Monday, September 19, 2022

Imprisonment up to 3 years and fines up to 10 lakh rupees for storing Aadhaar numbers in clear text

 


 

Nowadays, the identity/address proof document most used by enterprises is the customer's Aadhaar. Banks, NBFCs, stock brokers, insurance companies, Nidhi companies, etc. prefer Aadhaar as identity proof because almost every Indian has an Aadhaar card and customers are willing to share their Aadhaar numbers when they want to avail of any service of the enterprise. Using Aadhaar as a KYC document has many advantages, such as easy digital access to the data, fast customer onboarding, and a lower cost for the KYC process.

The important thing to note here is that companies and enterprises should be extremely careful when dealing with Aadhaar data. Mistakes in dealing with Aadhaar data can lead to imprisonment of up to 3 years and fines of up to 10 lakh rupees. (Ref: https://www.uidai.gov.in/en/289-faqs/your-aadhaar/protection-of-individual-information-in-uidai-system/1944-what-are-the-possible-criminal-penalties-envisaged-against-the-fraud-or-unauthorized-access-to-data.html)

In accordance with UIDAI circular 11020/205/2017, any organisation that stores Aadhaar numbers in its database should implement an Aadhaar Data Vault and replace the Aadhaar numbers with the reference tokens created by the Aadhaar Data Vault. The Aadhaar number and the Aadhaar data must be stored in encrypted form, and access to the Aadhaar Data Vault must be strictly controlled. The encryption keys should be stored in a Hardware Security Module. This is the crux of the reference ID circular published by UIDAI; for more details, please follow the link given above.
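The replacement step described above, as an added example (not code from UIDAI or from any vault product): it finds checksum-valid Aadhaar numbers in a text record and swaps each for a random reference token. Assumptions: the `ref-` token format, the first-digit 2-9 rule in the pattern, and a plain dict standing in for the vault, which in a real deployment would hold the number encrypted under an HSM-held key.

```python
import re
import uuid

# Verhoeff tables: D5 multiplication, position permutation, inverse.
_D = ("0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
      "5987604321", "6598710432", "7659821043", "8765932104", "9876543210")
_P = ("0123456789", "1576283094", "5803796142", "8916043527",
      "9453126870", "4286573901", "2793806415", "7046913258")
_INV = "0432156789"

def _fold(digits: str, start: int) -> int:
    """Run the Verhoeff recurrence over digits, rightmost digit first."""
    c = 0
    for i, ch in enumerate(reversed(digits), start):
        c = int(_D[c][int(_P[i % 8][int(ch)])])
    return c

def verhoeff_ok(number: str) -> bool:
    return number.isdigit() and _fold(number, 0) == 0

def with_check_digit(payload: str) -> str:
    """Append the check digit; used here only to construct sample data."""
    return payload + _INV[_fold(payload, 1)]

# Assumption: 12 digits, first digit 2-9, optionally grouped 4-4-4.
_CANDIDATE = re.compile(
    r"(?<![0-9])([2-9][0-9]{3})[ -]?([0-9]{4})[ -]?([0-9]{4})(?![0-9])")

def tokenize(text: str, vault: dict) -> str:
    """Replace every checksum-valid Aadhaar number in text with its token.

    vault (number -> token) stands in for the Aadhaar Data Vault, which
    would hold the number encrypted under a key kept in the HSM.
    """
    def swap(match: re.Match) -> str:
        number = "".join(match.groups())
        if not verhoeff_ok(number):
            return match.group(0)  # fails the checksum: leave untouched
        # Random token: nothing about the number can be derived from it.
        return vault.setdefault(number, "ref-" + uuid.uuid4().hex)
    return _CANDIDATE.sub(swap, text)

if __name__ == "__main__":
    sample = with_check_digit("29990000000")  # constructed, not a real ID
    vault = {}
    row = f"cust=1001 kyc_id={sample[:4]} {sample[4:8]} {sample[8:]}"
    print(tokenize(row, vault))  # the row now carries only the token
```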

Questions you need to ask yourself are below.

  • Are you storing the Aadhaar numbers of your customers?
  • Are you using the Aadhaar number to identify a customer?
  • Are you storing the Aadhaar number along with other customer data?
  • Are you using any kind of encryption to store the Aadhaar number?
  • Are you using an HSM device for storing the encryption keys?
  • Do you have an Aadhaar data revoke feature if a customer requests it?

If the answer to any of the above questions is Yes, you need to implement an Aadhaar Data Vault solution and integrate it with your other systems such as CRM, CBS, etc. Only then will you be on the right side of government regulation.

In conclusion, there must be a discussion among the stakeholders to finalize the approach to be taken.
If you have any questions or doubts, please reach out to us and we will be able to help you out.
We, Finahub, are experts in Aadhaar-related products and services like Vault, eKYC, Authentication, etc. If you want to know how your enterprise can start using them, please give us a call at 0484 2388285 or email us at [email protected]