LAW RESOURCE INDIA

The National Identification Authority of India Bill, 2010

Posted in CONSTITUTION, GOVERNANCE, UID IDENTITY by NNLRJ INDIA on June 19, 2011

PRS LEGISLATIVE RESEARCH

The central government plans to issue a unique identification number (called Aadhaar) to every resident of India.  The number shall be linked to a resident’s demographic and biometric information.  A resident can use his Aadhaar number to identify himself anywhere in the country in order to access certain benefits and services.  The Bill seeks to establish the National Identification Authority and lay down the properties of Aadhaar, process of issuing the Aadhaar and safeguards for protection of privacy of Aadhaar number holders.

Highlights of the Bill

  • The Bill seeks to establish the National Identification Authority of India (NIAI) to issue unique identification numbers (called ‘Aadhaar’) to residents of India.
  • Every person residing in India is entitled to obtain an Aadhaar number after furnishing relevant demographic and biometric information.  No information related to race, religion, caste, language, income or health shall be collected.
  • The information collected shall be stored in the Central Identities Data Repository.  This shall be used to provide authentication services.
  • Sharing of data is prohibited except by the consent of the resident; by a court order; or for national security, if directed by an authorised official of the rank of Joint Secretary or above.
  • The Bill also establishes an Identity Review Committee which shall monitor the usage patterns of Aadhaar numbers.

Key Issues and Analysis

  • The Bill does not make it mandatory for an individual to enroll with the NIAI.  However, it does not prevent any service provider from prescribing Aadhaar as a mandatory requirement for availing services.
  • The information collected by NIAI may be shared with agencies engaged in delivery of public benefits and services with prior written consent of the Aadhaar holder.  The safeguards provided for preventing misuse of this information may be inadequate.
  • The Bill requires the NIAI to disclose identity information in the interest of national security, if so directed by an authorised officer.  The safeguards for protection of privacy differ from the Supreme Court guidelines on telephone tapping.
  • The Bill states that no court shall take cognizance of any offence, except on a complaint made by the NIAI.  This could result in a conflict of interest situation if the offence is committed by a member of the NIAI.
  • Details of demographic and biometric information to be recorded have been left to regulations.  This empowers the NIAI to collect additional information without prior approval from Parliament.

PART A: HIGHLIGHTS OF THE BILL

Context


At present, the central and the state governments in India issue different identity documents for specific purposes. These documents may be issued to individuals (passport, Election Card, PAN Card, driving license), or to households (ration card, Rashtriya Swasthya Bima Yojana card).1

In April 2000, a Group of Ministers was set up to review the national security system and to consider the recommendations of the Kargil Review Committee. The report on “Reforming the National Security System”, submitted in 2001, recommended that a multi-purpose National Identity Card (MNIC) should be issued, starting from the border districts.2 The purpose was to prepare a National Register of Indian Citizens.3 In 2003, the Citizenship Act, 1955 was amended to allow the central government to compulsorily register every citizen and issue them with identity cards.4 In March 2006, another project called the “Unique ID for the Below Poverty Line families” was approved by the Department of Information Technology. It was decided to merge the two schemes for which an Empowered Group of Ministers (chaired by Shri Pranab Mukherjee) was set up in December 2006.5

In November 2008, the EGoM approved certain decisions: (i) initially the Unique Identification Authority of India (UIDAI) would be notified as an executive authority (statutory authority to be constituted later); (ii) an initial database would be created from electoral rolls; (iii) UIDAI would take its own decision on how to build the database; and (iv) it would be anchored in the Planning Commission for five years.6 The UIDAI was notified by the Planning Commission on January 28, 2009 and Shri Nandan Nilekani was appointed as the Chairman.5

The Bill seeks to establish the National Identification Authority (earlier UIDAI) as a statutory authority and to specify its functions. It also entitles every resident of India to obtain a unique identification number.

Key Features


  • The National Identification Authority of India (NIAI) will issue unique identification numbers (called ‘Aadhaar’ numbers) to residents of India and any other category of people that may be specified. The NIAI shall have a chairperson and two part-time members.

Aadhaar Numbers

  • Every resident of India (regardless of citizenship) shall be entitled to obtain an Aadhaar number after furnishing demographic and biometric information. Demographic information shall include items such as name, age, gender and address. Biometric information shall include some biological attributes of the individual. Collection of information pertaining to race, religion, caste, language, income or health is specifically prohibited.
  • The Aadhaar number shall be issued after the information provided by the person is verified. It shall serve as proof of identity, subject to authentication. However, it should not be construed as proof of citizenship or domicile. The Aadhaar number holder may be required to update his biometric and demographic information.
  • The Aadhaar number shall be a random number and shall not bear any information of the individual. An Aadhaar number issued to an individual shall not be re-assigned to any other person.

Process of Issuing and Authenticating Aadhaar Numbers

  • There are three main steps in the process. First, information for each person shall be collected and verified after which an Aadhaar number shall be allotted. Second, the collected information shall be stored in a database called the Central Identities Data Repository. Finally, this repository shall be used to provide authentication services.
  • The NIAI shall appoint registrars and enrolling agencies to collect demographic and biometric information for the purpose of issuing Aadhaar numbers. Special measures shall be taken to issue Aadhaar numbers to certain groups such as women, children, migrant workers and others without a permanent address.
  • Service providers (such as banks, fair price shops etc.) may ask a customer to provide his Aadhaar number and biometrics as proof of identity. The service provider shall submit this information to NIAI through an electronic channel for online authentication. The NIAI, after verifying the correctness of the information provided, shall respond to the query with a positive or negative response but shall not divulge any demographic or biometric information.
  • The NIAI shall establish a grievance redressal mechanism to redress grievances of residents, registrars, enrolling agencies and service providers.

