Compendium of AADHAAR Regulations in India

This document provides a compendium of regulations, circulars, and guidelines related to Aadhaar authentication in India. It outlines the key Aadhaar regulations including the Aadhaar (Authentication) Regulations of 2016, Aadhaar (Data Security) Regulations of 2016, and Aadhaar (Sharing of Information) Regulations of 2016. It also summarizes various circulars issued by the Unique Identification Authority of India (UIDAI) on topics such as biometric device certification, appointment of sub-AUAs, implementation of virtual IDs, and pricing of authentication transactions. The document acts as a single reference source for all authentication-related regulations and policies for entities involved in Aadhaar authentication such

Uploaded by Sourav Acharjee

COMPENDIUM

OF
REGULATIONS,
CIRCULARS & GUIDELINES
FOR
(AUTHENTICATION USER AGENCY (AUA)/E-KYC USER AGENCY (KUA), AUTHENTICATION
SERVICE AGENCY (ASA) AND BIOMETRIC DEVICE PROVIDER)

UNIQUE IDENTIFICATION AUTHORITY OF INDIA


Government of India (GoI)
Bangla Sahib Road, Behind Kali Mandir,
Gole Market,
New Delhi - 110001

Updated as on 30th June 2019


Table of Contents

Sl. No.  Contents  Date of Issue  Page No.
1  SECTION -1 : Aadhaar Regulations  1
1.1  Aadhaar (Authentication) Regulations, 2016  14-Sep-16  2
1.2  Aadhaar (Data Security) Regulations, 2016  14-Sep-16  23
1.3  Aadhaar (Sharing of Information) Regulations, 2016  14-Sep-16  27
2  SECTION -2 : Circulars, Guidelines etc
2.1  Up-gradation of existing biometric public devices to Registered Devices  25-Jan-17  32
2.2  Instruction for providing Authentication or eKYC Services by AUA KUA to Sub-AUA  28-Feb-17  35
2.3  Procurement of Registered Devices for Aadhaar Authentication  28-Feb-17  38
2.4  Device Certification - Application Form and Undertaking  16-May-17  40
2.5  Registered Device Certification of Biometric Devices whose STQC certificate is already expired  22-May-17  45
2.6  Circular for Registered Devices (Implementation Timelines)  24-May-17  47
2.7  Circular for AUA/KUA and ASA Agreements V 4.0.  31-May-17  51
2.8  Delta Certification process of Biometric Devices for Registered Devices.  9-Jun-17  53
2.9  Implementation of HSM by AUA/KUA/ASA  22-Jun-17  55
2.10  Appointment of Sub-AUA – Application & Undertaking  6-Jul-17  57
2.11  Circular for Aadhaar Data Vault  25-Jul-17  62
2.12  Whitelisting of Aadhaar based applications developed by AUAs, KUAs and Sub-AUAs.  27-Sep-17  64
2.13  Extension for the Migration of Registered Device till 31st Oct’2017  6-Oct-17  66
2.14  DO’s & DONT’s FOR AADHAAR USER AGENCIES/DEPARTMENTS  20-Oct-17  67
2.15  Sharing of eKYC data with their Sub-AUAs  27-Nov-17  70
2.16  Discontinuation of the provision of partial match in Demographic Authentication  27-Nov-17  71
2.17  Timeline Extension for Registered Device implementation  30-Nov-17  72
2.18  Circular for Discontinuation of Partial Match  1-Dec-17  73
2.19  Frequently Asked Questions (FAQs) for Aadhaar vault and Reference Keys  13-Dec-17  74
2.20  Circular for Implementation of Virtual ID, UID Token and Limited KYC (Circular No. 1)  10-Jan-18  85
2.21  Implementation of Face Authentication (Circular No. 2)  15-Jan-18  90
2.22  Circular regarding clarification on GST for the License Fee, Financial Disincentive and Late Payment (Circular No. 3)  15-Jan-18  93
2.23  Enhancing Privacy of Aadhaar holders – Implementation of Virtual ID, UID Token and Limited e-KYC (Circular No. 4)  01-May-18  95
2.24  Implementation of Virtual ID, UID Token and Limited KYC (Circular No. 6)  04-June-18  97
2.25  Implementation of Face Authentication (Circular No. 7)  19-June-18  99
2.26  Use of Virtual ID and UID Token in Lieu of Aadhaar number and Limited e-KYC by AUAs Classified as Local AUAs (Circular No. 8)  29-June-18  101
2.27  Implementation of Virtual ID and UID Token and Limited e-KYC (Circular No. 10)  29-June-18  103
2.28  Implementation of Face Authentication (Circular No. 11)  17-Aug-18  105
2.29  Implementation of Virtual ID and UID Token and Limited e-KYC (Circular No. 12)  30-Aug-18  108
2.30  Implementation of Virtual ID and UID Token and Limited e-KYC (Circular No. 01 of 2019)  07-Feb-19  109
2.31  Circular for License Renewal (Circular No. 02 of 2019)  02-Apr-19  110
2.32  Implementation of Virtual ID and UID Token and Limited e-KYC (Circular No. 3 of 2019)  05-Apr-19  112
2.33  Pricing of Aadhaar Authentication Transactions (Circular No. 4 of 2019)  23-Apr-19  113
2.34  Circular for Reminder of License Fee Renewal  07-May-19  116
2.35  Implementation of Virtual ID and UID Token and Limited e-KYC (Circular No. 3 of 2019)  06-Jun-19  117
SECTION 1
AADHAAR REGULATIONS

1 of 117
THE GAZETTE OF INDIA: EXTRAORDINARY [PART III—SEC. 4]

NOTIFICATION
New Delhi, the 12th September, 2016
AADHAAR (AUTHENTICATION) REGULATIONS, 2016
(No. 3 of 2016)
No. 13012/64/2016/Legal/UIDAI (No. 3 of 2016).—In exercise of the powers conferred
by sub-section (1), and sub-clauses (f) and (w) of sub-section (2) of Section 54 of the Aadhaar
(Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016, the
Unique Identification Authority of India hereby makes the following regulations, namely:—

CHAPTER I

PRELIMINARY
1. Short title and commencement.

(1) These regulations may be called the Aadhaar (Authentication) Regulations, 2016.
(2) These regulations shall come into force on the date of their publication in the Official
Gazette.

2. Definitions.—
(1) In these regulations, unless the context otherwise requires,—
(a) “Act” means the Aadhaar (Targeted Delivery of Financial and Other Subsidies,
Benefits and Services) Act 2016;
(b) “Aadhaar number holder” means an individual who has been issued an Aadhaar
number under the Act;
(c) “Authentication” means the process by which the Aadhaar number along with
demographic information or biometric information of an individual is submitted to
the Central Identities Data Repository for its verification and such Repository
verifies the correctness, or the lack thereof, on the basis of information available
with it;

(d) “Authentication facility” means the facility provided by the Authority for
verifying the identity information of an Aadhaar number holder through the process
of authentication, by providing a Yes/ No response or e-KYC data, as applicable;

(e) “Authentication record” means the record of the time of authentication and identity
of the requesting entity and the response provided by the Authority thereto;

(f) “Authentication Service Agency” or “ASA” shall mean an entity providing
necessary infrastructure for ensuring secure network connectivity and related
services for enabling a requesting entity to perform authentication using the
authentication facility provided by the Authority;


(g) “Authentication User Agency” or “AUA” means a requesting entity that uses the
Yes/ No authentication facility provided by the Authority;

(h) “Authority” means the Unique Identification Authority of India established under
sub-section (1) of section 11 of the Act;

(i) “Central Identities Data Repository” or “CIDR” means a centralised database in
one or more locations containing all Aadhaar numbers issued to Aadhaar number
holders along with the corresponding demographic information and biometric
information of such individuals and other information related thereto;

(j) “e-KYC authentication facility” means a type of authentication facility in which
the biometric information and/or OTP and Aadhaar number securely submitted with
the consent of the Aadhaar number holder through a requesting entity, is matched
against the data available in the CIDR, and the Authority returns a digitally signed
response containing e-KYC data along with other technical details related to the
authentication transaction;

(k) “e-KYC data” means demographic information and photograph of an Aadhaar
number holder;

(l) “e-KYC User Agency” or “KUA” shall mean a requesting entity which, in
addition to being an AUA, uses e-KYC authentication facility provided by the
Authority;

(m) “License Key” is the key generated by a requesting entity as per the process laid
down by the Authority;

(n) “PID Block” means the Personal Identity Data element which includes necessary
demographic and/or biometric and/or OTP collected from the Aadhaar number
holder during authentication.

(o) “Requesting entity” means an agency or person that submits the Aadhaar number,
and demographic information or biometric information, of an individual to the
Central Identities Data Repository for authentication; and

(p) “Yes/No authentication facility” means a type of authentication facility in which
the identity information and Aadhaar number securely submitted with the consent
of the Aadhaar number holder through a requesting entity, is then matched against
the data available in the CIDR, and the Authority responds with a digitally signed
response containing “Yes” or “No”, along with other technical details related to the
authentication transaction, but no identity information.

(2) Words and expressions used and not defined in these regulations shall have the meaning
assigned thereto under the Act or under the rules or regulations made thereunder or under
the Information Technology Act, 2000.


CHAPTER II
AADHAAR AUTHENTICATION FRAMEWORK

3. Types of Authentication.—
There shall be two types of authentication facilities provided by the Authority,
namely—
(i) Yes/No authentication facility, which may be carried out using any of the
modes specified in regulation 4(2); and
(ii) e-KYC authentication facility, which may be carried out only using OTP and/ or
biometric authentication modes as specified in regulation 4(2).
4. Modes of Authentication. —
(1) An authentication request shall be entertained by the Authority only upon a request sent
by a requesting entity electronically in accordance with these regulations and
conforming to the specifications laid down by the Authority.
(2) Authentication may be carried out through the following modes:

(a) Demographic authentication: The Aadhaar number and demographic information of
the Aadhaar number holder obtained from the Aadhaar number holder is matched
with the demographic information of the Aadhaar number holder in the CIDR.

(b) One-time pin based authentication: A One Time Pin (OTP), with limited time
validity, is sent to the mobile number and/ or e-mail address of the Aadhaar number
holder registered with the Authority, or generated by other appropriate means. The
Aadhaar number holder shall provide this OTP along with his Aadhaar number during
authentication and the same shall be matched with the OTP generated by the
Authority.

(c) Biometric-based authentication: The Aadhaar number and biometric information
submitted by an Aadhaar number holder are matched with the biometric information
of the said Aadhaar number holder stored in the CIDR. This may be fingerprints-based
or iris-based authentication or other biometric modalities based on biometric
information stored in the CIDR.

(d) Multi-factor authentication: A combination of two or more of the above modes
may be used for authentication.

(3) A requesting entity may choose suitable mode(s) of authentication from the modes
specified in sub-regulation (2) for a particular service or business function as per its
requirement, including multiple factor authentication for enhancing security. For the
avoidance of doubt, it is clarified that e-KYC authentication shall only be carried out
using OTP and/ or biometric authentication.


5. Information to the Aadhaar number holder.—


(1) At the time of authentication, a requesting entity shall inform the Aadhaar number
holder of the following details:—
(a) the nature of information that will be shared by the Authority upon authentication;
(b) the uses to which the information received during authentication may be put; and
(c) alternatives to submission of identity information.
(2) A requesting entity shall ensure that the information referred to in sub-regulation (1)
above is provided to the Aadhaar number holder in local language as well.
6. Consent of the Aadhaar number holder.—
(1) After communicating the information in accordance with regulation 5, a requesting
entity shall obtain the consent of the Aadhaar number holder for the authentication.

(2) A requesting entity shall obtain the consent referred to in sub-regulation (1) above in
physical or preferably in electronic form and maintain logs or records of the consent
obtained in the manner and form as may be specified by the Authority for this purpose.

7. Capturing of biometric information by requesting entity.—


(1) A requesting entity shall capture the biometric information of the Aadhaar number
holder using certified biometric devices as per the processes and specifications laid
down by the Authority.
(2) A requesting entity shall necessarily encrypt and secure the biometric data at the time of
capture as per the specifications laid down by the Authority.
(3) For optimum results in capturing of biometric information, a requesting entity shall
adopt the processes as may be specified by the Authority from time to time for this
purpose.
8. Devices, client applications, etc. used in authentication.—

(1) All devices and equipment used for authentication shall be certified as required and as
per the specifications issued, by the Authority from time to time for this purpose.

(2) The client applications i.e. software used by requesting entity for the purpose of
authentication, shall conform to the standard APIs and specifications laid down by the
Authority from time to time for this purpose.
9. Process of sending authentication requests.—
(1) After collecting the Aadhaar number or any other identifier provided by the requesting
entity which is mapped to Aadhaar number and necessary demographic and / or
biometric information and/ or OTP from the Aadhaar number holder, the client
application shall immediately package and encrypt these input parameters into PID
block before any transmission, as per the specifications laid down by the Authority, and


shall send it to server of the requesting entity using secure protocols as may be laid
down by the Authority for this purpose.

(2) After validation, the server of a requesting entity shall pass the authentication request to
the CIDR, through the server of the Authentication Service Agency as per the
specifications laid down by the Authority. The authentication request shall be digitally
signed by the requesting entity and/or by the Authentication Service Agency, as per the
mutual agreement between them.

(3) Based on the mode of authentication request, the CIDR shall validate the input
parameters against the data stored therein and return a digitally signed Yes or No
authentication response, or a digitally signed e-KYC authentication response with
encrypted e-KYC data, as the case may be, along with other technical details related to
the authentication transaction.

(4) In all modes of authentication, the Aadhaar number is mandatory and is submitted along
with the input parameters specified in sub-regulation (1) above such that authentication
is always reduced to a 1:1 match.
(5) A requesting entity shall ensure that encryption of PID Block takes place at the time of
capture on the authentication device as per the processes and specifications laid down
by the Authority.

10. Notification of authentication to Aadhaar number holder.—


The Aadhaar number holder may be notified of any biometric and/or OTP based
authentication, through the registered email and/or mobile number of the Aadhaar
number holder as determined by the Authority, at the time of authentication.
11. Biometric locking.—
(1) The Authority may enable an Aadhaar number holder to permanently lock his biometrics
and temporarily unlock it when needed for biometric authentication.
(2) All biometric authentication against any such locked biometric records shall fail with a
“No” answer with an appropriate response code.
(3) An Aadhaar number holder shall be allowed to temporarily unlock his biometrics for
authentication, and such temporary unlocking shall not continue beyond the time period
specified by the Authority or till completion of the authentication transaction, whichever
is earlier.

(4) The Authority may make provisions for Aadhaar number holders to remove such
permanent locks at any point in a secure manner.


CHAPTER III
APPOINTMENT OF REQUESTING ENTITIES AND AUTHENTICATION SERVICE
AGENCIES

12. Appointment of Requesting Entities and Authentication Service Agencies.—

(1) Agencies seeking to become requesting entities to use the authentication facility provided
by the Authority shall apply for appointment as requesting entities in accordance with
the procedure as may be specified by the Authority for this purpose. Only those entities
that fulfill the criteria laid down in Schedule A are eligible to apply. The Authority may
by order, amend Schedule A from time to time so as to modify the eligibility criteria.

(2) Entities seeking appointment as Authentication Service Agencies shall apply for
appointment to the Authority in accordance with the procedure as may be specified by
the Authority for this purpose. Only those entities that fulfill the criteria laid down in
Schedule B are eligible to apply. The Authority may by order, amend Schedule B from
time to time so as to modify the eligibility criteria.

(3) The Authority may require the applicant to furnish further information or clarifications,
regarding matters relevant to the activity of such a requesting entity or Authentication
Service Agencies, as the case may be, which may otherwise be considered necessary by
the Authority, to consider and dispose of the application.

(4) The applicant shall furnish such information and clarification to the satisfaction of the
Authority, within the time as may be specified in this regard by the Authority.

(5) While considering the application, the information furnished by the applicant and its
eligibility, the Authority may verify the information through physical verification of
documents, infrastructure, and technological support which the applicant is required to
have.

(6) After verification of the application, documents, information furnished by the applicant
and its eligibility, the Authority may:

a. approve the application for requesting entity or Authentication Service Agency, as
the case may be; and

b. enter into appropriate agreements with the entity or agency incorporating the
terms and conditions for use by requesting entities of the Authority’s
authentication facility, or provision of services by ASAs, including damages and
disincentives for non-performance of obligations.

(7) The Authority may from time to time, determine the fees and charges payable by entities
during their appointment, including application fees, annual subscription fees and fees
for individual authentication transactions.


13. Procedure where application for appointment is not approved. —

(1) In the event an application for appointment of requesting entity or Authentication
Service Agency, as the case may be, does not satisfy the requirements specified by the
Authority, the Authority may reject the application.

(2) The decision of the Authority to reject the application shall be communicated to the
applicant in writing within thirty days of such decision, stating therein the grounds on
which the application has been rejected.

(3) Any applicant, aggrieved by the decision of the Authority, may apply to the Authority,
within a period of thirty days from the date of receipt of such intimation for
reconsideration of its decision.

(4) The Authority shall reconsider an application made by the applicant and communicate
its decision thereon, as soon as possible in writing.
14. Roles and responsibilities of requesting entities. —
(1) A requesting entity shall have the following functions and obligations:—

(a) establish and maintain necessary authentication related operations, including own
systems, processes, infrastructure, technology, security, etc., which may be
necessary for performing authentication;

(b) establish network connectivity with the CIDR, through an ASA duly approved by
the Authority, for sending authentication requests;

(c) ensure that the network connectivity between authentication devices and the
CIDR, used for sending authentication requests is in compliance with the
standards and specifications laid down by the Authority for this purpose;

(d) employ only those devices, equipment, or software, which are duly registered with
or approved or certified by the Authority or agency specified by the Authority for
this purpose as necessary, and are in accordance with the standards and
specifications laid down by the Authority for this purpose;

(e) monitor the operations of its devices and equipment, on a periodic basis, for
compliance with the terms and conditions, standards, directions, and
specifications, issued and communicated by the Authority, in this regard, from
time to time,

(f) ensure that persons employed by it for performing authentication functions, and
for maintaining necessary systems, infrastructure and processes, possess requisite
qualifications for undertaking such works.
(g) keep the Authority informed of the ASAs with whom it has entered into
agreements;


(h) ensure that its operations and systems are audited by information systems auditor
certified by a recognised body on an annual basis to ensure compliance with the
Authority’s standards and specifications and the audit report should be shared
with the Authority upon request;

(i) implement exception-handling mechanisms and back-up identity authentication
mechanisms to ensure seamless provision of authentication services to Aadhaar
number holders;

(j) in case of any investigation involving authentication related fraud(s) or dispute(s),
it shall extend full cooperation to the Authority, or any agency appointed or
authorised by it or any other authorised investigation agency, including, but not
limited to, providing access to their premises, records, personnel and any other
relevant resources or information;

(k) in the event the requesting entity seeks to integrate its Aadhaar authentication
system with its local authentication system, such integration shall be carried out in
compliance with standards and specifications issued by the Authority from time to
time;

(l) shall inform the Authority of any misuse of any information or systems related to
the Aadhaar framework or any compromise of Aadhaar related information or
systems within their network. If the requesting entity is a victim of fraud or
identifies a fraud pattern through its fraud analytics system related to Aadhaar
authentication, it shall share all necessary details of the fraud with the Authority;

(m) shall be responsible for the authentication operations and results, even if it sub-
contracts parts of its operations to third parties. The requesting entity is also
responsible for ensuring that the authentication related operations of such third
party entities comply with Authority standards and specifications and that they are
regularly audited by approved independent audit agencies;

may agree upon the authentication charges for providing authentication services to
its customer, with such customer, and the Authority shall have no say in this
respect, for the time being; however, the Authority’s right to prescribe a different
mechanism in this respect in the future shall be deemed to have been reserved;

(n) shall, at all times, comply with any contractual terms and all rules, regulations,
policies, manuals, procedures, specifications, standards, and directions issued by
the Authority, for the purposes of using the authentication facilities provided by
the Authority.


15. Use of Yes/ No authentication facility.—


(1) A requesting entity may use Yes/ No authentication facility provided by the Authority for
verifying the identity of an Aadhaar number holder for its own use or on behalf of other
agencies.
(2) A requesting entity may permit any other agency or entity to perform Yes/ No
authentication by generating and sharing a separate license key for every such entity
through the portal provided by the Authority to the said requesting entity. For the
avoidance of doubt, it is clarified that such sharing of license key is only permissible for
performing Yes/ No authentication, and is prohibited in case of e-KYC authentication.
(3) Such agency or entity:
a. shall not further share the license key with any other person or entity for any
purpose; and
b. shall comply with all obligations relating to personal information of the Aadhaar
number holder, data security and other relevant responsibilities that are applicable
to requesting entities.

(4) It shall be the responsibility of the requesting entity to ensure that any entity or agency
with which it has shared a license key, complies with the provisions of the Act,
regulations, processes, standards, guidelines, specifications and protocols of the
Authority that are applicable to the requesting entity.

(5) The requesting entity shall be jointly and severally liable, along with the entity or agency
with which it has shared a license key, for non-compliance with the regulations,
processes, standards, guidelines and protocols of the Authority.
16. Use of e-KYC authentication facility.—
(1) A KUA may use the e-KYC authentication facility provided by the Authority for
obtaining the e-KYC data of the Aadhaar number holder for its own purposes.
(2) A KUA may perform e-KYC authentication on behalf of other agencies, and share the e-
KYC data with such agency for a specified purpose, upon obtaining consent from the
Aadhaar number holder for such purpose.
(3) A KUA may store, with consent of the Aadhaar number holder, e-KYC data of an
Aadhaar number holder, received upon e-KYC authentication, in encrypted form and
subsequently share the e-KYC data with any other agency, for a specified purpose, upon
obtaining separate consent for every such sharing from the Aadhaar number holder for
that purpose.

(4) The agency with whom the KUA has shared the e-KYC data of the Aadhaar number
holder shall not share it further with any other entity or agency except for completing the
transaction for which the Aadhaar number holder has specifically consented to such
sharing.


(5) The Aadhaar number holder may, at any time, revoke consent given to a KUA for storing
his e-KYC data or for sharing it with third parties, and upon such revocation, the KUA
shall delete the e-KYC data and cease any further sharing.

(6) In addition to the restriction on further sharing contained in sub-regulation (4), all other
obligations relating to the personal information of the Aadhaar number holder, data
security and other relevant responsibilities applicable to requesting entities, shall also
apply to the agency or entity with whom e-KYC data has been shared in accordance with
this regulation 16.

(7) Upon request, a KUA shall provide a digitally signed electronic copy of the e-KYC data
to the Aadhaar number holder, and the Aadhaar number holder may subsequently share
the said copy with any agency:
Provided that the agency that is requesting e-KYC data from the Aadhaar number holder
shall inform the purpose of doing so and take the consent of the Aadhaar number holder;

Provided further that the agency with whom the Aadhaar number holder has shared the e-
KYC data shall not share it further with any other entity/agency except for completing the
transaction for which the Aadhaar number holder specifically consented to such sharing.
(8) The KUA shall maintain auditable logs of all such transactions where e-KYC data has
been shared with other agencies, for a period specified by the Authority.
17. Obligations relating to use of identity information by requesting entity.—
(1) A requesting entity shall ensure that:
(a) the core biometric information collected from the Aadhaar number holder is
not stored, shared or published for any purpose whatsoever, and no copy of the
core biometric information is retained with it;

(b) the core biometric information collected is not transmitted over a network without
creation of encrypted PID block which can then be transmitted in accordance with
specifications and processes laid down by the Authority.

(c) the encrypted PID block is not stored, unless it is for buffered authentication where it
may be held temporarily on the authentication device for a short period of time, and
that the same is deleted after transmission;

(d) identity information received during authentication is only used for the purpose
specified to the Aadhaar number holder at the time of authentication, and shall not
be disclosed further, except with the prior consent of the Aadhaar number holder to
whom such information relates;

(e) the identity information of the Aadhaar number holders collected during
authentication and any other information generated during the authentication process
is kept confidential, secure and protected against access, use and disclosure not
permitted under the Act and its regulations;


(f) the private key used for digitally signing the authentication request and the license
keys are kept secure and access controlled; and

(g) all relevant laws and regulations in relation to data storage and data protection
relating to the Aadhaar-based identity information in their systems, that of their
agents (if applicable) and with authentication devices, are complied with.
18. Maintenance of logs by requesting entity. —

(1) A requesting entity shall maintain logs of the authentication transactions processed by it,
containing the following transaction details, namely:—
(a) the Aadhaar number against which authentication is sought;
(b) specified parameters of authentication request submitted;
(c) specified parameters received as authentication response;
(d) the record of disclosure of information to the Aadhaar number holder at the time
of authentication; and
(e) record of consent of the Aadhaar number holder for authentication,
but shall not, in any event, retain the PID information.

(2) The logs of authentication transactions shall be maintained by the requesting entity for a
period of 2 (two) years, during which period an Aadhaar number holder shall have the
right to access such logs, in accordance with the procedure as may be specified.

(3) Upon expiry of the period specified in sub-regulation (2), the logs shall be archived for a
period of five years or the number of years as required by the laws or regulations
governing the entity, whichever is later, and upon expiry of the said period, the logs shall
be deleted except those records required to be retained by a court or required to be
retained for any pending disputes.

(4) The requesting entity shall not share the authentication logs with any person other than
the concerned Aadhaar number holder upon his request or for grievance redressal and
resolution of disputes or with the Authority for audit purposes. The authentication logs
shall not be used for any purpose other than stated in this sub-regulation.
(5) The requesting entity shall comply with all relevant laws, rules and regulations, including,
but not limited to, the Information Technology Act, 2000 and the Evidence Act, 1872, for
the storage of logs.
(6) The obligations relating to authentication logs as specified in this regulation shall
continue to remain in force despite termination of appointment in accordance with these
regulations.
19. Roles, responsibilities and code of conduct of Authentication Service
Agencies.—
An Authentication Service Agency shall have the following functions and obligations:—

(a) provide secured connectivity to the CIDR to transmit authentication request from a
requesting entity in the manner as may be specified by the Authority for this purpose;

(b) perform basic compliance and completeness checks on the authentication data packet
before forwarding it to CIDR;
(c) on receiving the response from CIDR, transmit the result of the transaction to the
requesting entity that has placed the request;
(d) only engage with the requesting entities approved by the Authority and keep the
Authority informed of the list of requesting entities that it serves;
(e) communicate to the Authority, all relevant information pertaining to any agreement
that it may enter into with a requesting entity;
(f) ensure that the persons employed by it for performing authentication and for
maintaining necessary systems, infrastructure, processes, etc., possess requisite
qualifications for undertaking such works;

(g) ensure that its operations are audited by an information systems auditor certified by a
recognized body on an annual basis, and provide a certified audit report, to the
Authority, confirming its compliance with the policies, processes, procedures,
standards, or specifications, issued by the Authority in this regard, from time to time;

(h) ensure that all infrastructure and operations including systems, processes, devices,
software and biometric infrastructure, security, and other related aspects, are in
compliance with the standards and specifications as may be specified by the Authority for
this purpose;
(i) at all times, comply with directions, specifications, etc. issued by the Authority, in
terms of network and other Information Technology infrastructure, processes,
procedures, etc.;
(j) comply with all relevant laws and regulations relating, in particular, to data security
and data management;
(k) any value added service that an ASA provides to a requesting entity under a contract
shall not form part of the Aadhaar authentication process;
(l) shall be responsible to the Authority for all its authentication related operations, even
in the event the ASA sub-contracts parts of its operations to other entities, the
responsibility shall remain with the ASA;
(m) in case of investigations relating to authentication related fraud or dispute, the ASA
shall extend full co-operation to the Authority (or their agency) and/or any other
authorized investigation agency, including providing access to its premises, records,
systems, personnel, infrastructure, any other relevant resource or information and any
other relevant aspect of its authentication operations;

(n) may agree upon the authentication charges for providing services to a requesting
entity, with such requesting entity, and the Authority shall have no say in this respect,
for the time being; however, the Authority’s right to prescribe a different mechanism
in this respect in the future shall be deemed to have been reserved;
(o) shall, at all times, comply with any contractual terms and all rules, regulations,
policies, manuals, procedures, specifications, standards, and directions issued by the
Authority.
20. Maintenance of logs by Authentication Service Agencies.—
(1) An Authentication Service Agency shall maintain logs of the authentication transactions
processed by it, containing the following transaction details, namely:—
(a) identity of the requesting entity;
(b) parameters of authentication request submitted; and
(c) parameters received as authentication response:
Provided that no Aadhaar number, PID information, device identity related data and e-KYC
response data, where applicable, shall be retained.

(2) Authentication logs shall be maintained by the ASA for a period of 2 (two) years,
during which period the Authority and/or the requesting entity may require access to
such records for grievance redressal, dispute redressal and audit in accordance with the
procedure specified in these regulations. The authentication logs shall not be used for
any purpose other than stated in this sub-regulation.

(3) Upon expiry of the period specified in sub-regulation (2), the authentication logs shall
be archived for a period of five years, and upon expiry of the said period of five years or
the number of years as required by the laws or regulations governing the entity
whichever is later, the authentication logs shall be deleted except those logs required to
be retained by a court or which are required to be retained for any pending disputes.
(4) The ASA shall comply with all applicable laws in respect of storage and maintenance of
these logs, including the Information Technology Act, 2000.
(5) The obligations relating to authentication logs as specified in this regulation shall
continue to remain in force despite termination of appointment in accordance with these
regulations.
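The log-content and retention rules of regulations 18 (requesting entity) and 20 (ASA), as an added illustration that is not UIDAI's code. The parameter names (pid_block, device_code, ekyc_response and so on) and the role/purpose vocabulary are assumptions standing in for the "specified parameters" the regulations refer to.

```python
"""Log-content and retention rules from regulations 18 (requesting entity) and
20 (ASA), as an added illustration; this is not UIDAI's code.  The parameter
names (pid_block, device_code, ...) are assumptions standing in for the
'specified parameters' the regulations refer to."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Set

ACTIVE_YEARS = 2    # reg. 18(2), 20(2): period during which logs are accessible
ARCHIVE_YEARS = 5   # reg. 18(3), 20(3): minimum archive period after that

# Assumed parameter names that carry PID information: never retained (18(1), 20(1)).
PID_KEYS: Set[str] = {"pid_block", "biometric", "otp", "pin", "demographic"}
# An ASA additionally may not retain these (reg. 20(1) proviso).
ASA_EXTRA_FORBIDDEN: Set[str] = {"aadhaar_number", "device_code", "device_id",
                                 "ekyc_response"}


def scrub(params: Dict[str, str], forbidden: Set[str]) -> Dict[str, str]:
    """Copy of params with every forbidden key dropped (case-insensitive)."""
    return {k: v for k, v in params.items() if k.lower() not in forbidden}


@dataclass
class AuthLogEntry:
    timestamp: datetime
    request_params: Dict[str, str]           # 18(1)(b) / 20(1)(b)
    response_params: Dict[str, str]          # 18(1)(c) / 20(1)(c)
    aadhaar_number: Optional[str] = None     # 18(1)(a): requesting entity only
    disclosure_record: Optional[str] = None  # 18(1)(d)
    consent_record: Optional[str] = None     # 18(1)(e)
    requesting_entity: Optional[str] = None  # 20(1)(a): ASA only


def requesting_entity_entry(ts: datetime, aadhaar_number: str, request: Dict[str, str],
                            response: Dict[str, str], disclosure: str,
                            consent: str) -> AuthLogEntry:
    """Reg. 18(1): keep the Aadhaar number, parameters, disclosure and consent
    records, but never the PID information."""
    return AuthLogEntry(ts, scrub(request, PID_KEYS), scrub(response, PID_KEYS),
                        aadhaar_number=aadhaar_number,
                        disclosure_record=disclosure, consent_record=consent)


def asa_entry(ts: datetime, requesting_entity: str, request: Dict[str, str],
              response: Dict[str, str]) -> AuthLogEntry:
    """Reg. 20(1): keep only the requesting entity's identity and the parameters;
    no Aadhaar number, PID, device identity or e-KYC response data."""
    forbidden = PID_KEYS | ASA_EXTRA_FORBIDDEN
    return AuthLogEntry(ts, scrub(request, forbidden), scrub(response, forbidden),
                        requesting_entity=requesting_entity)


def years_after(t: datetime, years: int) -> datetime:
    try:
        return t.replace(year=t.year + years)
    except ValueError:  # 29 February landing in a non-leap year
        return t.replace(year=t.year + years, day=28)


def retention_state(txn_time: datetime, now: datetime,
                    statutory_until: Optional[datetime] = None,
                    legal_hold: bool = False) -> str:
    """Reg. 18(2)-(3) / 20(2)-(3): 'active' for two years, then 'archived' until
    the later of five further years or the statutory deadline governing the
    entity, then 'delete' unless a court order or pending dispute applies."""
    archive_start = years_after(txn_time, ACTIVE_YEARS)
    archive_end = years_after(archive_start, ARCHIVE_YEARS)
    if statutory_until is not None and statutory_until > archive_end:
        archive_end = statutory_until          # "whichever is later"
    if now < archive_start:
        return "active"
    if now < archive_end:
        return "archived"
    return "legal_hold" if legal_hold else "delete"


def access_permitted(entry: AuthLogEntry, role: str, purpose: str,
                     requester_aadhaar: Optional[str] = None) -> bool:
    """Reg. 18(4): a requesting entity shares a log only with the concerned holder
    on request, for grievance redressal or dispute resolution, or with the
    Authority for audit.  The role/purpose strings are this example's own."""
    if role == "holder":
        return requester_aadhaar is not None and requester_aadhaar == entry.aadhaar_number
    if role == "authority":
        return purpose == "audit"
    return purpose in {"grievance", "dispute"}


if __name__ == "__main__":
    # Constructed sample transaction; the Aadhaar number is a placeholder, not a real one.
    ts = datetime(2017, 1, 1)
    e = requesting_entity_entry(ts, "<constructed-aadhaar-number>",
                                {"txn": "T1", "pid_block": "<encrypted>"},
                                {"ret": "y", "code": "<response-code>"},
                                "purpose disclosed to holder", "consent captured")
    print(e.request_params, retention_state(ts, datetime(2024, 1, 1)))
```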
21. Audit of requesting entities and Authentication Service Agencies.—
(1) The Authority may undertake audit of the operations, infrastructure, systems and
procedures, of requesting entities, including the agencies or entities with whom they
have shared a license key or the entities on whose behalf they have performed
authentication, and Authentication Service Agencies, either by itself or through audit
agencies appointed by it, to ensure that such entities are acting in compliance with the
Act, rules, regulations, policies, procedures, guidelines issued by the Authority.

(2) The Authority may conduct audits of the operations and systems of the entities referred
to in sub-regulation (1), either by itself or through an auditor appointed by the Authority.
The frequency, time and manner of such audits shall be as may be notified by the Authority
from time to time.
(3) An entity subject to audit shall provide full co-operation to the Authority or any agency
approved and/or appointed by the Authority in the audit process, and provide to the
Authority or any agency approved and/or appointed by the Authority, complete access
to its procedures, records and information pertaining to services availed from the
Authority. The cost of audits shall be borne by the concerned entity.

(4) On identification of any deficiency by the Authority, the Authority may require the
concerned entity to furnish necessary clarifications and/or information as to its activities
and may also require such entity either to rectify the deficiencies or take action as
specified in these regulations.
22. Data Security. —
(1) Requesting entities and Authentication Service Agencies shall have their servers used
for Aadhaar authentication request formation and routing to CIDR to be located within
data centres located in India.

(2) Authentication Service Agency shall establish dual redundant, secured leased lines or
MPLS connectivity with the data centres of the Authority, in accordance with the
procedure and security processes as may be specified by the Authority for this purpose.
(3) Requesting entities shall use appropriate license keys to access the authentication
facility provided by the Authority only through an ASA over secure network, as may be
specified by the Authority for this purpose.
(4) Requesting Entities and Authentication Service Agencies shall adhere to all regulations,
information security policies, processes, standards, specifications and guidelines issued
by the Authority from time to time.
23. Surrender of the access to authentication facility by requesting entity or
Authentication Service Agency. —
(1) A Requesting Entity or ASA, appointed under these regulations, desirous of
surrendering the access to the authentication facility granted by Authority, may make a
request for such surrender to the Authority.

(2) While disposing such surrender request under these regulations, the Authority may
require the requesting entity or ASA to satisfy the Authority about any matter necessary
for smooth discontinuance or termination of services, including–

(a) the arrangements made by the requesting entity for maintenance and preservation
of authentication logs and other documents in accordance with these regulations
and procedures as may be specified by the Authority for this purpose;

(b) the arrangements made by the requesting entity for making authentication record
available to the respective Aadhaar number holder on such request;
(c) records of redressal of grievances, if any;

(d) settlement of accounts with the Authority, if any;


(e) in case of surrender by ASAs, the ASA, prior to the surrender of its access, shall
ensure that its associated requesting entities are given adequate time to migrate to
other ASAs in operation.

24. Agencies appointed before commencement of these regulations. —


(1) Any Authentication User Agency (AUA) or e-KYC User Agency (KUA), appointed
prior to the commencement of these regulations shall be deemed to be a requesting
entity, and any Authentication Service Agency (ASA) or e-KYC Service Agency (KSA)
shall be deemed to be an Authentication Service Agency, under these regulations, and
all the agreements entered into between such agencies and the Unique Identification
Authority of India, established vide notification of the Government of India in the
Planning Commission number A-43011/02/2009-Admin. I, dated the 28th January,
2009 or any officer of such authority shall continue to be in force to the extent not
inconsistent with the provisions of the Act, these regulations, and other regulations,
policies, processes, procedures, standards and specifications issued by the Authority.

(2) Notwithstanding anything contained in sub-regulation (1), any deemed requesting entity
or Authentication Service Agency referred to in sub-regulation (1) shall be required to
comply with the provisions of the Act, these regulations, other regulations framed by
the Authority, and the policies, processes, procedures, standards and specifications
issued by the Authority.

(3) In the event any such agency referred to in sub-regulation(1) seeks to discontinue using
the authentication facility as specified in these regulations, it may immediately make an
application for termination of its credentials and stop its functions forthwith: Provided
that in such cases, no compensation shall be payable to the agency or to the Authority
upon such termination.

(4) On discontinuance under sub-regulation (3), the concerned entity shall be required to
comply with the closure requirements listed in regulation 23(2).
25. Liability and action in case of default. —

(1) Where any requesting entity or an ASA appointed under the Act,
(a) fails to comply with any of the processes, procedures, standards, specifications or
directions issued by the Authority, from time to time;
(b) is in breach of its obligations under the Act and these regulations;

(c) uses the Aadhaar authentication facilities for any purpose other than those
specified in the application for appointment as requesting entity or ASA,
(d) fails to furnish any information required by the Authority for the purpose of these
regulations; or
(e) fails to cooperate in any inspection or investigation or enquiry or audit conducted
by the Authority,
the Authority may, without prejudice to any other action which may be taken under the Act,
take such steps to impose disincentives on the requesting entity or an ASA for contravention
of the provisions of the Act, rules and regulations there under, including suspension of
activities of such entity or agency, or other steps as may be more specifically provided for
in the agreement entered into by such entities with the Authority: Provided that the entity
or agency shall be given the opportunity of being heard before the termination of
appointment and discontinuance of its operations relating to Aadhaar authentication.
(2) Any such action referred to in sub-regulation (1) may also be taken against any entity or
agency with which an AUA has shared its license key for Yes/ No authentication and
any entity with which a KUA has shared e-KYC data.

(3) Upon termination of appointment by the Authority, the requesting entity or the ASA
shall, forthwith, cease to use the Aadhaar name and logo for any purposes, and in any
form, whatsoever, and may be required to satisfy the Authority of necessary aspects of
closure, including those enumerated in regulation 23(2).

CHAPTER IV
AUTHENTICATION TRANSACTION DATA AND AUTHENTICATION RECORDS
26. Storage and Maintenance of Authentication Transaction Data. —
(1) The Authority shall store and maintain authentication transaction data, which shall
contain the following information:—
(a) authentication request data received including PID block;
(b) authentication response data sent;
(c) meta data related to the transaction;
(d) any authentication server side configurations as necessary:
Provided that the Authority shall not, in any case, store the purpose of authentication.
27. Duration of storage. —
(1) Authentication transaction data shall be retained by the Authority for a period of 6
months, and thereafter archived for a period of five years.
(2) Upon expiry of the period of five years specified in sub-regulation (1), the
authentication transaction data shall be deleted except when such authentication
transaction data are required to be maintained by a court or in connection with any
pending dispute.
28. Access by Aadhaar number holder. —
(1) An Aadhaar number holder shall have the right to access his authentication records
subject to conditions laid down and payment of such fees as prescribed by the Authority
by making requests to the Authority within the period of retention of such records
before they are archived.

(2) The Authority may provide mechanisms such as online portal or mobile application or
designated contact centers for Aadhaar number holders to obtain their digitally signed
authentication records within the period of retention of such records before they are
archived as specified in these regulations.
(3) The Authority may provide digitally signed e-KYC data to the Aadhaar number holder
through biometric or OTP authentication, subject to payment of such fees and processes
as specified by the Authority.
(4) The authentication records and e-KYC data shall not be shared with any person or entity:

(a) other than with the Aadhaar number holder to whom the records or e-KYC data
relate in accordance with the verification procedure specified. Aadhaar number
holder may share their digitally signed authentication records and e-KYC data
with other entities which shall not further share with any other agencies without
obtaining consent of the Aadhaar holder every time before such sharing.
(b) except in accordance with the Act.

CHAPTER V
MISCELLANEOUS
29. Savings.—
All procedures, orders, processes, standards, specifications and policies issued and MOUs,
agreements or contracts entered by the Unique Identification Authority of India, established
vide notification of the Government of India in the Planning Commission number A-
43011/02/2009-Admin. I, dated the 28th January, 2009 or any officer of such authority,
prior to the establishment of the Authority under the Act shall continue to be in force to the
extent that they are not inconsistent with the provisions of the Act and regulations framed
thereunder.
30. Power to issue clarifications, guidelines and removal of difficulties. —
In order to remove any difficulties or clarify any matter pertaining to application or
interpretation of these regulations, the Authority may issue clarifications and guidelines in
the form of circulars.

Schedule A

Eligibility criteria for appointment as requesting entities


1. Entities seeking to use authentication facility provided by the Authority as requesting entities are
classified under following categories for appointment as Authentication User Agency (AUA) and/or e-KYC User
Agency (KUA), as the case may be:

S. No.        Organisation Category

Category 1    Government Organisation
  1.1   A Central/State Government Ministry/Department and their attached or sub-ordinate offices.
  1.2   An undertaking owned and managed by Central/State Government (PSU)
  1.3   An Authority constituted under the Central/State Act / Special Purpose Organisation
        constituted by Central/State govt.

Category 2    Regulated Service Providers
  2.1   Regulated/Licensed by RBI – Banks and Payment & Settlement System
        2.1.1  Public Sector Banks (PSB)
        2.1.2  Private Banks, Foreign Banks licensed by RBI to operate in India, Payment Banks,
               Small Finance Banks
        2.1.3  Regional Rural Banks
        2.1.4  Co-operative Banks
               1. State Co-operative Banks
               2. District Co-operative Banks
               3. Scheduled Urban Co-operative Banks
               4. Non-Scheduled Urban Co-operative Banks
        2.1.5  Payment & Settlement System Network
               1. Financial market infrastructure
               2. Retail payments organisation
               3. Card payment network
               4. ATM networks
               5. Pre-paid payment instruments
               6. White label ATM operators
               7. Instant Money Transfer
        2.1.6  Non-Banking Financial Company
  2.2   Regulated by IRDA/PFRDA – Financial Institutions
  2.3   Regulated by TRAI – Telecom
  2.4   Regulated by CCA – Certifying Authority, Digital Locker providers, e-Sign providers
  2.5   Regulated by SEBI – KYC Registration Agency (KRA), Depository Participant (DP), Asset
        Management Company (AMC), Trading Exchanges, Registrar and Transfer Agents
  2.6   Regulated by National Housing Bank
  2.7   Regulated by DGCA/AAI (AAI Act) – Duly licensed:
        1. Airport operators having scheduled civil aviation operations, and
        2. Scheduled Airline operators.

Category 3    Other Entities
  3.1   3.1.1  Company registered in India under the Companies Act 1956 / The Companies Act 2013
               (Company under group of companies has to apply individually)
        3.1.2  Partnership registered under the Indian Partnership Act 1932 or under the Limited
               Liability Partnership Act, 2008
        3.1.3  Proprietorship firm
        3.1.4  Not-for-profit Organisations (under section 25 of The Companies Act 1956)
        3.1.5  Academic Institutions / Research and Development Organisations
        3.1.6  Societies registered under Indian Societies Registration Act, 1860 or The Indian
               Trust Act, 1882 or The Companies Act, 2013 (Sec 8) / Co-operative Society Act 1912
        3.1.7  Any entity other than above mentioned categories

2. Technical and Financial criteria for entities for appointment as requesting entity are as under:-

Category 1 and Category 2
  Authentication User Agency (AUA) – Technical Requirements:
    1. Backend infrastructure, such as servers, databases etc. of the entity, required
       specifically for the purpose of Aadhaar authentication, should be located within the
       territory of India.
    2. Entity should have IT Infrastructure owned or outsourced capable of carrying out
       minimum 1 Lakh Authentication transactions per month.
    3. Organisation should have a prescribed Data Privacy policy to protect beneficiary
       privacy.
    4. Organisation should have adopted data security requirements as per the IT Act 2000.
  Authentication User Agency (AUA) – Financial Requirements:
    No financial requirement (Category 1); No financial requirement (Category 2).
  Additional requirements for e-KYC User Agency (KUA):
    No additional requirement for KUA.

Category 3
  Authentication User Agency (AUA) – Technical Requirements:
    1. Backend infrastructure, such as servers, databases etc. of the entity, required
       specifically for the purpose of Aadhaar authentication, should be located within the
       territory of India.
    2. Entity should have IT Infrastructure owned or outsourced capable of carrying out
       minimum 1 Lakh Authentication transactions per month.
    3. Organisation should have a prescribed Data Privacy policy to protect beneficiary
       privacy.
    4. Organisation should have adopted Data security requirements as per the IT Act 2000.
    5. Entity should be in business for minimum of 1 year from date of commencement of
       Business.
  Authentication User Agency (AUA) – Financial Requirements:
    Paid up capital of Minimum ₹1 (one) Crore, OR Annual turnover of Minimum ₹5 (Five) Crore
    during the last Financial year.
  Additional requirements for e-KYC User Agency (KUA):
    Entity should meet Authentication Transaction Criteria as laid down by the Authority from
    time to time.

Schedule B
Eligibility criteria of Authentication Service Agencies
See Regulation 10(2)

1. Entities seeking to provide secure access to CIDR to requesting entities for enabling authentication
services are classified under following categories for appointment as Authentication Service Agency:

S. No       Organisation Category
Category 1  A Central/State Government Ministry/Department or an undertaking owned and
            managed by Central/State Government
Category 2  An Authority constituted under the Central/State Act
Category 3  Any other entity of national importance as determined by the Authority
Category 4  A company registered in India under the Indian Companies Act 1956
Category 5  Any AUA or KUA meeting authentication transaction criteria as laid down by the
            Authority from time to time

2. Technical and Financial criteria for entities for appointment as Authentication Service
Agency:

Category 1, 2 and 3
  Financial Requirement: No financial requirements
  Technical Requirement: No technical requirements

Category 4
  Financial Requirement: An annual turnover of at least Rs. 100 crores in last three
    financial years
  Technical Requirement: A Telecom Service Provider (TSP) including All Unified Licensees
    (having Access Service Authorization) / Unified Licensees (AS) / Unified Access Services
    Licensees / Cellular Mobile Telephone Service Licensees operating pan India fiber optics
    network and should have a minimum of 100 MPLS Points of Presence (PoP) across all states
    OR
    Should be a Network Service Provider (NSP) or System Integrator having pan-India network
    connectivity for data transmission and should have 100 MPLS PoPs in India.

Category 5
  Financial Requirement: No financial requirements
  Technical Requirement: Any AUA or KUA meeting authentication transaction criteria as laid
    down by the Authority from time to time


NOTIFICATION
New Delhi, the 12th September, 2016
AADHAAR (DATA SECURITY) REGULATIONS, 2016
(No. 4 of 2016)
No. 13012/64/2016/Legal/UIDAI (No. 4 of 2016).—In exercise of the powers conferred
by clause (p) of sub-section (2) of section 54 of the Aadhaar (Targeted Delivery of Financial and
Other Subsidies, Benefits and Services) Act, 2016, the Unique Identification Authority of India
makes the following Regulations, namely:—
1. Short title and commencement. —
(1) These regulations may be called the Aadhaar (Data Security) Regulations, 2016.
(2) These Regulations shall come into force on the date of their publication in the
Official Gazette.
2. Definitions. —
(1) In these regulations, unless the context otherwise requires,—
(a) “Act” means the Aadhaar (Targeted Delivery of Financial and Other Subsidies,
Benefits and Services) Act, 2016 (18 of 2016);
(b) “Authority” means the Unique Identification Authority of India established under
sub-section (1) of section 11 of the Act;
(c) “Central Identities Data Repository” or “CIDR” means a centralised database in
one or more locations containing all Aadhaar numbers issued to Aadhaar number
holders along with the corresponding demographic information and biometric
information of such individuals and other information related thereto;
(d) “enrolling agency” means an agency appointed by the Authority or a Registrar, as
the case may be, for collecting demographic and biometric information of
individuals under this Act;
(e) “information security policy” means the policy specified by the Authority under
regulation 3 of these regulations;
(f) “personnel” means all officers, employees, staff and other individuals employed or
engaged by the Authority or by the service providers for discharging any functions
under the Act;
(g) “registrar” means any entity authorised or recognised by the Authority for the
purpose of enrolling individuals under this Act;
(h) “regulations” means the regulations made by the Authority under this Act;
(i) “requesting entity” means an agency or person that submits the Aadhaar number,
and demographic information or biometric information, of an individual to the
Central Identities Data Repository for authentication;
(j) “service provider” includes all entities engaged by the Authority for discharging
any function related to its processes.
(2) All other words and expressions used but not defined in these regulations, but defined in
the Act or the Information Technology Act, 2000 and/or the rules and regulations made
thereunder shall have the same meaning as respectively assigned to them in such Acts or
rules or regulations or any statutory modification or re-enactment thereto, as the case
may be.
3. Measures for ensuring information security. —
(1) The Authority may specify an information security policy setting out inter alia the
technical and organisational measures to be adopted by the Authority and its personnel,
and also security measures to be adopted by agencies, advisors, consultants and other
service providers engaged by the Authority, registrar, enrolling agency, requesting
entities, and Authentication Service Agencies.

(2) Such information security policy may provide for:—


(a) identifying and maintaining an inventory of assets associated with the information
and information processing facilities;
(b) implementing controls to prevent and detect any loss, damage, theft or
compromise of the assets;
(c) allowing only controlled access to confidential information;
(d) implementing controls to detect and protect against viruses/malware;
(e) a change management process to ensure information security is maintained during
changes;
(f) a patch management process to protect information systems from vulnerabilities
and security risks;
(g) a robust monitoring process to identify unusual events and patterns that could
impact security and performance of information systems and a proper reporting
and mitigation process;
(h) encryption of data packets containing biometrics, and enabling decryption only in
secured locations;
(i) partitioning of CIDR network into zones based on risk and trust;
(j) deploying necessary technical controls for protecting CIDR network;
(k) service continuity in case of a disaster;
(l) monitoring of equipment, systems and networks;
(m) measures for fraud prevention and effective remedies in case of fraud;
(n) requirement of entering into non-disclosure agreements with the personnel;
(o) provisions for audit of internal systems and networks;
(p) restrictions on personnel relating to processes, systems and networks;
(q) inclusion of security and confidentiality obligations in the agreements or
arrangements with the agencies, consultants, advisors or other persons engaged by
the Authority.
(3) The Authority shall monitor compliance with the information security policy and other
security requirements through internal audits or through independent agencies.
(4) The Authority shall designate an officer as Chief Information Security Officer for
disseminating and monitoring the information security policy and other security-related
programmes and initiatives of the Authority.


4. Security obligations of the personnel —


(1) The personnel shall comply with the information security policy, and other policies,
guidelines, procedures, etc. issued by the Authority from time to time.
(2) Without prejudice to any action that may be taken under the Act, personnel may be liable
to action in accordance with procedures specified by the Authority for this purpose:
Provided that no such action shall be taken without giving the concerned personnel a
reasonable opportunity of being heard.
5. Security obligations of service providers, etc. —
The agencies, consultants, advisors and other service providers engaged by the
Authority for discharging any function relating to its processes shall:
(a) ensure compliance with the information security policy specified by the Authority;
(b) periodically report compliance with the information security policy and contractual
requirements, as required by the Authority;
(c) report promptly to the Authority any security incidents affecting the confidentiality,
integrity and availability of information related to the Authority’s functions;
(d) ensure that records related to the Authority shall be protected from loss, destruction,
falsification, unauthorised access and unauthorised release;
(e) ensure confidentiality obligations are maintained during the term and on
termination of the agreement;
(f) ensure that appropriate security and confidentiality obligations are provided for in
their agreements with their employees and staff members;
(g) ensure that the employees having physical access to CIDR data centers and logical
access to CIDR data centers undergo necessary background checks;
(h) define the security perimeters holding sensitive information, and ensure only
authorised individuals are allowed access to such areas to prevent any data leakage
or misuse; and

(i) where they are involved in the handling of the biometric data, ensure that they use
only those biometric devices which are certified by a certification body as identified
by the Authority and ensure that appropriate systems are built to ensure security of
the biometric data.
6. Audits and inspection of service providers, etc. —
(1) All agencies, consultants, advisors and other service providers engaged by the Authority,
and ecosystem partners such as registrars, requesting entities, Authentication User
Agencies and Authentication Service Agencies shall get their operations audited by an
information systems auditor certified by a recognised body under the Information
Technology Act, 2000 and furnish certified audit reports to the Authority, upon request
or at time periods specified by the Authority.
(2) In addition to the audits referred to in sub-regulation (1), the Authority may conduct
audits of the operations and systems of such entities or persons, either by itself or
through an auditor appointed by the Authority.

AADHAAR (DATA SECURITY) REGULATION, 2016

25 of 117
THE GAZETTE OF INDIA: EXTRAORDINARY [PART III—SEC. 4]

7. Confidentiality. –
All procedures, orders, processes, standards and protocols related to security, which are
designated as confidential by the Authority, shall be treated as confidential by all its
personnel and shall be disclosed to the concerned parties only to the extent required for
giving effect to the security measures. The nature of information that cannot be shared
outside the Authority unless mandated under the Act includes, but not limited to,
Information in CIDR, Technology details, Network Architecture, Information security policy
and processes, software codes, internal reports, audit and assessment reports, applications
details, asset details, contractual agreements, present and future planned infrastructure
details, protection services, and capabilities of the system.
8. Savings. —
All procedures, orders, processes, standards and policies issued and MOUs, agreements or
contracts entered by the Unique Identification Authority of India, established vide
notification of the Government of India in the Planning Commission number A-
43011/02/2009-Admin. I, dated the 28th January, 2009 or any officer of such authority, prior
to the establishment of the Authority under the Act shall continue to be in force to the extent
that they are not inconsistent with the provisions of the Act and regulations framed
thereunder.
9. Power to issue policies, process documents, etc. —
The Authority may issue policies, processes, standards and other documents, not inconsistent
with these regulations, which are required to be specified under these regulations or for
which provision is necessary for the purpose of giving effect to these regulations.
10. Power to issue clarifications, guidelines and removal of difficulties. —
In order to clarify any matter pertaining to application or interpretation of these regulations,
or to remove any difficulties in implementation of these regulations, the Authority shall have
the power to issue clarifications and guidelines in the form of circulars which shall have
effect of these regulations.


NOTIFICATION
New Delhi, the 12th September, 2016
AADHAAR (SHARING OF INFORMATION) REGULATIONS, 2016
(No. 5 of 2016)
No. 13012/64/2016/Legal/UIDAI (No. 5 of 2016).—In exercise of the powers conferred by
sub-section (1), and sub-clause (o) of sub-section (2), of Section 54 read with sub-clause (k) of
sub-section (2) of Section 23, and sub-sections (2) and (4) of Section 29, of the Aadhaar
(Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the
Unique Identification Authority of India hereby makes the following regulations, namely:-
CHAPTER I
PRELIMINARY
1. Short title and commencement. —
(1) These regulations may be called the Aadhaar (Sharing of Information) Regulations,
2016.
(2) These regulations shall come into force on the date of their publication in the Official
Gazette.
2. Definitions. —
(1) In these regulations, unless the context otherwise requires,-
(a) “Act” means the Aadhaar (Targeted Delivery of Financial and Other Subsidies,
Benefits and Services) Act, 2016;
(b) “Aadhaar Letter” means a document for conveying the Aadhaar number to a
resident;
(c) “Aadhaar number holder” means an individual who has been issued an Aadhaar
number under the Act;
(d) “Authority” means the Unique Identification Authority of India established under
sub-section (1) of section 11;
(e) “requesting entity” means an agency or person that submits the Aadhaar number,
and demographic information or biometric information, of an individual to the
Central Identities Data Repository for authentication.
(2) All other words and expressions used in these regulations but not defined, and defined in
the Act and the rules and other regulations made there under, shall have the meanings
respectively assigned to them in the Act or the rules or other regulations, as the case may be.

AADHAAR (SHARING OF INFORMATION) REGULATION, 2016

27 of 117
THE GAZETTE OF INDIA: EXTRAORDINARY [PART III—SEC. 4]

CHAPTER II
RESTRICTIONS ON SHARING OF IDENTITY INFORMATION
3. Sharing of information by the Authority. —
(1) Core biometric information collected by the Authority under the Act shall not be shared
with anyone for any reason whatsoever.
(2) The demographic information and photograph of an individual collected by the Authority
under the Act may be shared by the Authority with a requesting entity in response to an
authentication request for e-KYC data pertaining to such individual, upon the requesting entity
obtaining consent from the Aadhaar number holder for the authentication process, in accordance
with the provisions of the Act and the Aadhaar (Authentication) Regulations, 2016.
(3) The Authority shall share authentication records of the Aadhaar number holder with him
in accordance with regulation 28 of the Aadhaar (Authentication) Regulations, 2016.

(4) The Authority may share demographic information and photograph, and the
authentication records of an Aadhaar number holder when required to do so in accordance with
Section 33 of the Act.
4. Sharing of information by a requesting entity. —
(1) Core biometric information collected or captured by a requesting entity from the Aadhaar
number holder at the time of authentication shall not be stored except for buffered authentication
as specified in the Aadhaar (Authentication) Regulations, 2016, and shall not be shared with
anyone for any reason whatsoever.
(2) The identity information available with a requesting entity:
(a) shall not be used by the requesting entity for any purpose other than that specified to the
Aadhaar number holder at the time of submitting identity information for authentication; and
(b) shall not be disclosed further without the prior consent of the Aadhaar number holder.
(3) A requesting entity may share the authentication logs of an Aadhaar number holder with
the concerned Aadhaar number holder upon his request or for grievance redressal and resolution
of disputes or with the Authority for audit purposes, as specified in regulation 18 of the Aadhaar
(Authentication) Regulations, 2016.
5. Responsibility of any agency or entity other than requesting entity with respect to
Aadhaar number. —
(1) Any individual, agency or entity which collects Aadhaar number or any document
containing the Aadhaar number, shall:
(a) collect, store and use the Aadhaar number for a lawful purpose;
(b) inform the Aadhaar number holder the following details:—
i. the purpose for which the information is collected;
ii. whether submission of Aadhaar number or proof of Aadhaar for such purpose is
mandatory or voluntary, and if mandatory, the legal provision mandating it;


iii. alternatives to submission of Aadhaar number or the document containing Aadhaar
number, if any;
(c) obtain consent of the Aadhaar number holder to the collection, storage and use of his
Aadhaar number for the specified purposes.
(2) Such individual, agency or entity shall not use the Aadhaar number for any purpose other
than those specified to the Aadhaar number holder at the time of obtaining his consent.
(3) Such individual, agency or entity shall not share the Aadhaar number with any person
without the consent of the Aadhaar number holder.
6. Restrictions on sharing, circulating or publishing of Aadhaar number. —
(1) The Aadhaar number of an individual shall not be published, displayed or posted publicly
by any person or entity or agency.
(2) Any individual, entity or agency, which is in possession of Aadhaar number(s) of
Aadhaar number holders, shall ensure security and confidentiality of the Aadhaar numbers and
of any record or database containing the Aadhaar numbers.
(3) Without prejudice to sub-regulations (1) and (2), no entity, including a requesting entity,
which is in possession of the Aadhaar number of an Aadhaar number holder, shall make public
any database or record containing the Aadhaar numbers of individuals, unless the Aadhaar
numbers have been redacted or blacked out through appropriate means, both in print and
electronic form.
(4) No entity, including a requesting entity, shall require an individual to transmit his
Aadhaar number over the Internet unless such transmission is secure and the Aadhaar number is
transmitted in encrypted form except where transmission is required for correction of errors or
redressal of grievances.
(5) No entity, including a requesting entity, shall retain Aadhaar numbers or any document or
database containing Aadhaar numbers for longer than is necessary for the purpose specified to
the Aadhaar number holder at the time of obtaining consent.
7. Liability for contravention of the regulations. —
Without prejudice to any action that may be taken under the Act, any contravention of
regulations 3, 4, 5 and 6 of these regulations shall constitute a violation of sub-section (2) of
Section 29 of the Act.

8. Redressal of grievances of Aadhaar number holders. —
In the event the identity information of an Aadhaar number holder has been shared or published
in a manner contrary to the provisions of the Act or regulations, the Aadhaar number holder may
raise queries and grievances in accordance with the regulation 32 of the Aadhaar (Enrolment and
Update) Regulations, 2016.


CHAPTER III
MISCELLANEOUS

9. Information dissemination about sharing of Aadhaar numbers. —
The Authority may take necessary measures to educate Aadhaar number holders about the uses
of Aadhaar numbers and implications associated with its sharing.
10. Savings. —
All procedures, orders, processes, standards and policies issued and MOUs, agreements or
contracts entered by the Unique Identification Authority of India, established vide notification of
the Government of India in the Planning Commission number A-43011/02/2009-Admin. I, dated
the 28th January, 2009 or any officer of such authority, prior to the establishment of the
Authority under the Act shall continue to be in force to the extent that they are not inconsistent
with the provisions of the Act and regulations framed thereunder.
11. Power to issue clarifications and guidelines. —
In order to remove any difficulties or clarify any matter pertaining to application or interpretation
of these regulations, the Authority may issue clarifications and guidelines in the form of
circulars.

SECTION 2
CIRCULARS, GUIDELINES etc

Application for Biometric Device Certification under Regulation 8(1) of
Aadhaar (Authentication) Regulations, 2016

Organization Details
Name of the Device Provider
Registered Office address
Correspondence address
Management Point of Contact
Technical Point of Contact
Webpage link, e-mail address, Helpdesk number
Details of Service Centers in India
Name and address of OEM

Device Details
Device Make and Model
Type of device (Fingerprint/Iris)
Details of device
End of Service date (End of Service date would mean the date by which the device
provider will provide technical support to the purchasers)

STQC Certification details
Type of Registered Device (Level 0 / Level 1)
Certified for Operating Systems
STQC Certification number
Date of issue of STQC certification
Certification is valid up to (date)

Undertaking

This Undertaking is executed by ( Device provider name ), a <nature of constitution
of the biometric authentication device provider>, having its registered office/principal
place of business at <insert the registered office or principal place of business>, duly
represented by its authorized representative <insert the name of the authorized signatory>.

By this writing, the undersigned on behalf of …………….……… affirms,
declares and undertakes the following:

1. That ( Device provider name ) is desirous to receive UIDAI certification for its
biometric device as specified in the application enclosed herewith.
2. That ( Device provider name ) hereby declares that it is fully aware and
understands the provisions of The Aadhaar (Targeted Delivery of Financial And Other
Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act, 2016”) and its Regulations
made thereunder and undertakes that it shall at all times abide by the same.
3. That ( Device provider name ) is also fully
aware that it shall be liable for penal provisions, as applicable for any
contravention of the Aadhaar Act 2016 and any regulations made
thereunder.
4. That ( Device provider name ), after the
receipt of UIDAI certification, shall implement all changes in all
biometric devices or its software which may be required by UIDAI from
time to time for the purposes of security, improving the performance
parameters etc. as per device specifications issued by UIDAI from time
to time till the End of Service date.
5. That ( Device provider name ) undertakes to provide support to the entity to
which it has supplied the biometric devices and shall keep the device certification and
authorization/approval from UIDAI valid for all the biometric device models in use for
Aadhaar Authentication till the declared End of Service (EOS) date for the device.
Provided that in case the ( Device provider name ) is not able to obtain the
certification and approval from UIDAI for the updated specifications, the ( Device
provider name ) undertakes to replace such biometric devices with new UIDAI certified
biometric devices at no additional cost to the purchaser, for sales concluded on or after
15th March 2017.
6. That ( Device provider name ) is fully aware that it shall be liable to an
appropriate amount which shall be mutually decided between us and AUA /KUA, in case:
• it is discovered that the device provider private key has been compromised due to
incorrect or buggy implementation or due to negligence on the part of management
server setup and administration;
• it is discovered that the device key has been compromised due to a defect or
backdoor or lack of proper security implementation within the Registered Device (RD)
service;
• it is discovered that biometric replay/injection is possible within the RD service
due to a defect or a backdoor or lack of proper implementation of the RD service.
UIDAI shall have no role and / or liability in any condition.
7. That the ( Device provider name ) understands and agrees that the UIDAI shall
have the right to audit the biometric device provider's manufacturing facility and
continuously monitor and audit the performance and security of all devices in
production. Based on this monitoring / audit, UIDAI may decide to temporarily suspend
any individual device model from the ecosystem. In the event of temporary suspension,
the ( Device provider name ) undertakes to resolve the identified issue within the time
period specified by UIDAI, failing which the UIDAI certification of the device model may
be permanently revoked, for which the ( Device provider name ) undertakes to replace
all such devices in use in the field with UIDAI certified devices at its own cost. The
inspection/audit report will remain confidential between UIDAI and the device provider.
8. That the ( Device provider name ) affirms and declares that the information filled
up in the application form and this undertaking was placed before the board of directors /
partners of the ( Device provider name ) in its meeting dated _________ and has been
read over and verified to be true and correct.

9. That no particulars have been concealed and upon verification of
the application, the board / partners have approved the same for
submission at the hands of ________________. Any change in the name,
contact details, addresses etc. as filled up in this application form shall
also be immediately conveyed to UIDAI.
10. That the board resolution / minutes of the meeting dated _________
approving the application form and authorizing ________________ to
submit the same is/are being annexed herewith as Document No. 1.
11. That the application form being duly filled up and all its
particulars being verified by all the directors / partners each one of them
shall be jointly and severally liable for any discrepancy in the information
supplied herein above and as may be found by the authority.

This undertaking is being executed on this ……………….day of ……………..2017 at ………………..

(Authorized signatory)

Signature: ___________________________________
Name: _____________________________________
Designation: __________________________________
Organization: __________________________________
Date: _______________________________________

Letter Head of AUA

To,
Deputy Director (Authentication)
9th Floor, Tower I,
Jeevan Bharati Building
Connaught Circus
New Delhi-110001

Subject: Appointment of M/s ______________________________ as Sub-AUA.

This is w.r.t. UIDAI letter No. F-No. K-11022/460/2016-UIDAI (Auth-II) dated
28-02-2017 wherein AUAs were asked to take permission from UIDAI before
appointment of an entity as Sub-AUA.

In this regard we request you to grant permission for appointment of
M/s __________________________________ as Sub-AUA.

Thanks & Regards


(Authorized Signatory)

Name
Designation
Mobile no.

Enclosure: 1. Application Form along with Undertaking

Application for SUB AUA under Regulation 15 of Aadhaar
(Authentication) Regulations, 2016

Sub AUA Organization Details
Name of the Sub AUA
Sub AUA Code
Registered Office address
Correspondence address
Management Point of Contact
Technical Point of Contact
Purpose for which Authentication Services will be used:
1.
2.

(Authorized signatory: Sub-AUA)

Signature: ___________________________________
Name: _____________________________________
Designation: __________________________________
Organization: _________________________________
Date: _____________________________________

All the details mentioned above are verified by AUA

(Authorized signatory: AUA)

Signature: ___________________________________
Name: _____________________________________
Designation: __________________________________
Organization: _________________________________
Date: _____________________________________

Joint Undertaking
We ( AUA Organization name ) intend to appoint ( Sub AUA
organization name ) as Sub Authentication User Agency (Sub AUA) and both of
us are fully aware and understand the provisions of The Aadhaar (Targeted
Delivery of Financial And Other Subsidies, Benefits and Services) Act, 2016 and
Regulations made thereunder and further warrant that we shall at all times abide
by the same.

We ( AUA Organization name ) and ( Sub AUA organization name ) jointly and
severally certify that the information filled up in the application form and supplied
therewith has been read over and verified to be true and correct to our personal
knowledge and belief and no particulars have been concealed.

By this writing, the undersigned on behalf of ( AUA Organization name ) and
( Sub AUA Organization name ) affirm, declare and undertake the following:

1. We ( AUA Organization name ) shall ensure that the Aadhaar authentication
services are used by Sub AUA ( Sub AUA Organization name ) only for the purpose as
mentioned in the application form.

2. ( AUA Organization name ) shall create a separate License Key and assign a
unique Sub-AUA code to the Sub-AUA ( Sub AUA Organization name ), which shall not
further be shared with any other person or entity for any purpose.

3. ( AUA Organization name ) shall ensure that the Sub AUA ( Sub
AUA Organization name ) complies with the provisions of the Aadhaar
Act, 2016 and its Regulations, processes, standards, guidelines,
specifications and protocols of the Authority that are applicable to the
requesting entity.

4. We, ( AUA Organization name ) and ( Sub AUA Organization name ) shall be
jointly and severally liable for non-compliance of the
Aadhaar Act, 2016 and its Regulations, processes, standards, guidelines
and protocols of the Authority and shall be liable for disincentives and
penalties as per the schedule of disincentives of AUA agreement and other
provisions of the Aadhaar Act, 2016 and its Regulations.

5. We ( AUA Organization name ) shall ensure that the client application to be used
for Aadhaar authentication is developed and digitally signed by us, OR Sub-AUA ( Sub
AUA Organization name ) shall integrate a digitally signed SDK developed by us in their
client application for capturing Aadhaar information like Aadhaar number, biometric
details, demographic details etc.

6. ( AUA Organization name ) shall ensure that the ( Sub AUA Organization name )
client application or SDK, as the case may be, for Aadhaar authentication is audited, at
the time of appointment of ( Sub AUA Organization name ) and also every year
thereafter, by information systems auditor(s) certified by STQC / CERT-IN and that the
compliance audit report is submitted to UIDAI.

7. ( AUA Organization name ) and ( Sub AUA Organization name ) have ensured
that the declared information filled up in the application form as well as this
undertaking was placed before the board of directors / partners of our respective
organizations in their meetings dated _________ and dated __________ and has been
read over and verified to be true and correct.

8. No particulars have been concealed and upon verification of the application, the
board / partners have approved the same for submission at the hands of
________________. Any change in the name, contact details, addresses etc. as filled up
in this application form shall also be immediately conveyed to UIDAI.

9. The board resolutions / minutes of the meetings dated _________ and dated
__________ approving the application form and authorizing ________________
to submit the same are being annexed herewith.

10. The application form having been duly filled up and all its particulars having
been verified by all the directors / partners, each one of them shall be jointly
and severally liable for any discrepancy in the information supplied herein
above and as may be found by the authority.

This undertaking is being executed on this __________ day of _____________2017 at __________________.

Authorized signatory of ( AUA Organization name )
Signature: _______________
Name: __________________
Designation: ______________
Organization: _____________
Date: ___________________

Authorized signatory of ( Sub AUA Organization name )
Signature: _______________
Name: __________________
Designation: ______________
Organization: _____________
Date: ___________________

DO’s FOR AADHAAR USER AGENCIES/DEPARTMENTS
1. Read Aadhaar Act, 2016 and its Regulations carefully and ensure
compliance of all the provisions of the Aadhaar Act, 2016 and its
Regulations.
2. Ensure that everyone involved in Aadhaar related work is well conversant
with the provisions of the Aadhaar Act, 2017 and its Regulations as well as the
processes, policies, specifications, guidelines, circulars etc. issued by UIDAI
from time to time.
3. Create internal awareness about consequences of breaches of data as per
Aadhaar Act, 2016.
4. Follow the information security guidelines of UIDAI as released from time
to time.
5. Full Aadhaar number display must be controlled only for the Aadhaar
holder or various special roles/users having the need within the
agency/department. Otherwise, by default, all displays should be masked.
6. Verify that all data capture point and information dissemination points
(website, report etc) should comply with UIDAI’s security requirements.
7. If agency is storing Aadhaar number in database, data must be encrypted
and stored. Encryption keys must be protected securely, preferably using
HSMs. If simple spreadsheets are used, it must be password protected and
securely stored.
8. Access controls to data must be in place to make sure Aadhaar number
along with personally identifiable demographic data is protected.
9. For Aadhaar number look up in database, either encrypt the input and
then look up the record or use hashing to create Aadhaar number based
index.
10. Regular audit must be conducted to ensure Aadhaar number and linked
data is protected.
11. Ensure that employees and officials understand the implications of the
confidentiality and data privacy breach.

12. An individual in the organization must be made responsible for protecting
Aadhaar linked personal data. That person should be in charge of the
security of system, access control, audit, etc.
13. Identify and prevent any potential data breach or publication of personal
data.
14. Ensure swift action on any breach of personal data.
15. Ensure no Aadhaar data is displayed or disclosed to external agencies or
unauthorized persons.
16. Informed consent - Aadhaar holder should clearly be made aware of the
usage, the data being collected, and its usage. Aadhaar holder consent
should be taken either on paper or electronically.
17. Authentication choice - When doing authentication, agency should provide
multiple ways to authenticate (fingerprint, iris, OTP) to ensure all Aadhaar
holders are able to use it effectively.
18. Multi-factor for high security - When doing high value transactions, multi-
factor authentication must be considered.
19. Create an exception handling mechanism on the following lines:
20. It is expected that a small percentage of Aadhaar holders will not be
able to do biometric authentication. It is necessary that a well-defined
exception handling mechanism be put in place to ensure inclusion.
21. If fingerprint is not working at all even after using multi-finger
authentication, then alternate such as Iris or OTP must be provided.
22. If the scheme is family based (like the PDS system), anyone in the family must
be able to authenticate to avail the benefit. This ensures that even if one
person is unable to do any fingerprint authentication, someone else in the
family is able to authenticate. This reduces the error rate significantly.
23. If none of the above is working (multi-finger, Iris, anyone in family, etc.),
then agency must allow alternate exception handling schemes using card or
PIN or other means.
24. All authentication usage must be followed by notifications/receipts of
transactions.

25. All agencies implementing Aadhaar authentication must provide effective
grievances handling mechanism via multiple channels (website, call-center,
mobile app, sms, physical-center, etc.).
26. Get all the applications using Aadhaar audited & certified for its data
security by appropriate authority such as STQC/CERT-IN.
27. Use only STQC/UIDAI certified biometric devices for Aadhaar
authentication.

DONT’s FOR AADHAAR USER AGENCIES/DEPARTMENTS


1. Do not publish any personal identifiable data including Aadhaar in public
domain/websites etc. Publication of Aadhaar details is punishable under
Aadhaar act.
2. Do not store biometric information of Aadhaar holders collected for
authentication.
3. Do not store any Aadhaar based data in any unprotected endpoint devices,
such as PCs, laptops or smart phones or tablets or any other devices.
4. Do not print/display personally identifiable Aadhaar data mapped with
any other departmental data such as on ration card/birth certificate/caste
certificate/any other certificate/document. If the Aadhaar number is required to
be printed, it should be truncated or masked. Only the last four
digits of the Aadhaar number can be displayed/printed.
5. Do not capture/store/use Aadhaar data without consent of the resident as
per Aadhaar act. The purpose of use of Aadhaar information needs to be
disclosed to the resident.
6. Do not disclose any Aadhaar related information to any
external/unauthorized agency or individual or entity.
7. Do not locate servers or other IT storage systems/devices having Aadhaar
data outside of a locked, fully secured and access-controlled room.
8. Do not permit any unauthorized people to access stored Aadhaar data.
9. Do not share Authentication license key with any other entity.

Unique Identification Authority of India

Frequently Asked Questions (FAQs) – Aadhaar Data vault / Reference keys

Ref: UIDAI circular dated 25.07.2017

1. What is Aadhaar Data Vault?

Aadhaar Data Vault is a centralized storage for all the Aadhaar numbers collected by the AUAs/KUAs/Sub-AUAs/ or any other
agency for specific purposes under Aadhaar Act and Regulations, 2016. It is a secure system inside the respective agency’s
infrastructure accessible only on need to know basis.

2. What is the objective of Aadhaar Data Vault?

Aadhaar number has been identified as “Identity Information” under the Aadhaar Act 2016 and can uniquely identify residents in
India. Since Aadhaar number is a lifetime identity for Indians and shall be used to avail various services including services involving
financial transactions, unauthorized access to Aadhaar number may be misused in many ways.


Objective of Aadhaar Data Vault is to reduce the footprint of Aadhaar numbers within the systems / environment of the
organization hence reduce the risk of unauthorized access.

3. Does Aadhaar Data Vault refer to any technology?

Aadhaar Data vault is a concept for storage of Aadhaar numbers in one particular storage within the environment of the
organization to reduce the footprint of Aadhaar numbers. It does not refer to any technology. The decision of procuring a
technology to implement Aadhaar Data vault or implementing Aadhaar Data vault internally lies with the respective organization.

4. Who needs to implement Aadhaar Data Vault?

All agencies which store Aadhaar number are required to create an Aadhaar data vault. These agencies may or may not be
AUAs/KUAs/Sub-AUAs. They could be an organization that stores Aadhaar numbers for internal identification purposes such as
attendance management, linking with PF etc. All the agencies that store Aadhaar numbers in a structured and electronic form such
as a Database need to implement Aadhaar Data Vault.


5. Are there any implementation guidelines for Aadhaar Data Vault?

The implementation of Aadhaar Data vault needs to be decided by the respective organization with the assistance of their internal
technical teams. The implementation should meet the objective of the circular.

6. Which encryption algorithm is required for encryption of Aadhaar numbers and related data in the Aadhaar
Data Vault as per the requirement of the circular?

UIDAI has not specified any encryption algorithm or key strength for the encryption of the Aadhaar data vault; however, other
standards / specifications of UIDAI may be referred to for algorithm and key length, such as the Auth API specifications or eKYC API
specifications, which state RSA 2048 for public key encryption and AES 256 for symmetric encryption (this is as per the current
version and the standards may change with time). Industry standards / best practices should be followed in the absence of such
specifications.

7. Is it required to have a separate VLAN for the Aadhaar Data Vault?

The Aadhaar Data Vault containing Aadhaar numbers/data and the referencing system must be kept in a highly restricted network
zone that is isolated from any untrusted zone and from other internal network zones. Agencies may create only a virtual separation
for the Aadhaar Data Vault; however, such agencies need to ensure that they comply with the requirements of the notice, such as
access control, logical segregation into zones, etc.


8. What are reference keys?

In order to reduce the footprint of Aadhaar numbers in the ecosystem, each Aadhaar number is to be referred to by an additional
key called a Reference Key. These keys replace Aadhaar numbers in the organization's ecosystem, and the mapping between
reference key and Aadhaar number is to be maintained in the Aadhaar Data Vault.

9. Can existing unique values for a user, such as bank account numbers or PAN numbers, be used as reference
keys?

The organization may use any reference key as long as it can be uniquely mapped to the respective Aadhaar number and meets
the requirements of the circular, such as that Aadhaar numbers must not be predictable when the corresponding reference key or
set of keys is available. The organization should also consider other implications of using bank account or PAN numbers as
reference keys, which may be specific to its environment.

10. Can existing HSMs be used for storing the encryption keys?

Agencies may use their existing HSMs. HSMs used to store the keys for encryption of the Aadhaar Data Vault cannot be shared with
any other agency/legal entity. The security of the partitions storing the Aadhaar Data Vault keys needs to be ensured by the agency.


11. If the Aadhaar number needs to be sent to the UIDAI server or NPCI, how would it be communicated using
reference keys?

Reference keys are local to the agency/organization and are not required to be shared with the UIDAI server or NPCI. Wherever the
Aadhaar number needs to be sent outside the agency for a genuine business purpose, it may be sent to complete the transaction.
However, when the details of the transaction are saved within the environment, the corresponding reference key should be stored
instead of the Aadhaar number. After completion of the transaction, the reference key for the corresponding Aadhaar number is
to be obtained from the Aadhaar Data Vault through its APIs.

12. How are scanned/physical copies of Aadhaar cards to be stored in the Aadhaar Data Vault?

For agencies which store scanned images of Aadhaar cards or physical copies of Aadhaar cards as required by TRAI/RBI etc., the
storage of scanned images or physical cards does not come within the scope of this notice or requirement. Such agencies need to
keep the scanned copies encrypted and ensure the security of both scanned and physical copies, complying with the security and
privacy requirements for the storage of scanned images or hard copies under the Aadhaar Act 2016 and Regulations.

13. Is it allowed to store the Aadhaar number as a masked value in any system apart from the Aadhaar Data Vault, e.g.
1234 **** 5678?

Aadhaar numbers, whether in encrypted form or masked form, should not be stored in any storage other than the Aadhaar Data Vault.


14. Can the Aadhaar number be used as a security question for resetting passwords?

Some agencies store the Aadhaar number to be able to answer the security question for a password reset request. These agencies
cannot store the Aadhaar number anywhere other than the Aadhaar Data Vault, and they come within the scope of the requirement.
However, if these agencies want to store only the last 4 digits of the Aadhaar number for internal authentication purposes such as
a security question, they may store the same. In no situation may the Aadhaar number, other than its last 4 digits, be stored outside
the Aadhaar Data Vault.

15. Can multiple reference keys be generated and used for a single Aadhaar number?

Multiple reference keys may be generated for a single Aadhaar number if there is a business case which requires one Aadhaar
number to be referred to by different reference keys in the internal ecosystem of the agency. In such a case, the agency shall ensure
compliance with the other requirements of the circular.

16. Is it required to replace all the Aadhaar numbers being used in the existing infrastructure, across multiple
databases, with reference keys?

The agency needs to create an Aadhaar Data Vault and replace the Aadhaar numbers in all existing databases with the respective
reference keys, even where the Aadhaar number is stored in encrypted form in several databases within the agency.


17. The Aadhaar (Authentication) Regulations, 2016 require the Aadhaar number to be stored in the transaction logs. Is it
required to replace all these Aadhaar numbers with reference keys?

For the requirement of mandatory storage of the Aadhaar number in the logs of authentication/e-KYC transactions, agencies
need to replace the Aadhaar numbers in the log databases with the corresponding reference keys. For future transactions, only
reference keys shall be stored in the logs; if, for any regulatory or genuine business purpose, the transaction logs need to be
provided outside the agency/organization, they shall be provided along with the Aadhaar number.

18. Some agencies have already taken backups of databases containing Aadhaar numbers. Is it required to replace
all the Aadhaar numbers with reference keys in the backups of logs/databases already taken in the past?

These agencies may continue to store such backups containing existing Aadhaar numbers as long as the data is kept encrypted.

19. Can a hash of the Aadhaar number be used as the reference key?

The agency/organization may choose any method for generation of the reference key. The chosen reference key generation method
must ensure that recovery of the original Aadhaar number is not computationally feasible knowing only the reference key or a
number of reference keys. It is suggested that a UUID (Universally Unique Identifier, represented as a hex string) scheme be used
to create such reference keys, so that the Aadhaar number can be neither guessed nor reverse-engineered from the reference key.


20. Which industry standard is to be followed for key generation/encryption?

The organization may choose an appropriate industry standard as per its requirements, as long as it meets the requirements of the
circular.

21. Can a particular agency provide reference key provisioning as a central service to its Sub-AUAs?

Since an AUA is already responsible for the compliance of its Sub-AUAs and already has all the Aadhaar numbers of its Sub-AUAs as
part of the transaction logs, an AUA may provide reference key provisioning as a central service to its Sub-AUAs. Access to the mapping
databases/Aadhaar Data Vault needs to be on a need-to-know basis. Other risks of providing the reference key service as a central
service need to be considered by the Sub-AUA/AUA.

22. Can the HSM service be hosted in the cloud and provide service to Sub-AUAs?

Since an AUA is already responsible for the compliance of its Sub-AUAs and already has all the Aadhaar numbers of its Sub-AUAs as
part of the transaction logs, the HSM may be provided by the AUA as a central service to its Sub-AUAs. In no other circumstance shall
an HSM be shared with other agencies/organizations, as this implies sharing Aadhaar numbers and other related data with that
organization.


23. Can the same VM be used for the business application and the Aadhaar Data Vault application?

The Aadhaar Data Vault containing Aadhaar numbers/data and the referencing system must be kept in a highly restricted network
zone that is isolated from any untrusted zone and from other internal network zones. Compliance with the circular and the Aadhaar
Act needs to be ensured.

24. Is it allowed to store the Aadhaar number in systems other than the vault if the system provides HSM-level
encryption for storage/usage of the Aadhaar number?

All entities/agencies are directed to mandatorily store Aadhaar numbers and any connected Aadhaar data (e.g. e-KYC XML
containing the Aadhaar number and data) only in a separate secure database/vault/system. Aadhaar numbers shall not be stored in
any other system. If an agency wants to designate an existing database as the Aadhaar Data Vault and can meet the other requirements
of the circular, it may do so; in that case the agency must ensure that Aadhaar numbers are stored only in this database
and are removed from all other databases.

25. Can any method be used to generate the reference key, or only the UUID scheme recommended in the circular?

Any method may be used to generate the reference key as long as it meets the requirements of the circular.


26. What nomenclature/convention is to be followed for Unique_Ref_Number_Generation for Aadhaar?

The nomenclature/convention is left to the organization to choose, as long as it ensures that recovery of the original Aadhaar number
is not computationally feasible knowing only the reference key or a number of reference keys.

27. By when must agencies be compliant with the requirement to implement the Aadhaar Data Vault?

Organizations must start the implementation of the Aadhaar Data Vault immediately. The same shall be checked during the
next independent audit, to be conducted by the agency itself or by UIDAI.

28. Which version is to be opted for in the technical specification of the HSM, e.g. FIPS 140-2 Level 2 or FIPS 140-2
Level 3?

UIDAI has not recommended any specifications for the HSM. The organization may follow industry best practice such as NIST etc.


29. As the Aadhaar number is used for carrying out DBT transactions, AEPS transactions etc., will the Aadhaar
number continue to be used while processing the transactions?

The Aadhaar number may be used wherever necessary to process the transactions; however, when the transaction-related data or
Aadhaar-related data is stored, Aadhaar numbers should not be stored in any storage other than the Aadhaar Data Vault.

30. At the time of transaction processing, the application will refer to the Aadhaar Data Vault only to derive the account
to which the amount is to be credited or debited, and the transaction will be carried out accordingly.

The Aadhaar Data Vault should ideally maintain only the mapping of Aadhaar numbers to the corresponding reference keys.
Hence any access to the Data Vault (other than for maintenance/administration purposes) should be only to look up this mapping.

31. Will an audit be required after the implementation of the Aadhaar Data Vault?

UIDAI does not mandate an audit after the implementation of the Aadhaar Data Vault; however, the same should be checked in the
next periodic external audit as per UIDAI requirements. The agency should nonetheless maintain documentation to demonstrate that
the implementation meets the requirements of the UIDAI circular. This could be in the form of an internal audit by an independent
team, or a confirmation on the points of the circular by the (independent) internal technology or security team.


REGD. NO. D. L.-33004/99

EXTRAORDINARY
PART III—Section 4
PUBLISHED BY AUTHORITY
No. 245] NEW DELHI, FRIDAY, JUNE 29, 2018/ASHADHA 8, 1940

Unique Identification Authority of India

Notification

New Delhi, 28 June 2018

Circular No. 08 of 2018
Subject: Use of Virtual ID and UID Token in lieu of Aadhaar number and Limited e-KYC by Authentication User Agencies
classified as Local Authentication User Agencies, i.e. Telecom Service Providers, Finance Companies regulated by the
National Housing Bank, Non-bank PPI Issuers, CCA regulated eSign Providers, non-Life Insurance Companies, NBFCs etc.

Authentication Division F. No. K-11020/217/2018-UIDAI (Auth-I).—UIDAI, vide its Circular No. 1 dated 10.01.2018
(Implementation of Virtual ID, UID Token and Limited e-KYC) and Circular No. 5 dated 16.05.2018 (Classification of Global
Authentication User Agencies and Local Authentication User Agencies), had directed Authentication User Agencies (AUAs) and
Authentication Service Agencies (ASAs) to make the necessary changes in their authentication systems for effective
implementation of Virtual ID, UID Token and Limited e-KYC.
2. Keeping in view data security and the privacy of Aadhaar holders, UIDAI, vide Circular No. 5 dated 16.05.2018, had decided
to classify certain Authentication User Agencies, i.e. Telecom Service Providers, Finance Companies regulated by the National
Housing Bank, Non-bank PPI Issuers, CCA regulated eSign Providers, non-Life Insurance Companies, NBFCs etc., as Local
Authentication User Agencies. These agencies will be provided access to Limited e-KYC authentication using Virtual ID and UID
Token in lieu of the Aadhaar number.
3. It is noted that the aforesaid Authentication User Agencies are required to collect the Aadhaar number of their customers
and to carry out Aadhaar authentication as mandated by their regulators under the respective laws, i.e. Rule 9(4) and Rule 9(15)
of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005, and the instructions issued by the Department of
Telecommunications (DoT) from time to time.

3675 GI/2018 (1)

2 THE GAZETTE OF INDIA : EXTRAORDINARY [PART III—SEC. 4]

4. Since Virtual ID and UID Token are different forms of the Aadhaar number, the Authority, in exercise of the powers conferred
under Regulation 30 of the Aadhaar (Authentication) Regulations, 2016, hereby clarifies that Virtual ID and UID Token shall be
duly accepted by Local Authentication User Agencies/KYC User Agencies (AUAs/KUAs) in lieu of the Aadhaar number when so
authorised by the Authority, and shall be deemed to be the Aadhaar number for the purpose of compliance with the respective
Regulations.
5. In view of the above, Local Authentication User Agencies are accordingly directed to make the necessary changes in their
authentication systems for the use of Virtual ID and UID Token in lieu of the Aadhaar number and Limited e-KYC, in compliance
with the requirements of their respective regulators.
Rupinder Singh, Deputy Director General (Authentication)
[Advt.-III/4/Exty./120/18-19]
THE UNIQUE IDENTIFICATION AUTHORITY OF INDIA
NOTIFICATION
New Delhi, the 28th June, 2018
CIRCULAR No. 08 of 2018
Sub: Use of Virtual ID and UID Token in lieu of Aadhaar number and Limited e-KYC by AUAs classified as
Local AUAs viz. Telecom Service Providers, National Housing Bank regulated Finance Companies, Non-
bank PPI Issuers, CCA regulated eSign Providers, non-Life Insurance Companies, NBFCs etc.
Authentication Division F. No. K-11020/217/2018-UIDAI (Auth-I).—UIDAI vide its Circular No. 1 dated
10.01.2018 (Implementation of Virtual ID, UID Token and Limited KYC) and Circular No. 5 dated 16.05.2018
(Classification of Global AUAs and Local AUAs), had directed AUAs and ASAs to make necessary changes in their
authentication systems for effective implementation of Virtual ID, UID Token and Limited e-KYC.
2. In the interest of data security and privacy of Aadhaar holders, UIDAI vide circular No. 5 dated 16.05.2018, had
decided to classify certain AUAs as Local AUAs viz. Telecom Service Providers, National Housing Bank regulated
Finance Companies, Non-bank PPI Issuers, CCA regulated eSign Providers, non-Life Insurance Companies, NBFCs etc.,
which will be provided access to limited e-KYC authentication using Virtual ID and UID Token in lieu of Aadhaar
number.
3. It is noted that the aforesaid AUAs are required to collect the Aadhaar number of their clients and undertake
Aadhaar authentication as mandated by their Regulators under respective laws viz. Rule 9(4) and Rule 9(15) of the
Prevention of Money Laundering (Maintenance of Records) Rules, 2005, instructions issued by Department of
Telecommunication (DoT) from time to time etc.
4. Since Virtual ID and UID Token are different forms of Aadhaar number, the Authority, in exercise of its powers
under Regulation 30 of the Aadhaar (Authentication) Regulations, 2016, hereby clarifies that Virtual ID and UID token
may therefore be duly accepted by Local AUAs/KUAs in lieu of Aadhaar number when so mandated by the Authority
and will be deemed as the Aadhaar number for the purposes of compliance of their respective Regulations.
5. In view of the above, the Local AUAs are accordingly directed to make necessary changes in their
authentication systems for use of virtual ID, UID Token in lieu of Aadhaar number and limited e-KYC to comply with
requirements of their respective Regulators.
RUPINDER SINGH, Dy. Director General (Auth.)
[ADVT.-III/4/Exty./120/18-19]

Uploaded by Dte. of Printing at Government of India Press, Ring Road, Mayapuri, New Delhi-110064
and Published by the Controller of Publications, Delhi-110054.
Digitally signed by ALOK KUMAR, Date: 2018.06.29 23:08:30 +05'30'

F. No. K-11022/630/2017-UIDAI (Auth.II)
Government of India
Unique Identification Authority of India
(Authentication Division)

3rd floor, UIDAI Headquarters
Bangla Sahib Road, Gole Market
New Delhi - 110 001

Date: 02.04.2019

CIRCULAR NO. 02 OF 2019

Reference is invited to UIDAI's Circular of even number dated 31st May 2017 whereby
all the AUAs/KUAs/ASAs, who were either in pre-production or production or both
environments, were directed to deposit License Fee at prescribed rates valid for a period of 2
years with effect from 1st June, 2017.
2. Now the validity period of 2 years stated above is going to expire on 31.05.2019. Hence,
all such AUAs/KUAs/ASAs who are willing to continue their Aadhaar usage are directed to
deposit the license fee at the rates prescribed below by 31.05.2019 along with GST @ 18%
thereupon:

Sl. No.   Type of entity   Status            License fee   Validity
1         ASA              Pre-Production    Rs. 10 lakh   3 months
                           Live/Production   Rs. 1 crore   2 years
2         AUA/KUA          Pre-Production    Rs. 5 lakh    3 months
                           Live/Production   Rs. 20 lakh   2 years

3. Any delay in deposit of license fees beyond 31.05.2019 will attract late payment charges
@ 1% of license fees per month or part thereof along with GST @ 18% thereupon. Further, non-
payment of license fee by 31.05.2019 may lead to immediate suspension of authentication
license key.

4. The above mentioned license fee is non-refundable under any circumstances, including
but not limited to the event of the entity (AUA/KUA/ASA) closing its business before the period
for which fee has been paid or in case the Authority cancels the license/Agreement.

5. Those AUAs/KUAs/ASAs who do not agree to the above terms and conditions may
initiate process of surrendering their license in accordance with Regulation 23 of Aadhaar
(Authentication) Regulations, 2016 and relevant clauses of Agreement with UIDAI within 15
days of issue of this circular. Accordingly their authentication license will be revoked from
01.06.2019.

6. This issues with the approval of the Competent Authority.

To
All ASAs/ AUAs/ KUAs
