CHAPTER VI
PROTECTION OF INFORMATION
28. (1) The Authority shall ensure the security of identity information and
authentication records of individuals.
(2) Subject to the provisions of this Act, the Authority shall ensure confidentiality of
identity information and authentication records of individuals.
(3) The Authority shall take all necessary measures to ensure that the information in
the possession or control of the Authority, including information stored in the Central
Identities Data Repository, is secured and protected against access, use or disclosure not
permitted under this Act or regulations made thereunder, and against accidental or intentional
destruction, loss or damage.
(4) Without prejudice to sub-sections (1) and (2), the Authority shall—
(a) adopt and implement appropriate technical and organisational security
measures;
(b) ensure that the agencies, consultants, advisors or other persons appointed
or engaged for performing any function of the Authority under this Act, have in place
appropriate technical and organisational security measures for the information; and
(c) ensure that the agreements or arrangements entered into with such agencies,
consultants, advisors or other persons, impose obligations equivalent to those
imposed on the Authority under this Act, and require such agencies, consultants,
advisors and other persons to act only on instructions from the Authority.
(5) Notwithstanding anything contained in any other law for the time being in force,
and save as otherwise provided in this Act, the Authority or any of its officers or other
employees or any agency that maintains the Central Identities Data Repository shall not,
whether during his service or thereafter, reveal any information stored in the Central Identities
Data Repository or authentication record to anyone:
Provided that an Aadhaar number holder may request the Authority to provide access
to his identity information excluding his core biometric information in such manner as may
be specified by regulations.
29. (1) No core biometric information, collected or created under this Act, shall be—
(a) shared with anyone for any reason whatsoever; or
(b) used for any purpose other than generation of Aadhaar numbers and
authentication under this Act.
(2) The identity information, other than core biometric information, collected or created
under this Act may be shared only in accordance with the provisions of this Act and in
such manner as may be specified by regulations.
(3) No identity information available with a requesting entity shall be—
(a) used for any purpose, other than that specified to the individual at the time
of submitting any identity information for authentication; or
(b) disclosed further, except with the prior consent of the individual to whom
such information relates.
(4) No Aadhaar number or core biometric information collected or created under this
Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly,
except for the purposes as may be specified by regulations.
30. The biometric information collected and stored in electronic form, in accordance
with this Act and regulations made thereunder, shall be deemed to be “electronic record”
and “sensitive personal data or information”, and the provisions contained in the Information
Technology Act, 2000 and the rules made thereunder shall apply to such information, in
addition to, and to the extent not in derogation of the provisions of this Act.
Explanation.— For the purposes of this section, the expressions—
(a) “electronic form” shall have the same meaning as assigned to it in clause (r)
of sub-section (1) of section 2 of the Information Technology Act, 2000;
(b) “electronic record” shall have the same meaning as assigned to it in
clause (t) of sub-section (1) of section 2 of the Information Technology Act, 2000;
(c) “sensitive personal data or information” shall have the same meaning as
assigned to it in clause (iii) of the Explanation to section 43A of the Information
Technology Act, 2000.
31. (1) In case any demographic information of an Aadhaar number holder is found
incorrect or changes subsequently, the Aadhaar number holder shall request the Authority
to alter such demographic information in his record in the Central Identities Data Repository
in such manner as may be specified by regulations.
(2) In case any biometric information of Aadhaar number holder is lost or changes
subsequently for any reason, the Aadhaar number holder shall request the Authority to
make necessary alteration in his record in the Central Identities Data Repository in such
manner as may be specified by regulations.
(3) On receipt of any request under sub-section (1) or sub-section (2), the Authority
may, if it is satisfied, make such alteration as may be required in the record relating to such
Aadhaar number holder and intimate such alteration to the concerned Aadhaar number
holder.
(4) No identity information in the Central Identities Data Repository shall be altered
except in the manner provided in this Act or regulations made in this behalf.
32. (1) The Authority shall maintain authentication records in such manner and for
such period as may be specified by regulations.
(2) Every Aadhaar number holder shall be entitled to obtain his authentication record
in such manner as may be specified by regulations.
(3) The Authority shall not, either by itself or through any entity under its control,
collect, keep or maintain any information about the purpose of authentication.
33. (1) Nothing contained in sub-section (2) or sub-section (5) of section 28 or
sub-section (2) of section 29 shall apply in respect of any disclosure of information, including
identity information or authentication records, made pursuant to an order of a court not
inferior to that of a District Judge:
Provided that no order by the court under this sub-section shall be made without
giving an opportunity of hearing to the Authority.
(2) Nothing contained in sub-section (2) or sub-section (5) of section 28 and
clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in
respect of any disclosure of information, including identity information or authentication
records, made in the interest of national security in pursuance of a direction of an officer not
below the rank of Joint Secretary to the Government of India specially authorised in this
behalf by an order of the Central Government:
Provided that every direction issued under this sub-section, shall be reviewed by an
Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the
Government of India in the Department of Legal Affairs and the Department of Electronics
and Information Technology, before it takes effect:
Provided further that any direction issued under this sub-section shall be valid for a
period of three months from the date of its issue, which may be extended for a further period
of three months after the review by the Oversight Committee.