Disclosure of information

  • The NIAI shall be responsible for the security and confidentiality of information. It is required to take measures to protect information against loss or unauthorised access.
  • The NIAI or any agency which maintains the Central Identities Data Repository is forbidden from revealing any information stored in the repository.
  • There are four exceptions to this rule. First, an Aadhaar number holder may request the NIAI to provide access to his own identity information. He may also ask for information on authentication requests of his Aadhaar number. Second, the NIAI may share information of Aadhaar number holders, based on their written consent, with agencies engaged in delivery of public benefits and services. Third, the NIAI may reveal information in response to a court order. Finally, information may be revealed in the interest of national security, if directed by an authorised official of the rank of Joint Secretary or above in the central government.

Identity Review Committee

  • The central government may constitute an Identity Review Committee to analyse the extent and pattern of usage of Aadhaar numbers across the country. The Committee shall prepare a report annually and submit its recommendations to the central government. The report shall be laid before Parliament.
  • The Committee shall consist of a Chairperson and two members who shall be appointed on the advice of the Prime Minister, a Union Cabinet Minister and the Leader of Opposition in the Lok Sabha.

Offences and Penalties

  • The Bill lists several offences such as unauthorised collection of information, impersonation, manipulation of biometric information, and unauthorised access or damage to the Data Repository. Penalties vary from three years imprisonment and a fine of Rs 10,000 (for impersonation) to a fine of Rs 1 crore (for unauthorised access to the Data Repository). Penalties have also been prescribed for offences committed outside India.
  • The Bill states that no court shall take cognizance of any offence except on a complaint made by the NIAI.
PART B: KEY ISSUES AND ANALYSIS

The Bill aims to issue unique identification numbers to residents of India and to provide for a reliable method of identifying individuals. The UIDAI Strategy Overview7 states that identification will facilitate access to benefits and services, especially for vulnerable groups such as homeless persons, migrant labour etc. Issuance of biometric based identities is expected to reduce problems of identity frauds and ghost beneficiaries.

However, any database that stores personal information carries the risk of its misuse by various agencies (both public and private), which may affect an individual’s privacy. The UK National Identity Card scheme was scrapped in 2011. Some of the main reasons cited for scrapping the scheme were the cost of implementing the scheme and the infringement of civil liberties.8 The Real ID Act passed by the US in 2005 has also been opposed by many states on grounds of privacy and threat to data security.9

We discuss below the safeguards that are built into this Bill to protect Aadhaar holders against invasion of their privacy.

Enrolment – Voluntary or Mandatory


Clause 3(1)

The Bill does not make it mandatory for an individual to obtain an Aadhaar number. However, it does not prevent any service provider from prescribing Aadhaar as a mandatory requirement for availing services. This differs from the US where government agencies cannot deny benefits to individuals who do not possess or refuse to disclose their Social Security Number, unless specifically required by law.10

However, it must be noted that the success of Aadhaar in weeding out ‘ghost’ beneficiaries (in programmes such as the public distribution system) depends on mandatory enrollment. If enrollment is not mandatory, both authentication systems (identity card based and Aadhaar based) must coexist. In such a scenario, ‘ghost’ beneficiaries and people with multiple cards will choose to opt out of the Aadhaar system.

Safeguards for maintaining confidentiality and privacy of information


Information collected may be misused if safeguards to maintain privacy are inadequate. Though the Supreme Court has included privacy as part of the Right to Life,11 India does not have a specific law governing issues related to privacy. The government has formed a committee to draft a suitable law.12

We examine whether the Bill has sufficient safeguards if information is (a) shared with agencies engaged in delivery of public benefits and services; (b) disclosed to intelligence or law enforcement agencies; and (c) used to identify behaviour patterns through data mining.

Sharing information with agencies engaged in delivery of public benefits and services

Clause 23(1)(k)

The Bill allows NIAI to share the information of an Aadhaar number holder, based on his written consent, with agencies engaged in the delivery of public benefits and public services. However, it does not specify whether consent should be taken only once or at each instance a person avails of a new service. A one-time consent may be prone to misuse and this may affect an individual’s privacy.

Disclosure of information to intelligence or law enforcement agencies

Clause 33(b)

The Bill requires the NIAI to disclose information (including identity information of individuals) in the interest of national security. This will be on the direction of an authorised officer of the rank of Joint Secretary or above in the central government.

In 1996, the Supreme Court held that the state may tap telephones “only at the occurrence of any public emergency or in the interest of public safety” if (a) it is authorised by the Home Secretary of the central or state government; and (b) it is for a maximum period of six months. Each order of telephone tapping must also be investigated by a separate Review Committee within a period of two months from the date of issuance.13

The safeguards for protection of privacy in this Bill differ from those set out for phone tapping. First, the Bill permits sharing in the interest of ‘national security’ rather than for public emergency or public safety. Second, the order can be issued by an officer of the rank of Joint Secretary. Third, there is no limit for the time period for which the authentication data may be collected. Fourth, there is no mechanism for review.

