Sunday, May 13, 2018

Aadhaar Data Vault - who needs it?

UIDAI had made it mandatory for AUAs/KUAs/Sub-AUAs to implement a Aadhaar Data Vault. However, the Aadhaar eKYC landscape has undergone significant changes in the past few weeks.

1) UIDAI stopped sub-AUAs from availing the eKYC services. This is a step in the right direction, because "becoming a sub-AUA" was essentially a way to avail of eKYC data without having to satisfy the audit and other registration / financial requirements imposed by UIDAI on KUAs. Clearly, there was very little control that KUAs could exercise on their sub-AUAs. Now the choice is to either become a KUA (and be audited) or not avail of eKYC.

2) UIDAI has issued an FAQ on Aadhaar Data Vault, which essentially states that any entity (not just AUA/KUA/sub-AUA) that stores Aadhaar numbers needs to implement an Aadhaar Data Vault. (For example, this would cover Schools and Colleges that ask students for their Aadhaar numbers.)

3) In its circular dated May 1 2018, UIDAI states that only Global AUA / KUAs will be allowed to store Aadhaar numbers. Local AUA/KUAs, would not be permitted to store Aadhaar numbers, but could only store UID tokens. If there are no Aadhaar numbers to store, why would they need Aadhaar Data Vaults?

4) At present time therefore it appears that Global KUAs would need to implement Aadhaar Data Vaults. Because these would be audited, ensuring compliance.

As things stand, Local AUAs will not be able to store Aadhaar numbers, but other entities such as Educational Institutes, Employers, etc can. It is not clear how UIDAI would ensure compliance with the Aadhaar Data Vault requirement by schools, colleges, employers and various other agencies that take people's Aadhaar numbers & who don't undergo any sort of an audit at all.