1. Terms and Definitions
- a) "Aadhaar number" means an identification number issued to an individual under sub-section (3) of section 3, and includes any alternative virtual identity generated under sub-section (4) of that section.
Reference: Section 2(a) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 and Section 3(i)(a) of the Aadhaar and Other Laws (Amendment) Act, 2019
- b) "Aadhaar Data Vault" (ADV) means a separate secure database/vault/system where the entities mandatorily store Aadhaar numbers and any connected data such that it will be the only place where the said data will be stored.
Reference: Point number (a) Circular No. 11020/205/2017 – UIDAI (Auth-I), dated 25.07.2017
- c) "Anonymization" in relation to personal data, means such irreversible process of transforming or converting personal data to a form in which an individual cannot be identified, which meets the standards of irreversibility.
Reference: Section 3 (2) of the Personal Data Protection Bill 2019
- d) "Authentication" means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it.
Reference: Section 2(c) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016
- e) "Authentication Service Agency" or "ASA" shall mean an entity providing necessary infrastructure for ensuring secure network connectivity and related services for enabling a requesting entity to perform authentication using the authentication facility provided by the Authority.
Reference: Regulation number 2(f) of the Aadhaar (Authentication) Regulations, 2016
- f) "Authentication User Agency" or "AUA" means a requesting entity that uses the Yes/No authentication facility provided by the Authority. Here, the requesting entity is Smart Payment Solutions Private Limited (SPSPL).
Reference: Regulation number 2(g) of the Aadhaar (Authentication) Regulations, 2016
- g) "Authority" means the Unique Identification Authority of India established under sub-section (1) of section 11 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016.
Reference: Section 2(e) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016
- h) "Biometric information" means photograph, fingerprint, iris scan, or such other biological attributes of an individual as may be specified by regulations.
Reference: Section 2(g) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016
- i) "Central Identities Data Repository" (CIDR) means a centralised database in one or more locations containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto.
Reference: Section 2(h) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016
- j) "Consent" means the consent referred to in section 11 of the PDP Bill 2019.
Reference: Section 11 of PDP Bill 2019 (given below)
11. (1) The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing.
(2) The consent of the data principal shall not be valid, unless such consent is—
(a) free, having regard to whether it complies with the standard specified under section 14 of the Indian Contract Act, 1872;
(b) informed, having regard to whether the data principal has been provided with the information required under section 7;
(c) specific, having regard to whether the data principal can determine the scope of consent in respect of the purpose of processing;
(d) clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and
(e) capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.
(3) In addition to the provisions contained in sub-section (2), the consent of the data principal in respect of processing of any sensitive personal data shall be explicitly obtained—
(a) after informing him the purpose of, or operation in, processing which is likely to cause significant harm to the data principal;
(b) in clear terms without recourse to inference from conduct in a context; and
(c) after giving him the choice of separately consenting to the purposes of, operations in, the use of different categories of, sensitive personal data relevant to processing.
(4) The provision of any goods or services or the quality thereof, or the performance of any contract, or the enjoyment of any legal right or claim, shall not be made conditional on the consent to the processing of any personal data not necessary for that purpose.
(5) The burden of proof that the consent has been given by the data principal for processing of the personal data under this section shall be on the data fiduciary.
(6) Where the data principal withdraws his consent from the processing of any personal data without any valid reason, all legal consequences for the effects of such withdrawal shall be borne by such data principal.
- k) "De-identification" means the process by which a data fiduciary or data processor may remove, or mask identifiers from personal data, or replace them with such other fictitious name or code that is unique to an individual but does not, on its own, directly identify the data principal;
Reference: Section 3(16) of the Personal Data Protection Bill 2019
- l) "Demographic information" includes information relating to the name, date of birth, address and other relevant information of an individual, as may be specified by regulations for the purpose of issuing an Aadhaar number, but shall not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.
Reference: Section 2(k) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016
- m) "e-KYC User Agency" or "KUA" shall mean a requesting entity which, in addition to being an AUA, uses e-KYC authentication facility provided by the Authority.
Reference: Regulation number 2(l) of the Aadhaar (Authentication) Regulations, 2016
- n) "Global AUAs" means the agencies which will have access to full e-KYC (with Aadhaar number) and the ability to store Aadhaar number within their system.