Potential to profile individuals

The Bill does not specifically prohibit intelligence agencies from using the UID as a link (key) while running computer programmes across various datasets (such as telephone records, air travel records etc.) in order to recognise patterns of behaviour. Such techniques for pattern recognition can be used for various purposes such as detecting potential illegal activities.14 However, these can also lead to harassment of innocent individuals who get identified incorrectly as potential threats.15 As a safeguard against misuse, the US had introduced (but not passed) a legislation that required each agency that was engaged in data mining to submit an annual report to Congress on all such activities.16

Compensation for loss or unauthorised disclosure of information

Clauses 30, 37, 38, 39, 40

The Bill requires all persons with access to Aadhaar related information to keep it secure and confidential. It prescribes penalties for unauthorised access or intentional disclosure of information. However, it does not penalise any negligence that leads to loss of information. Also, it does not have a specific provision to compensate an individual in case his personal information is misused. This differs from the Information Technology Act, 2000, which states that a company handling ‘sensitive personal data’ is liable to pay compensation upto Rs 5 crore if it is ‘negligent in implementing and maintaining reasonable security practices and procedures’ with respect to such data.

Conflict of interest


Clause 46(1)

The Bill states that no court shall take cognizance of any offence punishable under the Act, except on a complaint made by the NIAI. Such a provision is usually included to ensure that the regulatory body vets all complaints before a criminal charge is filed.

However, unlike regulators such as the Securities and Exchange Board of India or the Reserve Bank of India, the NIAI also has a role in implementation and its members and employees have duties related to data security. This could result in a conflict of interest situation if the offence is committed by an employee of the NIAI.

Discretionary powers under delegated legislation


Regulation of demographic and biometric information to be recorded

Clause 2(e), (h)

Demographic information: The Bill empowers the NIAI to specify demographic information that may be recorded. The only restriction imposed on NIAI is that it shall not record information pertaining to race, religion, caste, language, income or health of the individual. Keeping this definition in the Regulations provides the NIAI with the power to collect additional personal information, without prior approval from Parliament.

It may be noted that the enrolment form currently being used contains fields for capturing information such as the National Population Register (NPR) receipt number, mobile number, bank account number, etc.17 Though these fields are labelled ‘optional’, it is unclear why this additional information is being recorded.

Biometric information: The definition of biometric information will be specified in the Regulations. Currently, the UIDAI is capturing 10 fingerprints, iris scan and photograph as biometric information of each resident.18 However, the Bill does not prevent it from collecting other biometric information such as DNA.

Storage of authentication information

Clause 32(1)

The NIAI is required to maintain details of every request for authentication and the response provided. The Bill does not specify the maximum duration for which authentication data may be stored by the NIAI. This has been left to Regulations. Authentication data provides insights into usage patterns of an Aadhaar number holder. Data that has been recorded over a long duration of time may be misused for activities such as profiling an individual’s behaviour.

Different dates for notification of different clauses

Clause 1(3)

Some clauses of the Bill provide the NIAI with the power to collect and maintain data. Some other clauses provide safeguards against misuse. The Bill contains a blanket provision that allows the central government to notify different clauses on different dates. There is no requirement that the safeguard clauses should come into force by the time the provisions enabling collection of data are notified.

Appendix 1: Possible Applications of UID


We list below some possible applications of the Aadhaar number in facilitating access to benefits and services.

Table 1: Potential benefits of UID

Application Potential Benefits Remarks
Proof of Identity The Aadhaar number would provide proof of identity to every resident including migrants, homeless people, etc. The number is unique to each individual and a person’s biometric information is linked to it. This could facilitate access to various services, which need identity proof. Presently, various identity cards such as PAN card, voter’s identity card, ration card etc are accepted as proof of identity. About 82% of the adult population have the election card, 74% of the population have ration cards and 38% of the population have Rashtriya Swasthya Bima Yojana card.
Public Distribution System The Aadhaar number can eliminate duplicate cards and cards for non-existent persons (estimated to be about 17% of all cards). It could also reduce diversion at Fair Price Shops by ensuring that goods are distributed to the beneficiaries only after their biometrics are verified. UID cannot address errors in targeting of Below Poverty Line (BPL) families. Some estimates suggest that about 61% of the eligible population is excluded from the BPL lists while 25% of the non-poor household are included in the BPL list.
Financial Inclusion RBI has declared Aadhaar to be sufficient proof of identity to open a bank account. It could also facilitate authentication with Business Correspondents in remote areas. Currently, 41% of the adult population do not have bank accounts.
National Rural Employment Guarantee Act, 2005 It would be possible to identify duplicate and fake beneficiaries of NREGA. UID cannot address other problems of NREGA such as incorrect measurement of work, payment delays etc.
Sources: “Envisioning a role for Aadhaar in the Public Distribution System,” Working Paper, UIDAI, 2010; Performance Evaluation of Targeted Public Distribution System, Planning Commission, March 2005; “Management of Food Grains,” 73rd Report of the Public Accounts Committee, 2007-08, “Report of the Expert Group to Advise the Ministry of Rural Development on the Methodology for Conducting the Below Poverty Line Census for the 11th Five Year Plan,” Chairperson: Shri N.C. Saxena, August 2009; Discussion Paper on Aadhaar based Financial Inclusion, Report of the Working Group to Review the Business Correspondent Model, RBI, August 2009, Know Your Customer Guidelines, RBI, 2004; UID and NREGA, Working Paper; Lok Sabha Unstarred Question No. 2357, Dec 3, 2009; Lok Sabha Unstarred Question no. 4135 Answered on Dec 15, 2009; Public Distribution System and Other Sources of Household Consumption, 2004-05, NSSO Report (see http://mospi.nic.in/press_note_510-Final.htm), Lok Sabha Unstarred Question no. 2838 Answered on March 14, 2011.

