JAIPUR: At a time when concerns are being raised over the security of Aadhaar data, TOI has learnt that the project's managing authority - the Unique Identification Development Authority of India (UIDAI) - had shared large samples of data with private companies for proof of concept (PoC) studies.

Documents with TOI reveal that the UIDAI had shared millions of identity records with at least two private companies between 2012 and 2013. One such revelation is in a letter (F No 4 (4)/57/199/2013-RoB) dated September 12, 2013, written by then UIDAI deputy director Sanjay Kumar to the head of Managed Service, HCL UIDAI. HCL had been hired by UIDAI as 'Managed Service Provider'.

"The competent authority has approved to share 1 million records for PoC of data quality tool to be done by your partners, ie, IxSight Technologies Pvt Ltd, Mumbai...in UIDAI premises in terms of clause 1 to 18 of non-disclosure agreement (NDA) dated 6 July, 2013...," the letter states.

Another correspondence, dated January 17, 2012, mentions an undisclosed amount of data given to Mumbai-based private company SAS Institute (India) directly by the UIDAI for PoC studies. In the letter (no 4 (4)/57/2-11-RoB/862), the then UIDAI ADG writes, "The required software and hardware requirement as per PoC proposal has been made available."

Both letters approving the sharing of records were issued during UPA-II, when UIDAI was headed by Nandan Nilekani.

Though the data was shared under terms and conditions of a non-disclosure agreement (NDA), experts said in case of a leak by these private companies, there was little the UIDAI could do except sue the company for breach of contract. They said at stake here is the privacy of an individual - held by the Supreme Court as a fundamental right - without a chance for corrective action. The Aadhaar Act also restricts sharing and use of data without the prior consent of the individual.

The UIDAI maintained that all necessary precautions were taken. "The said data 'shared' in 2013 for PoC studies was sanitised sample data created for the specific purpose and internal uses. The PoC study was done on a dedicated server of UIDAI at the UIDAI's data centre. It was configured standalone and was not on the network. All necessary precautions like external port disabling etc were strictly observed and monitored and the system was sanitised pre and post PoC activity. All such sample sanitised data was deleted after the study. There has been no sharing, transfer or handover of any original actual data whatsoever," the authority said.

UIDAI officials added that the sanitised data cannot be used for any other purposes and has never been reported misused. "UIDAI, for its proper functioning, infrastructure development and knowledge innovation, keeps working on PoC studies but that never means sharing of data to anyone in an unsecured and non-sanitised manner," an official said.

However, legal researcher and scholar Usha Ramanathan felt that the UIDAI's explanation wasn't enough to allay fears. "When they say there have been no known breaches, that is saying nothing. How will we ever know unless there is some transparency?" she said.

"The UIDAI has worked on an outsourcing model from its inception and brought in private companies with whom they signed contracts for every aspect of the project. Naturally, then, various ways of sharing the data emerged," Ramanathan said.

Ramanathan said the UIDAI's dealings haven't been transparent. "What the Aadhaar regulations do is to say that contracts between companies and the UIDAI will be subject to rules of confidentiality. And only the UIDAI is allowed to do anything about it if there is a breach, or misuse of the data, leaving us all vulnerable to the ambitions of those handling the data."

