“UIDAI has urged REs (requesting entities), which carry out online authentications, to ensure that residents understand the type of data being collected and the purpose of Aadhaar authentications," said the Ministry of Electronics and Information Technology.
The authority underlined that logs of authentication transactions including the consent taken are kept only for the period as prescribed in the Aadhaar Regulations. Purging of such logs after the expiry of the said time period will also be done as per the Aadhaar Act and its regulations.
REs are engaged in providing Aadhaar authentication services to residents and are responsible for submitting the Aadhaar number and demographic/ biometric OTP information to the Central Identities Data Repository for the purpose of authentication.
“UIDAI highlighted that REs should be courteous to residents and assure them about the security and confidentiality of the Aadhaar numbers, which are being used for authentication transactions," the ministry added.
The Authority also asked REs to immediately report to the UIDAI about any suspicious activity around authentications like suspected impersonation by residents, or any compromise or fraud by any authentication operator.
“RE should not store Aadhaar either in physical or electronic form without masking or redacting the first 8 digits of the Aadhaar number. UIDAI has guided REs to store an Aadhaar number only if it is authorized to do so, and in the manner as prescribed by the UIDAI," the ministry said.
It further asked REs to provide effective grievance-handling mechanisms for residents and cooperate with UIDAI and other agencies deputed by it for any security audit as required under the law and regulations.