Reference: Point number 9(a) of Circular No. 1 of 2018, F. No. K-11020/217/2018-UIDAI (Auth-I), dated 10th January 2018
- o) "Local AUAs" means the agencies which will only have access to Limited KYC and will not be allowed to store Aadhaar number within their systems.
Reference: Point number 9(b) of Circular No. 1 of 2018, F. No. K-11020/217/2018-UIDAI (Auth-I), dated 10th January 2018
- p) "Hardware Security Module (HSM)" means a device that will store the keys used for digital signing of Auth XML and decryption of e-KYC response data received from UIDAI.
Reference: Point number 4 of Circular No. 11020/204/2017 – UIDAI (Auth-I), dated 22.06.2017
- q) "Identity information" in respect of an individual, includes his Aadhaar number, his biometric information and his demographic information.
Reference: Section 2(n) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016
- r) "Limited KYC" means the service that does not return Aadhaar number and only provides an agency specific unique UID Token along with other demographic fields that are shared with the Local AUAs depending upon its need.
Reference: Point number 3 (II) and 9(b) of Circular No. 1 of 2018, F. No. K-11020/217/2018-UIDAI (Auth-I), dated 10th January 2018
- s) "PID Block" means the Personal Identity Data element which includes necessary demographic and/or biometric and/or OTP collected from the Aadhaar number holder during authentication.
Reference: Regulation number 2(n) of the Aadhaar (Authentication) Regulations, 2016
- t) "Personal data" means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling;
Reference: Section 3(28) of the Personal Data Protection Bill 2019
- u) "Personnel" means all the employees, staff and other individuals employed/contracted by the requesting entities;
Reference: Regulation number 2 (1) (f) of Aadhaar (Data Security) Regulations 2016
- v) "Processing" in relation to personal data, means an operation or set of operations performed on personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;
Reference: Section 3(31) of the Personal Data Protection Bill 2019
- w) "Reference Key" means an additional key which is mapped with each Aadhaar number stored in the Aadhaar data vault.
Reference: Point number (c) Circular No. 11020/205/2017 – UIDAI (Auth-I), dated 25.07.2017
- x) "Requesting Entity" means an agency or person that submits the Aadhaar number, and demographic information or biometric information, of an individual to the Central Identities Data Repository for authentication.
Reference: Section 2(u) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016
- y) "Resident" means an individual who has resided in India for a period or periods amounting in all to one hundred and eighty-two days or more in the twelve months immediately preceding the date of application for enrolment.
Reference: Section 2(v) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016
- z) "Sensitive personal data or information" means such personal information which consists of information relating to:
  - password;
  - financial information such as Bank account or credit card or debit card or other payment instrument details;
  - physical, physiological and mental health condition;
  - sexual orientation;
  - medical records and history;
  - Biometric information;
  - any detail relating to the above clauses as provided to body corporate for providing service;
  - any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise;
provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
Reference: Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- aa) "UID Token" means a 72-character alphanumeric string returned by UIDAI in response to the authentication and Limited KYC request. It will be unique for each Aadhaar number for a particular entity (AUA/Sub-AUA) and will remain the same for an Aadhaar number for all authentication requests by that particular entity.
Reference: Point number 10 of Circular No. 1 of 2018, F. No. K-11020/217/2018-UIDAI (Auth-I), dated 10th January 2018
- bb) "Virtual ID (VID)" means any alternative virtual identity issued as an alternative to the actual Aadhaar number of an individual that shall be generated by the Authority in such manner as may be specified by regulations.
Reference: Section 3 (4) of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 and Section 4 of the Aadhaar and Other Laws (Amendment) Act, 2019
2. Purpose
The purpose of this policy is to provide direction to the various stakeholders and responsible personnel within SPSPL to protect personal data of Aadhaar number holders in compliance with the relevant provisions of the Aadhaar Act, 2016; the Aadhaar and Other Laws (Amendment) Act, 2019; the Aadhaar (Authentication) Regulations, 2016; the Aadhaar (Data Security) Regulations; the Aadhaar (Sharing of Information) Regulations, 2016; and the Information Technology Act, 2000, and regulations thereunder.
