As a five-judge bench of the Supreme Court gets ready to hear petitions on Tuesday and Wednesday challenging the government’s decision to make Aadhaar mandatory for accessing vital services, Ajay Bhushan Pandey, chief executive officer of the Unique Identification Authority of India, spoke with Scroll.in on Monday. The Authority is the nodal agency that maintains the database of the biometrics-based 12-digit unique identification number that the Centre wants all Indian residents to have.

Pandey said the Unique Identification Authority of India is vigilant about data breaches and citizens should not be too concerned even if their Aadhaar numbers are leaked. His comments come in the backdrop of numerous reports of the personal details of Aadhaar holders being leaked, and close on the heels of an alleged security breach of telecommunications major Reliance Jio Infocomm’s database last week.

Affirming that Aadhaar data sits securely on the Authority’s servers, Pandey, however, said there have been several instances of the Aadhaar Act’s enrolment guidelines being violated. As a result of this, the Authority has penalised close to 5,000 operators. These violations ranged from sending people away when they showed up at the enrolment centre to demanding money for enrolment or updating of information in the Aadhaar database.

Excerpts from the interview:

Many private companies are building parallel databases using Aadhaar authentication, which adds Aadhaar numbers to their data banks. Are there enough safeguards and legal recourses available to people in case of a breach?
You see, Aadhaar data is not with anyone. Aadhaar data means your biometric and demographic data and Aadhaar number are securely with us. What private companies have is their own database and the corresponding Aadhaar number. It is just that the 12-digit number is there. We have a very strict protocol saying that the number should not be misused and should be used only for the purpose it was obtained for, and that it must not be leaked or shared and so on.

If anything happens, then it is a criminal offence. If the person does it knowingly, then it is a criminal offence. If the person fails to protect Aadhaar data, then it is a case of criminal negligence for which the person can be held criminally liable under the Aadhaar Act, and for such cases we do this.

This is the punishment that can be taken against a person who has leaked Aadhaar data.

But those who get impacted…
What I would like people to understand is that Aadhaar is not a secret number like your password or PIN [personal identification number], which can materially affect your life tomorrow if it is leaked without your knowledge. It is not like your Aadhaar number is leaked and your bank account gets emptied out.

In case of Aadhaar, let us say the 12 digits are leaked. The question is, by merely knowing your Aadhaar number, will someone be able to harm you? My answer is no. The Aadhaar number by itself does not give away any information. It has to be used with biometrics. Or, you know, it has to be used with the one-time password that is sent to your phone for a transaction.

Let us take another example. Aadhaar is not a secret number but it is personally sensitive information. Let me give you a parallel. The bank account number is also a personally sensitive number. We say that it should not be publicly disclosed. But suppose it is known to the public, is your bank account then at risk? Even if your bank account number is known, it does not put you at any risk.

But at the same time, you would not like sensitive personal information to be freely available to the outer world. We are being so particular that even though we say that your Aadhaar number is not secret, we also say that you should protect it. But in case the number does get out, should people be worried? My answer is no. People reveal their Aadhaar number, bank account number and address all the time. Your biometrics are with you; you cannot be impersonated. But if your biometrics are disclosed, then that could be a problem.

Recently, there have been multiple leaks from the government end with ministries and departments found to be sharing Aadhaar and other information of people on their websites.
What happened was that several government departments were disclosing Aadhaar numbers, names, addresses and bank account numbers. And the reason they gave us when we asked them was that they had divulged this data under the Right to Information Act. When we told them that they should not display such information, they immediately complied. We have asked them to be careful in future. However, by publishing these numbers, the people have not been put at risk.

Why then are we bothered about these data breaches if the leaking of the Aadhaar number cannot hurt its holder?
If everyone starts publishing Aadhaar numbers, there is a danger that someone will make a 360-degree profile of you. So, unless and until we can prevent everyone from publishing your Aadhaar information freely, I cannot prevent such a profiling. If one person does it and if I stop it, I nip the problem in the bud and the threat of a 360-degree profiling ceases to exist.

Basically, we have prohibited publishing Aadhaar numbers to ensure that nobody can make a full profile of you and connect databases. That kind of harm has not been done yet. But at the same time, we will be very, very tough on anyone who does it; we will hold them accountable.

Did you file a case against any of these government departments for publishing Aadhaar numbers?
We did not file a case because there was no criminal intent. It was a question of understanding. They thought they were doing something under the Right to Information Act. We asked them not to do it and they complied. But suppose they had continued to do so, then they would have become liable for action.

Earlier, there were reports of the licences of around 34,000 private operators who enrol people for Aadhaar being suspended. What has happened since then? Do you continue to monitor and take action against such operators?
See, our enrolment happens through the registrar. The registrar goes to an enrolment agency, which employs the operators. We have a strict quality control process, so we not only depend on complaints that we receive but also proactively monitor and see what is happening in the field.

Whenever such violations have been brought to our notice from the field, either through our own monitoring or through complaints, we have taken action. So we have taken action against these 34,000 people and imposed fines and we have also blacklisted some.

One complaint that we have been getting of late is that people visiting Aadhaar enrolment centres are being turned away or they are being asked to pay. In the case of information updates, they are being charged more than the amount specified. In all such instances, we impose a fine of Rs 10,000 for the first violation. In the case of a second violation, the fine goes up to Rs 50,000. We blacklist the operator on the third instance.

We have data on this. In the last seven months, we have fined or blacklisted about 4,700 private operators. We are also setting up an internal cell. The good thing about Aadhaar is that we have the address and number of every person enrolled. So instead of waiting for people to register a complaint, we call them and ask them how their Aadhaar enrolment experience was.