Notes

[1].  Report of the Committee on Financial Sector Reforms, Planning Commission, Govt of India, 2009

[2].  “Group of Ministers’ Report on Reforming the National Security System,” Press Information Bureau, May 23, 2001

[3].  “Parliamentary Consultative Committee of MHA discusses Multi-purpose National Identity Card Project,” Press Information Bureau, Aug 21, 2003

[4].  Section 12 of The Citizenship (Amendment) Act, 2003

[5].  Unique Identification Authority of India, Planning Commission, Govt of India (see http://uidai.gov.in)

[6].  “Government approves issue of unique identity (UID) number to all residents,” PIB, Nov, 10, 2008

[7]. “UIDAI Strategy Overview”, UIDAI, Planning Commission, Govt of India, April 2010

[8].   Identity Documents Act, 2010 cancelled the ID card; “Identity cards scheme will be axed ‘within 100 days,’ BBC News, May 27, 2010; House of Commons debate on Identity Documents Bill on 9th July, 2010 (see http://www.publications.parliament.uk/pa/cm201011/cmhansrd/cm100609/debtext/100609-0006.htm).

[9].  Real ID Act, 2005 (see http://thomas.loc.gov/cgi-bin/bdquery/z?d109:H.R.418:).

[10]. Section 7 of the Privacy Act, 1974 (see http://www.justice.gov/opcl/1974ssnu.htm).

[11].  See, for example, Kharak Singh vs State of UP, 1 SCR 332 (1964) and R. Rajagopal v. State of T.N (1994) 6 SCC 632.

[12].  “Approach Paper for a Legislation on Privacy,” Oct 18, 2010, Ministry of Personnel, Public Grievances and Pensions, Govt of India.

[13]. Writ Petition (C) No. 256 of 1991, People’s Union of Civil Liberties (PUCL) Vs. Union of India (UOI)

[14].  “Data Mining: Federal Efforts Cover a Wide Range of Uses,” US General Accounting Office, May 2004.

[15].  Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms

while countering terrorism, Martin Scheinin, UN Human Rights Council, Dec 28, 2009.

[16].  US Federal Agency Data Mining Reporting Act of 2007 (Introduced on Jan 10, 2007) (see http://thomas.loc.gov/cgi-bin/bdquery/z?d110:SN00236:@@@L&summ2=m&).

[17].  Enrolment Form of UID (see http://uidai.gov.in/images/FrontPageUpdates/ROB/D9%20Enrolment%20Form.JPG).

[18]. Biometrics Design Standards for UID Applications, UIDAI Committee on Biometrics, December 2009.


Prepared by:

Kaushiki Sanyal and Rohit Kumar  June 02, 2011

Relevant Links

The National Identification Authority of India Bill, 2010.pdf  Bill Text  (233.11 KB)
Legislative Brief - UID Bill 2010_June 2.pdf  Legislative Brief  (160.07 KB)
National Identification Authority Bill Summary.pdf  PRS Bill Summary  (129.92 KB)
UIDAI STRATEGY OVERVIEW.pdf  UIDAI Strategy Overview  (3.72 MB)
aproach_paper.pdf  Approach Paper for a Legislation on Privacy  (96.86 KB)
Circulated_Aadhaar_PDS_Note.pdf  Role for Aadhaar in PDS  (738.52 KB)

Advertisements

UNIQUE IDENTIFICATION PROJECT

Posted in UID IDENTITY by NNLRJ INDIA on January 22, 2010

The UIDAI – evolving an approach to identity The Government of India undertook an effort to provide a clear identity to residents first in 1993, with the issue of photo identity cards by the Election Commission. Subsequently in 2003, the Indian Government approved the Multipurpose National Identity Card (MNIC). The Unique Identification Authority of India (UIDAI) was established in February 2009, attached to the Planning Commission. The purpose of the UIDAI is to issue a unique identification number (UID) to all Indian residents that is (a) robust enough to eliminate duplicate and fake identities, and (b) can be verified and authenticated in an easy, costeffective way. The UIDAI’s approach will keep in mind the learnings from the government’s previous efforts at issuing identity.

The UIDAI will be created as a statutory body under a separate legislation to fulfill its objectives. The law will also stipulate rules, regulations, processes and protocols to be followed by different agencies partnering with the Authority in issuing and verifying unique identity numbers.

Features of the UIDAI model

The UID number will only provide identity: The UIDAI’s purview will be limited to the issue of unique identification numbers linked to a person’s demographic and biometric information. The UID number will only guarantee identity, not rights, benefits or entitlements.

The UID will prove identity, not citizenship: All residents in the country can be issued a unique ID. The UID is proof of identity and does not confer citizenship.

A pro-poor approach: The UIDAI envisions full enrolment of residents, with a focus on enrolling India’s poor and underprivileged communities. The Registrars that the Authority plans to partner with in its first phase – the NREGA, RSBY, and PDS – will help bring large numbers of the poor and underprivileged into the UID system. The UID method of authentication will also improve service delivery for the poor.

Enrolment of residents with proper verification: Existing identity databases in India are fraught with problems of fraud and duplicate/ghost beneficiaries. To prevent this from seeping into the UIDAI database, the Authority plans to enrol residents into its database with proper verification of their demographic and biometric information. This will ensure that the data collected is clean from the start of the program. However, much of the poor and underserved population lack identity documents, and the UID may be the first form of identification they have access to. The Authority will ensure that the Know Your Resident (KYR) standards don’t become a barrier for enrolling the poor, and will devise suitable procedures to ensure their inclusion without compromising the integrity of the data.