3. Personal Data collection
a. SPSPL shall collect the personal data, including Aadhaar number/Virtual ID, directly from the Aadhaar number holder for conducting authentication with UIDAI at the time of providing the services.
4. Specific purpose for collection of Personal data
- The Identity information including Aadhaar number / Virtual ID shall be collected for the purpose of authentication of Aadhaar number holder to provide on-line KYC compliance before providing the wallet services through its platform as per applicable KYC compliance norms.
- The identity information collected and processed shall only be used pursuant to applicable law and as permitted under the Aadhaar Act 2016 or its Amendment and Regulations.
- The identity information shall not be used beyond the mentioned purpose without consent from the Aadhaar number holder, and even with consent, use of such information for other purposes should fall within the permissible purposes under the Aadhaar Act 2016.
- Process shall be implemented to ensure that Identity information is not used beyond the purposes mentioned in the notice/consent form provided to the Aadhaar number holder.
5. Notice / Disclosure of Information to Aadhaar number holder
- The purpose for which personal data / identity information is being collected;
- The information that shall be returned by UIDAI upon authentication;
- Whether the submission of Aadhaar number or the proof of Aadhaar is mandatory or voluntary for the specified purpose and, if mandatory, the legal provision mandating it;
- The alternatives to submission of identity information (if applicable);
- Details of Section 7 notification (if applicable)...;
- The information that Virtual ID can be used in lieu of Aadhaar number at the time of Authentication;
- The name and address of SPSPL, the entity collecting and processing the personal data;
b) The Aadhaar number holder shall be notified of the authentication through e-mail, phone or SMS at the time of authentication, and SPSPL shall maintain logs of the same.
6. Obtaining Consent
- Upon notice / disclosure of information to the Aadhaar number holder, consent shall be taken in writing or in electronic form...;
- Legal department shall be involved in vetting the method of taking consent and logging of the same, and formal approval shall be recorded from the legal department;
7. Processing of Personal data
- The identity information... shall only be used for the Aadhaar authentication process by submitting it to the CIDR.
- Aadhaar authentication or e-KYC shall be used for specific purposes declared and permitted by UIDAI and notified at the time of authentication.
- SPSPL shall not use the Identity information for any other purposes than allowed under applicable law and informed at the time of Authentication.
- e-KYC demographic details received from UIDAI shall be used only for identification for the specified services and duration.
8. Retention of Personal Data
a) The authentication transaction logs shall be stored for a period of two years, after which they shall be archived for a period of five years or as per applicable regulations. Upon expiry of the retention period (unless required by court order or due to a pending dispute), the logs shall be deleted.
9. Sharing of Personal Data
- a) Identity information shall not be shared in violation of the Aadhaar Act 2016, amendments, regulations, and UIDAI circulars.
- b) Biometric information shall not be transmitted unless encrypted via PID block as per regulations.
- c) Aadhaar numbers shall not be transmitted over the Internet unless securely encrypted, except for correction or grievance purposes.
10. Data Security
- a) Aadhaar data must be securely collected, transmitted, and stored as per UIDAI specifications.
- b) Biometric data shall be collected using UIDAI-certified devices that encrypt data at source.
- c) OTP data must be encrypted on the client device before secure transmission.
- d) Aadhaar/VID numbers and PID blocks must not be retained; only UIDAI response parameters should be stored.
- e) e-KYC data must be encrypted and stored according to UIDAI standards.
- f) As a Local AUA, SPSPL shall not store Aadhaar numbers to ensure privacy.
- g) As a Global AUA/KUA (if applicable), Aadhaar numbers must be encrypted and stored in the Aadhaar Data Vault only.
- h) Encryption and signing keys shall be stored only in HSMs.
- i) Only STQC/UIDAI-certified biometric devices may be used.
- j) Authentication apps must undergo compliance testing and annual audits by UIDAI-approved auditors.
- k) UIDAI must be notified in case of a breach, including breach impact, affected individuals, contact info, and mitigation actions.
- l) NDAs must cover security and confidentiality for personnel handling identity data.
- m) Only authorized individuals may access critical systems; access control lists must be maintained.
- n) Follow international best practices in data privacy and protection.
- o) Store CIDR authentication response logs including UID token, authentication parameters, disclosure, and consent records (not PID).
- p) Adopt an information security policy aligned with ISO27001 and UIDAI/Aadhaar standards.
- q) Aadhaar numbers shall be stored only in the Aadhaar Data Vault as per UIDAI guidelines.
11. Rights of the Aadhaar Number Holder
- a) Aadhaar holders can request updates to their identity data (excluding core biometric information).
- b) SPSPL shall provide a process to view and update identity data after authentication.
- c) Aadhaar holders may revoke consent to store e-KYC data; SPSPL must delete the data and confirm.
- d) Complaints may be lodged with the Privacy Officer overseeing data processing compliance.
12. Aadhaar Number Holder Access Request
- a) A process shall be in place to handle access and rights requests, requiring identity authentication first.
- b) All such requests shall be formally recorded and responded to within a reasonable timeframe.
- c) Compliance with applicable data protection and privacy laws must be ensured.
13. Privacy by Design
- a) Privacy must be embedded during the design phase of systems and processes involving Aadhaar data.
- b) Aadhaar numbers must not be disclosed unless redacted or anonymized.
- c) Proper notice and consent must be obtained in compliance with the Aadhaar Act before processing.
- d) Conduct quarterly self-assessments to ensure notice and consent compliance.
- e) Implement privacy-enhancing measures such as anonymization, de-identification, and data minimization.
14. Governance and Accountability Obligations
- a) A Privacy Committee shall be established to provide strategic direction on privacy matters.
- b) A designated Privacy Officer will be responsible for implementing and overseeing governance and accountability.
- c) The Privacy Officer’s name and contact shall be made available to UIDAI and relevant agencies.
- d) The Privacy Officer will assess and mitigate privacy risks related to identity data processing.
- e) The Privacy Officer shall be independent and involved in all identity data processing activities.
- f) The officer must be an expert in data protection and privacy laws and practices.
- g) The officer will advise top management on privacy obligations.
- h) The officer shall guide on high-risk processing and privacy impact assessments.
- i) Acts as a contact point for UIDAI and other agencies regarding privacy matters.
- j) Manages and responds to privacy incidents.
- k) Implements training and awareness programs about consequences of breaches.
- l) Ensures annual audits by CERT-IN/STQC-approved auditors of systems/applications.
- m) Conducts quarterly internal audits for Aadhaar compliance.
- n) Ensures front-end operators are trained on disclosure, consent, and data security, with audits documented.
- o) Provides Aadhaar-specific training to technical and support staff with documentation.
- p) Communicates policy to all relevant stakeholders; updates are promptly shared.
- q) Facilitates periodic performance reviews on privacy initiatives and compliance.
15. Transfer of Identity Information Outside India is Prohibited
a) Identity information shall not be hosted or transferred outside India as per Aadhaar Act and Regulations.
16. Grievance Redressal Mechanism
- a) Aadhaar holders can contact the Privacy Officer via website, phone, SMS, or mobile app for grievances.
- b) Ensure individuals are informed of the Privacy Officer's contact details.
- c) Display contact info and complaint format on the organization’s website and commonly used channels.
- d) For non-digital mediums, use posters or notice boards to display Privacy Officer details.
- e) If unresolved, redressal may be sought through Section 33B of the Aadhaar Act, 2016.
17. Responsibility for Implementation and Enforcement
- a) Monitoring and enforcement lie with Mr. Praveen Dhabhai, Director.
- b) Implementation of policy controls is also Mr. Praveen Dhabhai’s responsibility.
- c) Mr. Ankit Alhuwalia, Sr. Manager – Regulatory & Compliance, will handle reviews and consent logging.
18. Relevant Provisions of Aadhaar Act and Supreme Court Judgement
The following documents guide compliance:
- Judgement of the Hon'ble Supreme Court (Sep 2018)
- Aadhaar Act 2016
- Aadhaar and Other Laws (Amendment) Act 2019
- Aadhaar (Authentication) Regulations 2016
- Aadhaar (Data Security) Regulations 2016
- Aadhaar (Sharing of Information) Regulations 2016
- Other notices and circulars issued by UIDAI
19. Contact Details
Name of Privacy Officer: Praveen Dhabhai
Phone: 9717798566
Email: praveen.dhabhai@payworldindia.com