The Central and state departments have been directed by the government to ensure that people’s Aadhaar number and related data are not published online, as per a report in the Economic Times. Any information already online must be removed immediately. The notification is a welcome move following the recent discovery of multiple leaked databases containing people’s Aadhaar and other data, and is designed to curb future leaks of data.
The MEITY Notification
The notification, issued on 25 March by the Ministry of Electronics and Information Technology, states that any act of publishing identity information like the Aadhaar number and demographic details, and personal sensitive information like bank details, is in contravention of the Aadhaar Act, 2016, and the Information Technology Act, 2000. The notification disallows such publication with immediate effect, and any such content already appearing online must be removed immediately. (Note: This is as per the Economic Times Report; the original notification is as yet unavailable).
Multiple data leaks reveal huge privacy risks
The various reports of the leaked data from government welfare schemes, subsidy schemes, and even colleges were a cause of major concern. The type of data disclosed included names, names of parents, PAN numbers, mobile numbers, religion, marks, status of Aadhaar applications, beneficiaries of welfare schemes, bank account numbers, IFSC codes and other sensitive information. The most famous is, of course, the leak of Dhoni’s Aadhaar application form.
The privacy risks are huge. For example, the simple combination of a person’s name, phone number, and bank account number is sufficient for numerous cyber attacks, such as phishing. The leak of biometric information can be even more disastrous, particularly because it is often used for authentication purposes. The leaks so far, thankfully, did not include biometric information.
Publication of Aadhaar data is punishable
The leaks revealed that the privacy risks with Aadhaar are not restricted to leaks from the UIDAI database itself, but extend to leaks from any of the multiple entities that collect Aadhaar details today. The Aadhaar Act and regulations issued thereunder contain several provisions punishing the publication and unauthorized sharing of information by such entities.
Under Section 8 of the Aadhaar Act, any entity collecting a person’s Aadhaar details must inform him about what the details can be used for, and who they can be shared with. This also applies to data given while enrolling for Aadhaar, under Section 3. This data must then only be used as specified to the individual, and any sharing of the data will need his consent.
For example, in Dhoni’s case, his application details were shared online without his consent, and used for a purpose (advertisement) that he was not informed of. The enrolment agency has thus violated the Aadhaar Act, which is a punishable offence under Sections 37 to 42 of the Act with up to 3 years imprisonment and/or Rs. 10 lakhs fine.
Database publication is illegal
The database leaks discovered online are also punishable under the Aadhaar (Sharing of Information) Regulations, 2016, under Regulations 4 to 7. These prohibit the publication of a person’s Aadhaar number. Any person storing such data in a database is responsible for maintaining its security and confidentiality. Moreover, no such database or even a record containing the Aadhaar numbers must be made public. Failing to do so is also punishable under the Aadhaar Act. This will cover the entire range of database leaks discovered online, irrespective of whether the leak was by a government agency or a private one.
Publication of financial data is illegal
The notification also mentions violation of the Information Technology Act, 2000 through the publication of financial data like bank account details. Such information is ‘sensitive personal data’ under Section 43A of the Information Technology Act. This section is applicable only to ‘body corporates’, or a company engaged in commercial or professional activities. Normally, this will exclude entities like government bodies from its scope. The notification now extends its applicability to anyone, including government websites, in connection with Aadhaar-related leaks. This is a great relief, granting a greater amount of privacy to users.
What to do if you find your data online
In case of a violation of the Aadhaar Act, only the UIDAI can file a complaint before the courts, as per Section 47 of the Aadhaar Act. Aadhaar holders who find their information online are, however, not without a remedy.
Regulation 8 of the Aadhaar (Sharing of Information) Regulations, 2016 gives people the right to raise a grievance with the UIDAI in case their identity information is used or shared in violation of the Aadhaar Act. If you find your data online, you can inform the UIDAI through various means: through the Centralized Public Grievance Redress and Monitoring System, through a post or e-mail to the UIDAI, or through the UIDAI Contact Centre (Details here). Once the UIDAI is notified, it can pursue the matter.
Users finding their information online may also inform the relevant websites or the state governments, who also now, because of the notification, have an obligation to ensure removal of the data.
Provisions for greater privacy needed
Despite these provisions, concerns with data leaks and privacy risks remain. For example, one cause for worry is that the Aadhaar regulations draw an exception for databases published with the Aadhaar numbers redacted or blacked out. Even without the Aadhaar number, this puts a huge amount of sensitive data at risk. While such information may still be protected under Section 29 of the Aadhaar Act, until this section is clarified, the concerns remain.
Another issue is that the penalties laid down under the Aadhaar Act only punish intentional, i.e., deliberate publication. Therefore, while Dhoni’s enrolment agency can be punished under these sections, the database leaks online, which appear to be accidental, will not be. The Aadhaar Act should be amended to punish negligent database leaks also, so as to impose a stricter responsibility on the entities collecting Aadhaar data.
While the notification shows a positive step towards preventing data leaks, a lot more is needed to protect people’s privacy.
Updated Date: Mar 30, 2017 19:21 PM