A partnership model: The UIDAI approach leverages the existing infrastructure of government and private agencies across India. The UIDAI will be the regulatory authority managing a Central ID Data Repository (CIDR), which will issue UID numbers, update resident information, and authenticate the identity of residents as required. In addition, the Authority will partner with agencies such as central and state departments and private sector agencies who will be ‘Registrars’ for the UIDAI. Registrars will process UID applications, and connect to the CIDR to de-duplicate resident information and receive UID numbers. These Registrars can either be enrollers, or will appoint agencies as enrollers, who will interface with people seeking UID numbers. The Authority will also partner with service providers for authentication.

The UIDAI will emphasize a flexible model for Registrars: The Registrars will retain significant flexibility in their processes, including issuing cards, pricing, expanding KYR (Know Your Resident) verification, collecting demographic data on residents for their specific requirements, and in authentication. The UIDAI will provide standards to enable Registrars maintain uniformity in collecting certain demographic and biometric information, and in basic KYR. These standards will be finalized by the KYR and biometric committees the Authority constitutes.

Enrolment will not be mandated: The UIDAI approach will be a demand-driven one, where the benefits and services that are linked to the UID will ensure demand for the number. This will not however, preclude governments or Registrars from mandating enrolment. The UIDAI will issue a number, not a card: The Authority’s role is limited to issuing the number. This number may be printed on the document/card that is issued by the Registrar.

The number will not contain intelligence: Loading intelligence into identity numbers makes them susceptible to fraud and theft. The UID will be a random number.

The Authority will only collect basic information on the resident:

The UIDAI may seek the following demographic and biometric information in order to issue a UID number:
Name
Date of birth
Gender
Father’s name1
Father’s UID number (optional for adult residents)
Mother’s name
Mother’s UID number (optional for adult residents)
Address (Permanent and Present)
Expiry date
Photograph
Finger prints

Process to ensure no duplicates: Registrars will send the applicant’s data to the CIDR for deduplication. The CIDR will perform a search on key demographic fields and on the biometrics for each new enrolment, to ensure that no duplicates exist.

1 Individuals with both parents deceased can provide a Guardian’s name and UID number. The incentives in the UID system are aligned towards a self-cleaning mechanism. The existing patchwork of multiple databases in India gives individuals the incentive to provide different personal information to different agencies. Since de-duplication in the UID system ensures that residents have only one chance to be in the database, individuals will provide accurate data. This incentive will become especially powerful as benefits and entitlements are linked to the UID.

Online authentication: The Authority will offer a strong form of online authentication, where agencies can compare demographic and biometric information of the resident with the record stored in the central database. The Authority will support Registrars and agencies in adopting the UID authentication process, and will help define the infrastructure and processes they need.

The UIDAI will not share resident data: The Authority envisions a balance between ‘privacy and purpose’ when it comes to the information it collects on residents. The agencies may store the information of residents they enrol if they are authorized to do so, but they will not have access to the information in the UID database. The UIDAI will answer requests to authenticate identity only through a ‘Yes’ or ‘No’ response. The Authority will also enter into contracts with Registrars to ensure the confidentiality of information they collect and store.

Technology will undergird the UIDAI system: Technology systems will have a major role across the UIDAI infrastructure. The UID database will be stored on a central server. Enrolment of the resident will be computerized, and information exchange between Registrars and the CIDR will be over a network. Authentication of the resident will be online. The Authority will also put systems in place for the security and safety of information.

Benefits

For residents: The UID will become the single source of identity verification. Once residents enrol, they can use the number multiple times – they would be spared the hassle of repeatedly providing supporting identity documents each time they wish to access services such as obtaining a bank account, passport, driving license, and so on. By providing a clear proof of identity, the UID will also facilitate entry for poor and underprivileged residents into the formal banking system, and the opportunity to avail
services provided by the government and the private sector. The UID will also give migrants mobility of identity.

For Registrars and enrollers: The UIDAI will only enrol residents after de-duplicating records. This will help Registrars clean out duplicates from their databases, enabling significant efficiencies and cost savings. For Registrars focused on cost, the UIDAI’s verification processes will ensure lower KYR costs. For Registrars focused on social goals, a reliable identification number will enable them to broaden their reach into groups that till now, have been difficult to authenticate. The strong authentication that the UID number offers will improve services, leading to better resident satisfaction.

For Governments: Eliminating duplication under various schemes is expected to save the government exchequer upwards of Rs. 20,000 crores a year. It will also provide governments with accurate data on residents, enable direct benefit programs, and allow government departments to coordinate investments and share information.

READ THE DETAILS OF UID PROJECT

Creating a unique identity for every resident in India

FREQUENTLY ASKED QUESTIONS

What is the Unique Identification Authority of India (UIDAI) and where does it get its authority from?

The Unique Identification Authority of India (UIDAI) was constituted as an attached office under the Planning Commission, to develop and implement the necessary legal, technical and institutional infrastructure to issue unique identity to residents of India.  On June 25th 2009, the Cabinet approved the creation of the position of the Chairperson of the UIDAI, and appointed Mr. Nandan Nilekani as the first Chairperson with the rank of the Cabinet Minister.On August 3rd 2009, the Prime Minister constituted a Council under his chairmanship to advise the UIDAI and ensure coordination between the Ministries, Departments, stakeholders and partners. The Council will advise the UIDAI on the program, methodology and implementation to ensure this coordination. The Council will also identify specific milestones for the early completion of the project.

What is the problem the UIDAI seeks to address?

One of the key challenges that people in India face is the difficulty of establishing identity. People have multiple identity documents, with each serving a different purpose. There are often separate sets of requirements to be fulfilled in order to get these documents. The singular problem that the UIDAI will seek to solve is that of “identity”. Once a person has a UID number, their basic identity linked to their biometrics is established and can be used to uniquely identify the individual.

