November 27, 2024 by Arjun Khandelwal & Vinay Venu
In recent years, the question of storing Aadhaar numbers has come up frequently from our customers. Given the sensitive nature of Aadhaar data and the legal implications of storing it, we took this as an opportunity to learn more about the topic to guide our approach. We share our learnings with you.
An Aadhaar number is a 12-digit unique identification number that is issued to Indian residents by the Unique Identification Authority of India (UIDAI) after satisfying the verification process laid down by the Authority. It serves as a proof of identity and a proof of address for residents of India.
The UIDAI was created to issue Aadhaar numbers that are:
Any resident of India may voluntarily enrol to obtain an Aadhaar number. The UIDAI issues an Aadhaar number to each resident after verifying their uniqueness and associating their demographic data with the number.
This is governed under the Aadhaar Act 2016.
There are three situations we have come across for store and use of Aadhaar information in field applications like Avni.
As per the Aadhaar Act, any agency doing lawful activities can collect Aadhaar number for knowing their customer.
However, there are regulations on the manner of collection, use, ciculations, transfer or publication of Aadhaar numbers or scanned images of Aadhaar card.
UIDAI has published detailed guidelines on how to collect consent in different scenarios. For a data collection system like Avni where users us an offline mobile application to collect and manage data, the possible means of notice and consent are
The Aadhaar Data Vault is a secure and centralized storage system mandated by UIDAI for storing Aadhaar numbers and associated data. Its primary purpose is to minimize the presence of Aadhaar numbers across an organization’s systems, thereby reducing the risk of unauthorized access or misuse. Each Aadhaar number is replaced with a unique reference key for operational use, ensuring that Aadhaar numbers remain inaccessible outside the vault. The vault must comply with strict encryption standards (e.g., AES 256) and be logically separated from other systems. Additionally, all access to the Aadhaar Data Vault must be highly restricted and on a need-to-know basis, with robust access controls in place.
When storing images of an Aadhaar card, the security requirements are lower. The image needs to be encrypted at rest and in transit and have sufficient protection on it.
Based on the regulatory requirements and features Avni provides, we recommend the following :
Many organisations have asked about the feasibility of storing Aadhaar information in Avni. Hopefully, this article introduces you to the regulations around use and storage of Aadhaar in data collection systems, the current capabilities of Avni and the nuances involved.
This article is for informational purposes only and is not intended as legal advice. Please consult a legal professional before acting on any information or views expressed here. While we strive for accuracy, we make no warranties, express or implied, regarding the content of this article.
As data security and compliance needs evolve, Avni remains committed to adapting its capabilities to support NGOs in managing sensitive information responsibly.