Data privacy



1. Disclosure of information to Aadhaar number holder

 

  1. At the time of authentication, the following information shall be provided to the Aadhaar number holder:
    • Nature of information that will be shared by UIDAI upon authentication
    • Uses to which the information received during authentication may be put
    • Alternatives to submission of identity information
    • Whether submission of Aadhaar number or proof of Aadhaar for such purpose is mandatory or voluntary, and if mandatory, the legal provision mandating it
  2. RSGICL shall ensure that the above stated information is provided to the Aadhaar number holder in local language as well.

 

2. Consent taken from Aadhaar number holder

 

  1. Once the information pertaining to Aadhaar authentication is communicated to the Aadhaar number holder, RSGICL shall obtain consent from the Aadhaar number holder in physical or electronic form.
  2. RSGICL shall maintain logs or records of the consent obtained in the manner and form as specified by UIDAI for this purpose.
  3. Aadhaar number holder may, at any time, revoke consent given to RSGICL for storing his e-KYC data or for sharing it with third parties, and upon such revocation, RSGICL shall delete the e-KYC data and cease any further sharing.

 

3. Data Processing

 

  1. RSGICL shall use Aadhaar authentication facility only for the purpose that is informed and allowed by UIDAI.
  2. The identity information shall not be used by RSGICL for any purpose other than that specified to the Aadhaar number holder at the time of submitting identity information for authentication.
  3. The identity information shall not be disclosed further without the prior consent of the Aadhaar number holder.

 

4. Data Retention

 

  1. RSGICL shall maintain logs of authentication transactions for a period of two years, during which period an Aadhaar number holder shall have the right to access such logs, in accordance with the procedure laid down for the same.
  2. Subsequently, logs shall be archived for a period of five years or the number of years as required by the laws or regulations governing RSGICL, whichever is later, and upon expiry of the said period, the logs shall be deleted except those records required to be retained by a court or required to be retained for any pending disputes.

 

5. Grievance Redressal

 

  1. RSGICL shall provide an effective grievance handling mechanism via multiple channels such as website, call-center, mobile application, SMS, physical center etc.
  2. RSGICL may share the authentication logs of an Aadhaar number holder with the concerned Aadhaar number holder upon his request or for grievance redressal and resolution of disputes or with the UIDAI for audit purposes.

 

6. Security Safeguards

 

  1. RSGICL has been classified as a local AUA by UIDAI and does not store the Aadhaar numbers of its customers.
  2. RSGICL shall ensure that authentication devices used to capture biometrics of Aadhaar number holder are STQC/UIDAI certified registered devices, which encrypt the biometric information at device level.
  3. RSGICL shall ensure that the core biometric information collected from the Aadhaar number holder is not stored, shared or published for any purpose whatsoever, and no copy of the core biometric information is retained with it.
  4. After collecting the Aadhaar number and necessary demographic and/or biometric information and/or OTP from the Aadhaar number holder, RSGICL’s client application shall immediately package and encrypt these input parameters into a PID block before any transmission, as per the specifications laid down by the UIDAI, and shall send it to the server of the requesting entity using secure protocols.
  5. RSGICL shall store, with consent of the Aadhaar number holder, e-KYC data of an Aadhaar number holder, received upon e-KYC authentication, in encrypted form.
  6. RSGICL shall maintain logs of the authentication transactions processed by it, containing the following transaction details:
    1. In case of Local AUAs where Aadhaar number is not returned by UIDAI and storage is not permitted, respective UID token shall be stored in place of Aadhaar number.
    2. Specified parameters of authentication request submitted
    3. Specified parameters received as authentication response
    4. Record of disclosure of information to the Aadhaar number holder at the time of authentication
    5. Record of consent of the Aadhaar number holder for authentication
  7. RSGICL shall store the keys used for digital signing of request XML and for decrypting e-KYC response data received from UIDAI in HSM, in compliance with the circular released by UIDAI in this matter.
  8. RSGICL shall ensure that the application used for Aadhaar authentication is audited by information system auditor(s) certified by STQC/CERT-IN and compliance audit report is submitted to UIDAI.
  9. RSGICL shall ensure that the operations and systems are audited by information systems auditor certified by a recognized body on an annual basis, to ensure compliance with the UIDAI’s standards and specifications.
  10. RSGICL shall conduct a background check and sign a confidentiality agreement/NDA with all personnel/agency handling Aadhaar related information.
  11. Periodic information security trainings shall be conducted for all RSGICL personnel involved in Aadhaar related authentication services. The training shall include all relevant security guidelines per the UIDAI information security policy for Authentication, Aadhaar Act, 2016 and Aadhaar Regulations, 2016 and all circulars/notices published from time to time.
  12. RSGICL shall not publish any personally identifiable data, including Aadhaar, in the public domain, on websites etc.
  13. RSGICL shall ensure that its servers used for Aadhaar authentication operations are located within data centers in India.
  14. RSGICL shall ensure compliance with the Aadhaar Act 2016 and its regulations, the Aadhaar and Other Laws (Amendment) Act 2019 and various other circulars and notices released by UIDAI from time to time.