What will the UIDAI do?

  • Issue a unique identity number to a resident.
  • Authenticate the identity of a person who is in the UID database

CREATION OF THE UID DATABASE

What will the institutional framework created by the UIDAI be?

The UIDAI will establish an institutional microstructure to facilitate issuance of UID. This will include a Central Identity Data Repository, which will manage the central system and a network of Registrars, which will establish resident touch points through Enrolling Agencies.The Registrars would include both Government and Private Sector Agencies which already have the infrastructure in place to interface with the public to provide specified services for e.g. Insurance companies, LPG marketing companies,  RSBY, NREGA etc. The UIDAI also expects that the creation of the national population register process will provide data on residents which will add to the UIDAI database and this will also enable the Authority access “hard to reach” and marginalized groups. The UIDAI will also engage with Outreach Groups which will essentially be civil society groups working on social issues to target women, children, the homeless, urban poor, tribals, the differently-abled population of the country.

What will be the nature of relationship between UIDAI and the players in the eco system?

CIDR and UIDAI – The CIDR is essentially a service provider to the UIDAI and will provide services which include the processing of enrolment and authentication requests as prescribed, and following pre-defined service standards. The CIDR will also develop the operating procedure for interface between the CIDR and Registrars. The CIDR will also establish and maintain a grievance redressal system to address grievances about the failure of service of any of the service providers.

  • Registrar and UIDAI – This is a partnership where the Registrar and UIDAI will work together to enrol people into the UID database as per the regulations and specifications laid down by the Authority for relevant fields and operating procedures. The Registrar delivers services to the people and has a keen business and social interest in ensuring the authentic identity of the people availing their services.
  • Registrar and Enrolling Agencies – The Enrolling Agencies are the agents of the Registrar and the touch points on the ground to enrol people into the UID database. The Enrolling Agency will directly interact with and enrol residents into the CIDR and will be monitored by the Registrars.

Why is the UIDAI following the partnership model? Would it not be better to go door to door and register people, or use the already available database of the Election Commission, PAN, PDS etc?

The UIDAI recognizes that the only way to uniquely establish identity of a resident is through the biometric attributes of each individual. The Authority will use registrars who may have basic demographic information of the resident, and confirm the relevant fields and seek biometric information for each resident while enrolling the resident for the UID. Upon collecting and de-duplicating the biometric information, a unique ID database can be created.
There is no established database in the country that can serve the purpose of a Unique ID. The available databases act as a starting point to get a register of residents in place, but cannot do anything towards identity. Further, they exist in manual and varied electronic forms that do not allow for comparison or creation of an authentic database. The UIDAI is primarily using the partnership model to leverage the existing infrastructure of registrars, instead of creating something new and expensive – some registrars may use the door to door methodology and others may use other means.

Why should service providers such as banks and government agencies want to be Registrars? What are the benefits for Registrars?

The UIDAI will only enrol residents after de-duplicating records. This will help registrars clean out duplicates from their databases, enabling significant efficiencies and cost savings. For registrars and enrollers focused on cost, the UIDAI’s verification processes will ensure lower KYR costs. For registrars focused on social goals, a reliable identification number will enable them to broaden their reach into groups that till now, have been difficult to authenticate.

RESIDENT AND UNIQUE IDENTITY

Who can get a UID number?

Any person who is a temporary or ordinary resident of India can get a UID number.

Who is a resident? Will this include illegal migrants and also visitors (with visas) to India?

It will include all residents who are in India and who may want to avail services. The decision on the legal status of immigrants is the role of other Government Departments.

Will getting a UID be compulsory?

No, it will not be compulsory to get a UID, it is voluntary. However in time, certain service providers may require a person to have a UID to deliver services.

What are the benefits for the resident? Why should a person get on the UID database and get a UID number?

Once a person is on the UID database the person will be able to establish identity easily. The UID will become the single source of identity verification. Residents would be spared the hassle of repeatedly providing supporting identity documents each time they wish to access services such as obtaining a bank account, passport, driving license, and so on.By providing a clear proof of identity, the UID will also facilitate entry for poor and underprivileged residents into the formal banking system, and the opportunity to avail services provided by the government and the private sector.  The UID will also give migrants mobility of identity.

INCLUSION

How will the UIDAI ensure that the poor and marginalized are covered and that there is no identity divide created as a result of this process?

The UIDAI recognizes that inability to prove identity is one of the biggest barriers preventing the poor from accessing benefits and subsidies. The Authority is committed to inclusion and ensuring that woman, children, differently-abled persons, the poor and marginalized are able to secure a unique id. To this end the UIDAI will have an extensive registrar network which will include agencies of the government that implement schemes such as National Rural Employment Guarantee Scheme and Rashtriya Swastya Bhima Yojana. In addition, the UIDAI will be working with outreach groups to access hard to reach communities like tribals, the differently-abled and people in remote areas of the country.

PROCEDURE OF SECURING A UID NUMBER

What is the process that will be followed to issue a UID number?

  • A resident will have to go to an enrolling agency, fill up an application form and provide the supporting documentation including photo and finger print.
  • The enrolling agency will collect this information and send the data, either singly or in batches, to the registrar who will pass this on to the UID database.
  • The system will engage in a de-duplication exercise.
  • If the individual is not already in the database, a UID number will be issued and sent to the person at their residence. The UID number will also be sent to the Registrar for use in their service database.
  • If the individual is already in the database the registration will be rejected and the person will be informed of the same.
  • The registrar will scan the supporting documentation and send it to the UIDAI and keep the physical copies with themselves.

