The issue of Aadhaar data, and privacy is far from over, it seems.

In a shocking revelation, it has been found that knowingly or unknowingly, private foreign firms have been granted full access to classified Aadhaar data of billions of Indians.

And the scary part is that, Govt. has been denying the allegations from the start; even as the contract details for Aadhaar clearly proves otherwise.

The question is: Is Govt. of India hiding something from us?

RTI Reply On Aadhaar Data Is Shocking!

Col. Matthew Thomas from Bengaluru is one of the parties in the ongoing Right to Privacy case, being heard in Supreme Court. Earlier, the apex court had declared that Right to Privacy is a fundamental right of every Indian.

For this case, Col. Matthew had filed a RTI request, asking the details about contract given by UIDAI to private firms for collecting Aadhaar data.

As per the reply received under RTI, the Aadhaar contract has given full access to classified data of Indians, to the private firms based out of India.

In fact, the contract requests these companies to store the data for 7 full years as well.

Which Companies Have Been Asked To Store Aadhaar Data?

Govt. has chosen several Biometric Service Providers or BSPs, who are providing hardware and software for collecting Aadhaar related data like biometric scans, iris details, fingerprints etc.

L-1 Identity Solutions Operating Co Pvt Ltd is one such BSP, based out of USA. This company has now been taken over by Safran Group from France. Morpho and Accenture Services Pvt Ltd are other BSPs, who were provider the contract, albeit for 2 years.

What Does The Contract Say?

Now, while providing the contract to BSPs, Govt. formed a various clauses, and it seems that no attention was provided to the aspect of privacy and protection of data by foreign firms.

For instance, Clause 15.1 of the contract, under the heading ‘Data and Hardware’, states that the firm “may have access to personal data of the purchaser (UID), and/or a third party or any resident of India…”

Clause 3, under Privacy, states that the BSPs can “collect, use, transfer, store and process the data”.

Note here, that personal data, in relation to Aadhaar includes everything: biometric data, which includes fingerprint scans and IRIS data, demographic data which includes name, date of birth, address, mobile number; and connected data such as bank details, licence number, PAN number, passport number and any other data provided by the law-abiding citizen as part of KYC.

Not Only Access, But Store The Data As Well!

Accessing sensitive Aadhaar data was, it seems, not enough. Govt. also allowed these private firms to store the data, for 7 years.

As per the contract, in the event of expiry of contract, the concerned BSP “shall transfer all the proprietary templates to UIDAI”

This statement clearly proves that Govt. has asked these private, foreign firms to store the data as well.

Col Matthew rightly asks, “If the firms did not have the biometric data, what were they expected to transfer? Why can’t the UIDAI just come out in the open with all the contract details?”

On their part, the private firms have said that they are doing what the contract actually says.

L-1 has said that they have accessed to sensitive Aadhaar data “as part of its job”.

It seems that while drafting the regulations and the contract for BSPs, Govt. officials clearly failed to comprehend the dangers of sharing such sensitive data with foreign firms, and ignored the risks involved.

Who is responsible for this data breach?

Lots of questions, but very few answers.