Finance minister Arun Jaitley, in his recent budget speech, assured statutory backing for the Aadhaar programme, which his NDA government plans to use to curtail wasteful expenditure on subsidies and government service delivery by identifying intended beneficiaries and targeting the disbursement of such benefits.
The Lok Sabha passed the Aadhaar bill on Friday to make sure its subsidies and services reach the people directly, thereby going beyond the scheme’s current mandate of assigning a unique identity to residents.
First mooted by Nandan Nilekani in 2009, the concept of using a citizen-centric unique identification mechanism was embraced by the UPA government via an executive notification. However, as the gamut of citizens’ personal information collected by the government began increasing, there were demands to make this process more accountable and transparent in its operations.
After two failed attempts by the UPA Government, in 2010 and 2013, to establish the National Identification Authority of India (NIAI), the Aadhaar (Targeted delivery of financial and other subsidies, benefits and services) Bill, 2016 provides for the establishment of a Unique Identification Authority of India (UIDAI). Coming on the back of a pending Supreme Court case to address apprehensions about the lack of adequate provisions to protect the privacy of citizens, this bill is expected to have a far-reaching impact on the way citizens’ data is collected, used, shared and protected from misuse by government agencies.
The bill defines a subsidy as any form of aid, support, grant, subvention, or appropriation, in cash or kind, provided by the central government to an individual or a group of individuals, and mandates that the beneficiary furnish or enroll for an Aadhaar number while seeking benefits. However, it goes on to state that if an Aadhaar number is not assigned to an individual, the individual shall be offered alternate and viable means of identification for delivery of the subsidy or service by the government.
The bill draws heavily from the National Identification Authority of India (NIAI) Bill (2010) in nature and scope, but has some significant additions, primarily focused on bringing more clarity to definitions, incorporating provisions protecting citizen data privacy and widening the scope of penal provisions for unauthorized access to citizens’ personal information. It classifies the personal information collected from citizens into four main categories:
* Biometric Information, which includes photograph, fingerprints, iris scan and other biographic attributes.
* Core Biographic Information, which includes all Biographic Information except for the photograph of the individual.
* Demographic Information, which includes an individual’s name, date of birth and address, but does not include information about race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history.
* Identity Information, which includes an individual’s Aadhaar number, biometric information and demographic information.
In an attempt to incorporate privacy principles in the legislation, the bill mandates that the agency in charge of enrolling citizens in the Aadhaar database inform the citizen about how the information will be used, with whom it might be shared and the citizen’s right to access this information for making changes, if necessary. As for storage of information, the bill mandates that the UIDAI create a Central Identities Data Repository (CIDR) and put in place measures to ensure the security of this database. The bill also introduces the concept of a ‘Requesting Agency’, i.e. the agency that collects identity information from citizens to authenticate it against the CIDR. The requesting agency is supposed to obtain the explicit consent of the individual before collecting information for the purpose of authentication. Further, it should also ensure that the information is only sent to the CIDR and inform the user about how this information will be used.
The government has already been reprimanded by the Supreme Court over the possible misuse of citizen information, and the lessons learnt are reflected in the various clauses of the bill. The bill puts the entire onus of ensuring the security of citizens’ identity information and authentication records on the UIDAI. It strictly mandates that core biometric information cannot be shared with anyone for any reason and should not be used for any reason other than generating an Aadhaar number. More importantly, the bill has provisions against government agencies disclosing citizens’ identity information in the public domain.
Interestingly, these penal provisions apply to offences committed outside India by any person, irrespective of his nationality.
There are special clauses in the Aadhaar Bill that allow for access to the CIDR through a court order issued by a District Magistrate or above, after a hearing has been granted to the UIDAI in this regard. There is also a special “National Interest” clause that allows an officer above the rank of Joint Secretary to the Government of India to issue directives on behalf of the central government for access to information with the CIDR. Such a directive, however, needs to be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, and would be valid only for a period of three months. It is expected that this is used in the rarest of rare cases and not for blanket surveillance activities.
In its present form, the bill manages to tick most of the boxes that guarantee citizens a high degree of control over the personally identifiable information that they share with different government agencies. It is, however, found lacking in parliamentary oversight of the operation of the UIDAI: there is no provision for the constitution of a parliamentary selection committee to appoint the Chairman of the UIDAI, and the clause providing for an Identity Review Committee to annually review the work of the UIDAI is missing from this bill as well. While the Finance Minister talked about putting in place ‘sunset’ clauses for all schemes announced after the Budget, this Bill does not incorporate any timelines for ensuring speedier enrollments for Aadhaar, nor does it incentivise enrollment. It is expected that the UIDAI will also put in place a grievance redressal mechanism for citizens to report irregularities with their personally identifiable information, as such a provision is presently missing in the Bill.
While the debate was centered on the constitutionality of introducing the bill as a Money Bill in the Lok Sabha, the need of the hour is to have a public debate around the various shortcomings of this bill. This bill will lay the foundation for including terms to secure citizens’ personal information by agencies that collect and process it. The government should also look at introducing amendments to other acts that permit the collection of information, such as the Census Tax Act (1948), Income Tax Act (1961), Passport Act (1967) etc., and align them with the strong penal provisions in this bill.
The author is a policy analyst in the information security and data privacy domain.