What is the verification process that will be followed by the enrolling agency before processing the documents for a UID number?

A Know Your Resident Committee is being formed to establish what would be acceptable forms of supporting documentation. The recommendations should be made within 6 months of being set up and these standards would be used for verification.

Will there be a card issued? How will the resident know what their number is?

No card will be issued by the UIDAI, but the resident will receive a letter from the UID authority giving the person the UID number and the information of the person that was collected. If there are any inaccuracies in the information, the person can correct them. There will be a tear away portion in the letter that can act as a card for referencing the number. The registrar may issue a card for their purpose in which they may include the UID number.

Why no card?

The UIDAI is focused on the identity of the person and not the identity document.  The best match is the individual’s biometric and a card cannot be a substitute. The UID can only establish unique identity if authentication is done against the central database. Further, cards can be forged, stolen, faked and identity process diluted. While the UID authority only guarantees online authentication, the service providers are free to issue cards to people if it serves their purpose.

INFORMATION FROM RESIDENT AND ACCESS TO DATABASE AND SECURITY

What is the information that the UIDAI will seek from the resident?

  • NameDate of birthGenderFather’s nameFather’s UID number (optional for adult residents)Mother’s nameMother’s UID number (optional for adult residentsAddress (Permanent and Present)Expiry datePhotograph
  • Finger print

How will the information in the database be used? What does authentication mean and how will it work on a daily basis?

The information in the database will be used only for authentication purposes. If anyone seeks to authenticate the identity of another person using the UID database, they will only receive a response in the affirmative or the negative. The UID database will not transmit information or share data with anyone.

Will the resident be allowed to access their own information and make corrections if necessary?

A procedure will be established through which a resident will be able to view their complete information on the UID database and a procedure for correcting information will be laid down.

Who will have access to the UID database? How will the security of the database be ensured?

The UID database will be guarded both physically and electronically by a few select individuals with high clearance. It will not be available even for many members of the UID staff and will be secured with the best encryption, and in a highly secure data vault. All access details will be properly logged.

AUTHENTICATION

How will the authentication process work?

The only 100% accurate authentication service that the UIDAI can provide is online authentication. In this, the biometric of the person will be matched online with the biometric in the system – a one is to one match will be run. There are other types of authentication which the registrar can choose for their use and which the UIDAI does not guarantee.  Such authentication will be offline – the finger print is stored on a card issued by the Registrar for delivery of their services and can be authenticated against a finger scan. In addition a basic photo authentication can also be done, similar to what is now done in the airports.

What happens if the authenticating agency denies that a person has been authenticated in order to wrongfully deny services?

The person can contact the UIDAI/CIDR and prove that she has been positively authenticated and a grievance lodged with the concerned Registrar or service provider.

PROTECTION FROM EXPANDING DATA FIELDS

How will the UIDAI protect against functional creep?

The full board of the UIDAI may add additional data fields related to identity, and the law will contain a prescription against collecting any other information besides the information permitted, with specific prohibitions against collection of information regarding religion, race, ethnicity, case and other similar matters and the facilitation of analysis of the data for anyone or to engage in profiling or any similar activity.

CHILDREN

How will children be captured in the database?

The biometric of young children are not stable. However, it is crucial to capture children in the database. Children’s fingerprint and photograph will be taken and updated in the UID database every 5 years until the age of 18 (the exact details will be specified by the biometric committee). This will be enforced by an expiry-date attached to the UID number, which will become invalid after the expiry date. Until the time the biometric of the child stabilizes, any one of the parents/guardian will need to provide their biometric information for authentication.

DIFFERENTLY-ABLED

How will the biometric of the Differently-abled and people with no finger prints or rugged hands e.g. beedi workers or people with no fingers be captured?

The policy will take into consideration these exceptions and the biometric standards prescribed will ensure that these groups are not excluded. In the case of people without hands/ fingers only photo will be used for identity determination and there will be markers to determine uniqueness.

LANGUAGE

In what language will the database be maintained? In what language will authentication services be provided? In what language will communication between UIDAI and the resident take place?

The database will be maintained in English. The communication between resident and UIDAI will be in English and the local language. Authentication services will be provided in English.

CORRECTION OF INFORMATION ON THE UID DATABASE

What happens when wrong information is entered into the UID database?

A procedure for correction of data will be laid down and wrong information can be corrected at specified enrolling agencies.

PRIVACY AND FRAUD

What are the privacy protections in place to protect the right to privacy of the resident?

The information being sought from the person is basic information which is currently available with several government and private agencies. The information that is unique to UIDAI is the biometric information. In order to protect the right to privacy of the individual the information on the database will not be shared with anyone; all queries will get a ‘Yes’ or ‘No’ response. The UIDAI will also put in place regulations and protocols which have to be followed by the Central Identification Data Repository, Registrar and Enrolling agencies to protect the right to privacy.

What are the kinds of fraud that can occur in the UID system?

Two different kinds of fraud can occur in the UID system, Document fraud and Identity fraud. This distinction is important in the context of UIDAI. The UID is focused on identity fraud where a person intentionally impersonates another, dead or alive, and doesn’t necessarily require the use of an identity document.  Document fraud, however – the use of counterfeited documents or those with misleading information – is the responsibility of the registrar issuing the relevant document like passport, PAN card etc.

What happens in case of identity fraud or the system not working properly? • “X” registers in the name of “Y” with Y’s demographic details. “Y” could be living or dead?

