When sensitive data is 'shared' between two entities, it is theoretically no longer secure. This is because each of the two entities can now claim that any data-leakage happened from the other entity.(i.e., It provides each of them an avenue to repudiate any possible data leakage).
Any entity, large or small that wants eKYC data of residents should therefore obtain it from UIDAI directly, submit itself to the rules and regulations of UIDAI, and maintain all data securely. (This seems to be the view of several large companies as well - which encourage entities to directly work with UIDAI rather than go via them.)
Here is a blog link that makes for an interesting read & has some more relevant information on the topic: