The Ministry of Electronics & Information Technology (MEITY) has issued fresh guidelines for securing personal data including Aadhaar data held by various government departments, titled ‘General guidelines for securing Identity information and Sensitive personal data or information in compliance to Aadhaar Act, 2016 and Information Technology Act, 2000’. These guidelines are a follow-up to the MEITY notification sent in March this year directing all government departments to remove any personal data published on their websites or other places.
While the guidelines answer a number of questions that have been raised about data protection under the Aadhaar Act, concerns about their effective implementation remain. Individuals are still not given any remedy when their data is found online.
Application to government departments covers loopholes
Guidelines applicable to all government departments are welcome, since they close certain gaps in the Information Technology Act, 2000 and the Aadhaar Act, 2016. Section 43A of the IT Act and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT SPD Rules), for instance, apply only to body corporates, a term that may not cover all government departments.
The Aadhaar Act, on the other hand, prescribes a number of requirements for the UIDAI and for 'requesting entities', i.e. the entities that use the UIDAI for authentication. It has very limited requirements for entities that collect Aadhaar data for purposes other than Aadhaar authentication; for those, Regulations 5 and 6 of the Aadhaar (Sharing of Information) Regulations, 2016 are among the few provisions that apply.
These guidelines will now be applicable to all categories of government departments, regardless of factors like the purpose of collection.
Broad range of personal data protected
Another gap that is closed concerns the kind of data protected. The Aadhaar Act mainly protects data related to or linked with Aadhaar numbers; these guidelines apply to any personal data, whether or not it includes an Aadhaar number.
The guidelines seek to protect specific categories of personal data, which together cover most of the data reported to have been leaked from various government websites so far:
i) Personal information, i.e. any information that enables the identification of a natural person (Rule 2(1)(i), IT SPD Rules)
ii) Sensitive personal data or information (SPD), such as passwords, financial information, health condition, sexual orientation, medical records and biometric information (Rule 3, IT SPD Rules)
iii) Identity information, including the Aadhaar number, biometric information (which includes the photograph) and demographic information such as name, date of birth and address (Section 2(n), Aadhaar Act, 2016)
The prescribed security requirements in brief
- Officers and employees to be trained and familiarised with data protection requirements under Aadhaar and IT Act.
- Compliance with all prescribed security requirements by MEITY and UIDAI to be ensured.
- SPD such as Aadhaar numbers, financial data, gender and religion must be masked by default; where it is displayed at all, it must be displayed only to authorised persons.
- Any database containing SPD or Aadhaar numbers must be encrypted.
- Aadhaar based authentication for family based schemes like PDS can also be done through a family member. This adds to the prescribed alternative modes of Aadhaar authentication under the Aadhaar (Authentication) Regulations, 2016.
- Informed, positive consent, on paper or electronically, must be obtained before any data is collected or used. This resolves existing ambiguity about the kind of consent required. The requirement of positive consent is also welcome, since implied or negative consent, such as treating the absence of a response as consent, will now be invalid.
- Agencies using Aadhaar based authentication must provide grievance redressal mechanisms. This obligation does not apply to agencies collecting personal data including Aadhaar data for other purposes.
- Data retention policies must be framed, SPD must not be stored for longer than necessary, and all data is to be deleted after a specific period. Biometric data collected for authentication cannot be stored. The Aadhaar Act had prescribed these requirements only with respect to Aadhaar numbers or databases containing Aadhaar numbers. This guideline broadens the scope of the data retention limitation requirement.
- Only the last four digits of an Aadhaar number may be displayed. Personally identifiable Aadhaar data must not be printed or displayed together with other departmental data to which it is mapped, such as ration card details or caste.
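The masking and display requirements above (mask Aadhaar numbers and other SPD by default, show at most the last four digits, unmask only for authorised persons) translate directly into code. The following is an added example, not part of the guidelines or of any government system: it masks a record for display according to the caller's authorisation and scans free text, such as a web page or CSV export, for 12-digit Aadhaar-like numbers that should not have been published. The field names, the sample records and the export text are all constructed for the example; a plain 12-digit pattern will also match other 12-digit identifiers, so hits are candidates for review, not confirmed leaks.

```python
import re

# Fields treated as SPD for masking purposes (assumed names; the guidelines
# list Aadhaar number, financial data, gender and religion among the SPD).
SENSITIVE_FIELDS = {"aadhaar", "bank_account", "gender", "religion"}

# A 12-digit number written as one block or as three groups of four,
# separated by a space or hyphen, as Aadhaar numbers are usually printed.
AADHAAR_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b")


def mask_aadhaar(number: str) -> str:
    """Return the number with only the last four digits visible."""
    digits = re.sub(r"\D", "", number)
    if len(digits) != 12:
        raise ValueError("an Aadhaar number has 12 digits")
    return "XXXX XXXX " + digits[-4:]


def render_record(record: dict, authorised: bool = False) -> dict:
    """Prepare a record for display. SPD is masked unless the viewer is
    authorised; non-sensitive fields pass through unchanged."""
    shown = {}
    for field, value in record.items():
        if field == "aadhaar":
            shown[field] = value if authorised else mask_aadhaar(value)
        elif field in SENSITIVE_FIELDS:
            shown[field] = value if authorised else "[masked]"
        else:
            shown[field] = value
    return shown


def find_unmasked_aadhaar(text: str) -> list:
    """List 12-digit Aadhaar-like numbers found in free text. Already-masked
    values ('XXXX XXXX 1234') do not match because they are not 12 digits."""
    return [m.group(0) for m in AADHAAR_RE.finditer(text)]


def mask_export(text: str) -> str:
    """Mask every Aadhaar-like number in an export before it is published."""
    return AADHAAR_RE.sub(lambda m: mask_aadhaar(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample record, not real data.
    record = {"name": "Sample Beneficiary", "aadhaar": "1234 5678 9012",
              "bank_account": "000011112222", "religion": "not stated",
              "district": "Sample District"}
    print(render_record(record))                   # masked view
    print(render_record(record, authorised=True))  # full view for an authorised officer

    # Constructed excerpt of a departmental export, not real data.
    export = "Sample Beneficiary,1234-5678-9012,Sample District\n"
    print(find_unmasked_aadhaar(export))
    print(mask_export(export))
```

`find_unmasked_aadhaar` is the check a department can run over pages and exports before they go live; `mask_export` is the corrective step. Neither covers the separate encryption-at-rest requirement for databases holding SPD, which belongs in the storage layer rather than in display code.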
Ambiguities and drawbacks in the guidelines
There are some ambiguities in the guidelines that need clarification. Several terms are used without being defined, including 'personally identifiable data', 'personally identifiable Aadhaar data', 'Aadhaar linked personal data', 'end-users' and 'data users'.
The guidelines also have certain drawbacks, including the absence of any requirement that government departments publish privacy policies. Individuals are still not given the option to withdraw their consent or to stop further use of their data by government departments. And while the Aadhaar Act and the IT Act provide a limited right to correct data, individuals are still not given a full right of access to, and correction of, their data held by government departments.
No clear consequences for non-compliance
A major issue is that no additional accountability is prescribed beyond the existing obligations under the IT Act and the Aadhaar Act, and individuals are given no additional remedy against government departments for non-compliance.
For example, the Aadhaar Act punishes only the intentional publication of Aadhaar data. Whether an accidental disclosure, one that compliance with these guidelines would have prevented, is punishable under that provision is left open.
Guidelines need better enforcement mechanisms
The lack of enforcement mechanisms was a significant drawback of the IT SPD Rules. Rule 8 of those rules prescribes the security practices body corporates must adopt, yet actual compliance is reported to be very low. This is despite Section 43A of the IT Act, under which a body corporate is liable to pay compensation for any loss caused by its failure to maintain reasonable security practices.
Strict enforcement mechanisms, specified consequences for non-compliance, combined with provisions for penalties and compensation to the people, are essential for the guidelines to be more than just security on paper.
Updated: Jun 01, 2017, 15:03