Govt to Keep Aadhaar Records for 7 Yrs, Prompts Fears of Surveillance
Govt to Keep Aadhaar Records for 7 Yrs, Prompts Fears of Surveillance is a Hindustan Times report published on 17 October 2016. The article examines newly notified UIDAI rules mandating seven-year retention of all Aadhaar authentication records, raising concerns amongst privacy advocates about the potential for comprehensive surveillance, particularly given provisions allowing joint secretary-level officers to access information on national security grounds.
Article Details
- 📰 Published in: Hindustan Times
- 📅 Date: 17 October 2016
- 👤 Authors: Aloke Tikku
- 📄 Type: News Report
Full Text
The government will keep a record of all the services and benefits availed using the Aadhaar number for seven years, say new rules, prompting fears that the database could be used for surveillance.
The Unique Identification Authority of India (UIDAI), which issues the 12-digit biometric identity to all Indian residents, will be required to preserve its record of verification of an Aadhaar number for the duration.
"This is an unprecedented centralised data retention provision," said Sunil Abraham, director of the Bengaluru-based think tank, Centre for Internet and Society.
UIDAI chief executive officer ABP Pandey said the concerns were exaggerated. The agency was keeping records in case a dispute arose over a transaction.
The information will be retained online for two years and another five years in the offline archives, say the rules notified in September.
Users will be able to check the records but only for two years.
This restriction won't apply to security agencies. Pandey, however, said the records would not be available to them without a district judge's permission.
But, Hindustan Times found that the rules allow designated joint secretary-level officers at the Centre to order access to information on the grounds of national security.
"Once Aadhaar becomes mandatory for all services, it can be used by benign and malignant actors to conduct a 360-degree surveillance on any individual," Abraham said.
This is how the system, which will need millions of fingerprint-reading machines, works.
Every time a person fingerprints and quotes the Aadhaar number, the agency concerned sends the data to UIDAI to crosscheck the particulars.
The UIDAI authenticates about five million Aadhaar numbers, which are quoted to avail LPG subsidy, cheap ration and even passport, a day against a capacity to verify 100 million requests daily.
"You can think of it as Natgrid Plus," Abraham said, a reference to the National Intelligence Grid being built by the government.
A one-stop database for counter-terrorism agencies, Natgrid will collate information real time from databases of various agencies such as bank, rail and airline networks.
"…we do not record the purpose for which an authentication request was received but only the details of the agency that sent it," UIDAI's Pandey said.
But seven years is a long time. Only a select category of government files are kept for longer than five years.
Asked about the two-year deadline for users, Pandey said it would have been a logistic nightmare to let people access the records once the information was offline.
The Supreme Court has ruled that Aadhaar is not a must for availing welfare schemes and is to decide if collecting biometric data for the 12-digit number infringed an individual's privacy.
Context and Background
This report emerged at a critical juncture in the Aadhaar programme’s evolution. The rules notified in September 2016 came months after Parliament passed the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act in March 2016 as a Money Bill, enabling the government to mandate Aadhaar for various services despite ongoing constitutional challenges before the Supreme Court.
The seven-year data retention requirement represented a significant expansion of UIDAI’s record-keeping obligations. Each authentication event—whenever an individual used their Aadhaar number to access subsidies, open bank accounts, obtain SIM cards, or verify identity for government services—would generate a log retained by the authority. With UIDAI processing approximately five million authentications daily by 2016, this created an unprecedented repository of transaction metadata spanning citizens’ interactions with both state and private entities.
The surveillance concerns stemmed from multiple factors. Whilst UIDAI officials claimed records would only identify which agency requested authentication rather than the purpose, the sheer volume and duration of retained data meant that patterns of service usage could potentially be reconstructed. The provision allowing joint secretary-level officers to access information on national security grounds bypassed the judicial oversight that UIDAI officials had cited as a safeguard, creating an executive pathway for data access.
The comparison to Natgrid was particularly pointed. The National Intelligence Grid, proposed after the 2008 Mumbai attacks, aimed to aggregate data from immigration, banking, telecommunications and transport networks for counter-terrorism purposes. Critics argued that Aadhaar authentication logs, if centrally retained and linked to the growing list of services requiring the identifier, would function as a more comprehensive tracking system—documenting not just specific high-risk transactions but routine daily activities across the entire population.
The asymmetry in data access raised further concerns. Citizens could review their authentication history for only two years whilst the government retained records for seven, with five of those years archived offline and effectively inaccessible to the data subject. This created an imbalance where individuals had limited ability to audit how their data was being accessed whilst state agencies retained extended oversight capabilities.
This page was created on 29 December 2025.