act to strengthen the provisions for data protection and security.
Aruna Sundararajan, Secretary, Union Electronics and Information Technology Ministry, told The Hindu that besides privacy issues, the new IT law would quell security concerns related to digital payments.
Her comments assume significance as Aadhaar’s original architect and former Infosys CEO, Nandan Nilekani, recently mooted the need for strong data protection and privacy laws to ensure citizen data in the Unique Identification (UID) database is not misused.
Plugging data leakage
Close to 135 million Aadhaar numbers and 100 million bank account numbers could have leaked from official portals dealing with government programmes of pensions and rural employment, according to a report published on Monday by the Centre for Internet and Society (CIS). With Aadhaar being used to authenticate and authorise transactions, the financial risks presented by the disclosure of such data are greatly exacerbated, it said.
“Actually, Aadhaar has very strong privacy regulation built into it... But the area we are working on is enforcement,” Ms. Sundararajan said.
“People are not aware that such a large number of government agencies are making available all this sensitive data. So now, the process is to educate them so that they become aware that Aadhaar data is not meant to be published like this freely,” she said.
“No Aadhaar data can be shared with anybody or be used for any purpose other than that for which it was collected. There are several limitations imposed by the Act,” she pointed out.
As per the CIS report, the data in question has not been treated as confidential at all in several cases and the government agencies in question have, in fact, taken pains to publish them. “These are wilful and intentional instances of treating Aadhaar numbers and other personally identifiable information (PII) as publicly shareable data by the custodians of the data,” the CIS report noted.
“Some of the amendments we are bringing to the IT Act should take care of the rest of the [privacy and data protection] concerns relating to Aadhaar,” Ms. Sundararajan said. The key focus of these amendments being drafted, she said, was strengthening data protection provisions and security, particularly in relation to digital payments.
“For security, draft regulations have already been framed for e-wallets. We expect to finalise those soon. And now, we are working on a data protection framework,” she said.
While Aadhaar-enabled payments and the Bhim app are seeing the maximum growth in transactions, Ms. Sundararajan said there were still some challenges in making them easy to use. “We expect the next version of Bhim to be released by the National Payments Corporation of India [NPCI] in June. With each version, we are trying to make the user experience simpler,” she observed.
The CIS report, titled ‘Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information,’ pointed out that the amount of Aadhaar data leaked could be higher than its estimate.
“…Other major schemes, who have also used Aadhaar for direct benefit transfer [DBT] could have leaked PII similarly due to lack of information security practices. Over 23 crore beneficiaries have been brought under Aadhaar programme for DBT and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number,” it noted.