Section 27 in The Aadhaar (Targeted Delivery of Financial and Other Subsidies Benefits and Services) Act 2016

Title: Returns and annual report etc

Description: (1) The Authority shall furnish to the Central Government at such time and in such form and manner as may be prescribed or as the Central Government may direct, such returns and statements and particulars in regard to any matter under the jurisdiction of the Authority, as the Central Government may from time to time require. (2) The Authority shall prepare, once in every year, and in such form and manner and at such time as may be prescribed, an annual report giving— (a) a description of all the activities of the Authority for the previous years; (b) the annual accounts for the previous year; and (c) the programmes of work for coming year. (3) A copy of the report received under sub-section (2) shall be laid by the Central Government, as soon as may be after it is received, before each House of Parliament.

Title: Security and confidentiality of information

Description: (1) The Authority shall ensure the security of identity information and authentication records of individuals. (2) Subject to the provisions of this Act, the Authority shall ensure confidentiality of identity information and authentication records of individuals. (3) The Authority shall take all necessary measures to ensure that the information in the possession or control of the Authority, including information stored in the Central Identities Data Repository, is secured and protected against access, use or disclosure not permitted under this Act or regulations made thereunder, and against accidental or intentional destruction, loss or damage. (4) Without prejudice to sub-sections (1) and (2), the Authority shall— (a) adopt and implement appropriate technical and organisational security measures; (b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for performing any function of the Authority under this Act, have in place appropriate technical and organisational security measures for the information; and (c) ensure that the agreements or arrangements entered into with such agencies, consultants, advisors or other persons, impose obligations equivalent to those imposed on the Authority under this Act, and require such agencies, consultants, advisors and other persons to act only on instructions from the Authority. (5) Notwithstanding anything contained in any other law for the time being in force, and save as otherwise provided in this Act, the Authority or any of its officers or other employees or any agency that maintains the Central Identities Data Repository shall not, whether during his service or thereafter, reveal any information stored in the Central Identities Data Repository or authentication record to anyone: Provided that an Aadhaar number holder may request the Authority to provide access to his identity information excluding his core biometric information in such manner as may be specified by regulations.

Title: Restriction on sharing information

Description: (1) No core biometric information, collected or created under this Act, shall be-- (a) shared with anyone for any reason whatsoever; or (b) used for any purpose other than generation of Aadhaar numbers and authentication under this Act. (2) The identity information, other than core biometric information, collected or created under this Act may be shared only in accordance with the provisions of this Act and in such manner as may be specified by regulations. 1[(3) No identity information available with a requesting entity or offline verification-seeking entity shall be-- (a) used for any purpose, other than the purposes informed in writing to the individual at the time of submitting any information for authentication or offline verification; or (b) disclosed for any purpose, other than purposes informed in writing to the individual at the time of submitting any information for authentication or offline verification: Provided that the purposes under clauses (a) and (b) shall be in clear and precise language understandable to the individual.] (4) No Aadhaar number 2[, demographic information or photograph] collected or created under this Act in respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for the purposes as may be specified by regulations. 1. Subs. by Act 14 of 2019, s. 13, for sub-section (3) (w.e.f. 25-7-2019). 2. Subs. by Act 14 of 2019, s. 13, for "or core biometric information" (w.e.f. 25-7-2019).

Title: Biometric information deemed to be sensitive personal information

Description: The biometric information collected and stored in electronic form, in accordance with this Act and regulations made thereunder, shall be deemed to be "electronic record" and "sensitive personal data or information", and the provisions contained in the Information Technology Act, 2000 (21 of 2000) and the rules made thereunder shall apply to such information, in addition to, and to the extent not in derogation of the provisions of this Act. Explanation. — For the purposes of this section, the expressions— (a) "electronic form" shall have the same meaning as assigned to it in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000 (21 of 2000); (b) "electronic record" shall have the same meaning as assigned to it in clause (t) of sub-section (1) of section 2 of the Information Technology Act, 2000 (21 of 2000); (c) "sensitive personal data or information" shall have the same meaning as assigned to it in clause (iii) of the Explanation to section 43A of the Information Technology Act, 2000 (21 of 2000).

Title: Alteration of demographic information or biometric information

Description: (1) In case any demographic information of an Aadhaar number holder is found incorrect or changes subsequently, the Aadhaar number holder shall request the Authority to alter such demographic information in his record in the Central Identities Data Repository in such manner as may be specified by regulations. (2) In case any biometric information of Aadhaar number holder is lost or changes subsequently for any reason, the Aadhaar number holder shall request the Authority to make necessary alteration in his record in the Central Identities Data Repository in such manner as may be specified by regulations. (3) On receipt of any request under sub-section (1) or sub-section (2), the Authority may, if it is satisfied, make such alteration as may be required in the record relating to such Aadhaar number holder and intimate such alteration to the concerned Aadhaar number holder. (4) No identity information in the Central Identities Data Repository shall be altered except in the manner provided in this Act or regulations made in this behalf.