“X” will have to live with the identity of “Y” for the rest of his life because if he tries to get one more UID it will be rejected.  If “Y” comes to register, the system will be able to pick up that there are similarities between “X” and “Y” and an investigation will be launched and Ys identity will be enrolled after the amending X.  If “Y” is a dead person it would be more difficult to detect. In either case it will be an offence to take on the identity of another person and there may be legal action against this offence.

X” appears to get one more UID number and presents different information?

De – duplication process returns the application, person will be sent a response with reasons for rejection.

Person appears as himself hoping for a second UID number.

De – duplication process returns the application, person will be sent a response with reasons for rejection and be informed about the existing UID existing number and warning against misuse. If all the details given are the same, the person can be sent one more letter informing the person about their UID no.

Person appears to get second card in another person’s name.

De – duplication process returns the application, person will be sent a response with reasons for rejection and warning against misuse.

De-duplication works incorrectly and throws up a false positive on the biometric

There will be a process defined for resolving such false rejection and the person concerned could also access the grievance redressal mechanism.

GRIEVANCE REDRESSAL MECHANISM

Will there be a grievance redressal mechanism?

For Further Details Visit :http://uidai.gov.in/

Tagged with:

The personal is the personal

Posted in UID IDENTITY by NNLRJ INDIA on January 6, 2010

USHA RAMANATHAN IN THE INDIAN EXPRESS

The air is thick with schemes that will enable the state, and its agencies, to identify every resident, and to track what they are doing. A home ministry project for creating a National Population Register which will be prepared along with the 2011 Census has been propelled through its pilot stage. Now, an ambitious programme has been launched to load all the residents of the country on to a data base, providing each of us with a unique identity number. What distinguishes this exercise from any other undertaken so far?

First of all, the intention is provide a Unique Identity Number to the whole population, including the just born. The state is to have data on each individual literally from birth to death; and beyond, for a person’s UID is not destroyed at death, merely disabled. The numbers are to be so generated that it will not have to be repeated for between a hundred and two hundred years.

The UIDAI, in its working paper, says that enrolment will not be mandatory, but acknowledges that in practice it is expected not to be voluntary. The ‘Registrars’, who will enroll people on to the data base, will be both private operators and government agencies, and they will be encouraged to insist that they will entertain only those who are willing to enroll. Over a short time, only those with UID numbers may find themselves able to access services. That is the effort.

The UID has nothing to do with citizenship. The information on the UID database is expected to be basic, and to cover all residents: name, date of birth, place of birth, gender, the name and UID numbers of both parents, address, date of death and photograph and fingerprints. This is because the UID is only to identify the individual to the agency that is looking for authentication.

Just on its own, it could even seem benign.

There are two phenomena that take the innocence out of the exercise. The first is ‘convergence’. ‘Convergence’ is about combining information. There are presently various pieces of information available separately, and held in discrete ‘silos’. We give information to a range of agencies; as much as is necessary for them to do their job. The passport agencies do not need to know how many bank accounts you have, or whether you drive a car. The telephone company need not know how you have insured your house. The police do not need to know how often you travel, not unless you are a suspect anyway. It is this that makes some privacy possible in a world where there are so many reasons why, and locations where, we give information about ourselves. The ease with which technology has whittled down the notion of the private has to be contained, not expanded. The UID, in contrast, will act as a bridge between these silos of information, and it will take the control away from the individual about what information we want to share, and with whom.

This is poised to completely change norms of privacy, confidentiality and security of personal information. There are already indications about how convergence will work. Consider the reports that the Apollo Hospitals group has offered to manage health records through the UIDAI. It has already invested in a company called Health Highway that reportedly connects doctors, hospitals and pharmacies who would be able to communicate with each other and access health records. In August 2009, Business Standard reported that Apollo Hospitals had written to the UIDAI and to the Knowledge Commission to link the UID number with health profiles of those provided the ID number, and offered to manage the health records. The terms ‘security’ and ‘privacy’ seem to be under threat, where technological possibility is dislocating many traditional concerns.

The second phenomenon is ‘tracking’. Once the UID is in place, and convergence becomes commonplace, the movement of people, their monies, their activities can be brought together, especially since transactions from buying rice in a PDS shop to receiving wages to bank withdrawals to travel could begin to require the number. There is a difference between people tracking a state, and the state, and the ‘market’ tracking people. The UID is clearly not what it is presented as being: it is not benign, nor a mere number which will give an identity to those who the state had missed so far.

Interestingly, the working paper of the UIDAI starts with a claim that the UID will bring down barriers that prevents the poor from accessing services and subsidies by providing an identity, but soon goes on to clarify that the “UID number will only guarantee identity, not rights, benefits or entitlements”. Given that it is the powerlessness of the poor, inefficiency, the perception of the poor as not deserving of support, sympathy or rights, and the status of illegality foisted on them that stops them from getting what is due to them, and given that corruption and leakages in the system mutate and persist, this quick stepping back is wise indeed.

In the excitement about technology being deployed to do something that has not been done anywhere in the world, the importance of privacy and protection from misuse of personal information is getting eclipsed.

It is significant that the UIDAI working paper makes no mention of national security concerns, and the surveillance, and profiling, possibilities it will create. Yet, the UID is not a project in isolation. The NATGRID, which the UID will facilitate, places the whole population under surveillance; and the home minister is talking about a DNA bank.

Fallibility, the difficulties inherent in reaching those in extreme poverty, the choiceless existence on a database and the possibility of undesirable others getting hold of information only add to the scariness of the scenario that we seem to have accepted without discussion, challenge or debate. And, once accomplished, we would have reached a point of no return.

The writer is an independent law researcher.

http://www.indianexpress.com/news/the-personal-is-the-personal/563920/0

Tagged with:
%d bloggers like this: