The debate over the security of data collected and stored under the Aadhaar project is heating up. While the Unique Identification Project has always had strong supporters and equally strong detractors, the latest controversy has been sparked off by an alleged breach of biometric data.
On 25 February, Mint reported that the Unique Identification Authority of India (UIDAI) had detected a breach of biometric data and filed a police complaint on 15 February against Axis Bank Ltd, business correspondent Suvidhaa Infoserve and e-sign provider eMudhra with the allegation of impersonation using illegally stored biometric information.
These entities deny storage of any data and claim that the business correspondent was merely testing the platform which accidentally sent authentication requests to the live server instead of the testing
one.
Still, the incident has sparked concerns about the security of data in the possession with the UIDAI and also the redressal mechanism in the case of a breach like this.
Interestingly, it turns out that the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act is silent on making the UIDAI liable for reporting any breaches.
Legal experts point out that while the international principles of data collection require that any breach or abnormal activity be revealed to the users and authorities quickly, the Aadhaar regulations give no such assurance.
While banks are not required to disclose details of the breach to the public, they are required to report it to regulators immediately. Customer protection provisions also ensure deposit protection to some extent.