NEW DELHI: An expert panel headed by Justice BN Srikrishna on Friday proposed amendments to the Aadhaar Act to bolster data protection by restricting access to a select band of entities and said the Unique Identification Authority of India ( UIDAI ) should be empowered to take action against errant companies.

Recognising that the Supreme Court is looking into several aspects related to privacy, the panel suggested that safeguards need to be built into the law to provide statutory backing to measures such as virtual ID and offline verification introduced by UIDAI.

The committee recommended that the law should be amended to ensure that the facility to authenticate data be restricted to entities performing a public function and requiring the information for their functioning. The entities which get the facility should either be mandated by law or should be an authority performing a public function that has been approved by UIDAI.

The agency responsible for Aadhaar has to classify entities seeking authentication power into those that can directly access the UID number and those that only get the virtual ID, a temporary 16-digit random number, the panel said. "This distinction is significant to ensure that only those entities which require Aadhaar number for their functioning collect them and other entities only collect the virtual ID. This is how collection limitation can be upheld in the Aadhaar framework," the report said.

Pointing to the need for some entities that do not perform a public function but yet need Aadhaar, the panel said this segment represented a "privacy concern" since it asked for the number as "a matter of course".

For this, the committee recommended only offline verification of Aadhaar number with the consent of the individual. "This mechanism would ensure that sensitive information such as Aadhaar number is not disclosed to requesting entities for routine activities and transactions," it said.

The second set of amendments has been proposed to ensure autonomy of the UIDAI, which has issued over 121 crore Aadhaar numbers. The committee said the agency needed to be autonomous in its decision-making, functioning independently of the user agencies in the government and outside it, and must be equipped with powers akin to a regulator for enforcement actions.

It has recommended that powers should be given to impose civil penalties on entities (including requesting entities, registrars, and authentication agencies) that are errant or non-compliant.

