Aug 30, 2017 | 17:39 IST | by Times Now, TNN Reports
Bengaluru: The government’s Aadhaar push received a massive jolt a few days ago when the Supreme Court declared Right to Privacy as fundamental under Article 21 of the Constitution.
While the privacy judgement came as a blow to the government, putting its Aadhaar mandate at risk, a right to information plea has now revealed a major flaw.
Begaluru-based RTI activist Col Matthew Thomas, who filed the RTI, said the Unique Identification Authority of India (UIDAI), responsible for storing biometric Aadhaar data, signed contracts with foreign firms earlier to give them “full access” to classified data such as fingerprints, iris scan info, and other personal information like date of birth, address and mobile number of the card holders or applicants.
They were also allowed to store all the data for seven years, reported The Times of India. The RTI was filed by one of the petitioners in the Aadhaar privacy case.
Contrary to the UIDAI’s previous statement, which stated that no private entity had access to unencrypted Aadhaar data, the RTI reply made it clear that some of the rules regarding data sharing were violated.
Contrary to the UIDAI’s previous statement, which stated that no private entity had access to unencrypted Aadhaar data, the RTI reply made it clear that some of the rules regarding data sharing were violated.
As per the reply, the contract with one of the biometric service providers (BSPs), US-based L-1 Identity Solutions Operating Co Pvt Ltd – now taken over by French transnational Safran Group) - was given access to Aadhaar database “as part of its job”.
Two others firms, Morpho and Accenture Services Pvt Ltd were given identical 2-year accessibility contracts from 2012 to 14’.
As per Clause 15.1 of the contract awarded to these foreign entities, titled ‘Data and Hardware’, the companies had access to personal data of the “purchaser” or the applicant.
Also read: Linking Aadhaar to PAN in national interest; prevents money laundering: Ravi Shankar Prasad
By virtue of the contract, firms “may have access to personal data of the purchaser (UID), and/or a third party or any resident of India..."
In addition, Clause 3 of the contract that deals with privacy, highlighted that BSP could “collect, use, transfer, store and process the data".
The contract further empowered the BSPs to “process all personal data” in accordance with applicable law and regulation, but barred them from disclosing such information elsewhere. The contract, however, does not discuss what it means by ‘personal data’.
An advocate who explained the contract to TOI, said, “If the contract does not define it, then we must go by the definitions given by UIDAI as part of the project."
In such a scenario, the UIDAI defines ‘personal data’ as biometric (fingerprints and iris) and demographic data (name, date of birth, address, mobile number). Demographic data may also furnish other information such as bank details, licence number, PAN number, passport number, and other KYC details.
The UIDAI, in one of the clauses mentioned in the identical contracts awarded to the companies, said that in the event of termination or expiry of contract, the firms "shall transfer all the proprietary templates to UIDAI".
In view of this, the RTI activist Thomas slammed the UIDAI and questioned them. “If the fir,s did not have any biometric data, what were they (the companies) expected to transfer? Why can't the UIDAI just come out in the open with all the contract details?"
The UIDAI maintains that it had purchased all the software and hardware for the rollout of Aadhaar programme, but the contracts establish that BSPs were responsible for providing hardware for the first one crore enrolments