The draft Aadhaar (Authentication and Offline Verification) Regulations, 2021 stipulate that the Authority may enable an Aadhaar number holder to permanently lock his biometrics and temporarily unlock them when needed for biometric authentication.
The draft regulations prepared by the Unique Identification Authority of India (UIDAI) stipulate that all biometric authentication against any such locked biometric records shall fail with a "No" answer with an appropriate response code. These draft norms are in supersession of the Aadhaar (Authentication) Regulations, 2016.
There have been privacy concerns with Aadhaar on identity theft and illegal use of biometrics.
An Aadhaar number holder shall be allowed to temporarily unlock his biometrics for authentication, and such temporary unlocking shall not continue beyond the time period specified by the Authority or till the completion of the authentication transaction, whichever is earlier.
The Authority may make provisions for Aadhaar number holders to remove such permanent locks at any point in a secure manner.
Similarly, the Authority shall enable an Aadhaar number holder to lock his/her Aadhaar number and unlock it when needed for authentication. All authentication requests using the Aadhaar number against any such locked Aadhaar number shall result in a "No" answer with an appropriate response code. In case of a locked Aadhaar, the Authority will allow the resident to authenticate using Virtual ID or other means.
Online verification
Under the obligations of Offline Verification Seeking Entities (OVSEs), the draft norms say that they shall not collect, use or store the Aadhaar number or biometric information of any individual for any purpose, or share offline Aadhaar data with any other entity, except in accordance with the Act and Regulations framed thereunder.
In case of any investigation involving Aadhaar data related frauds or dispute(s), the entity shall extend full cooperation to the Authority, or any agency appointed or authorised by it, or any other authorised investigation agency, including, but not limited to, providing access to its premises, records, personnel and any other relevant resources or information, as well as assisting the Authority in disseminating information to the general public about any Aadhaar data related fraud to enable Aadhaar number holders to evaluate whether they were victims of the fraud and take remedial action.
The entity shall inform the Authority, without undue delay and in no case beyond 72 hours after having knowledge of misuse of any information or systems related to the Aadhaar framework or any compromise of Aadhaar related information.
If the OVSE is a victim of fraud or identifies a fraud pattern through its fraud analytics system related to Offline Verification, it shall share all necessary details of the fraud with the Authority as well as with affected Aadhaar number holders without undue delay.
The draft norms say that the authentication transaction data shall be retained by the Authority for a period of 6 months. The Authority may prescribe the procedure to archive and perform analysis, for research purposes, from aggregated and anonymised authentication transaction data in the form of circulars.
Expiry period of 6 months
Upon expiry of the period of six months the authentication transaction data shall be deleted except when such authentication transaction data are required to be maintained by the order of a court not inferior to that of a Judge of a High Court or in connection with any pending dispute.
The provision for access by Aadhaar number holders states that an Aadhaar number holder shall have the right to access his authentication records, subject to conditions laid down and payment of such fees as prescribed by the Authority, by making requests to the Authority within the period of retention of such records before they are archived.
The Authority may provide mechanisms such as an online portal or mobile application or designated contact centres for Aadhaar number holders to obtain their digitally signed authentication records within the period of retention of such records before they are archived as specified in these regulations.
The Authority may provide digitally signed e-KYC data to the Aadhaar number holder through biometric or OTP authentication, subject to payment of such fees and processes as specified by the Authority.