New Delhi: The latest report on the administration of Aadhaar by the Comptroller and Auditor General (CAG) highlights deficiencies on the part of the Unique Identification Authority of India (UIDAI) in securing the data of the world’s largest biometric identification system.

UIDAI was “neither able to obtain the necessary assurance” that the information systems of entities involved in the authentication ecosystem – Requesting Entities (REs) and Authentication Service Agencies (ASAs) – were in compliance with its prescribed standards, “nor ensured” reports and auditing by the bodies authorized to carry them out.


UIDAI has thus failed to perform a basic function with which it is entrusted – Regulation 12 of the Aadhaar (Authentication) Regulation entrusts the identification authority with the responsibility of verifying the information provided by the RE and ASA.

While the proportion of audited REs out of the entire pool increased from 36% in 2016-17 to around 56% in 2018-19, the proportion of audited ASAs remained below 50%. As of March 21, most REs were private parties. So, if there has been no progress since the audit levels of 2018-19, that should raise a lot of red flags about UIDAI’s data security management. This does not mean that the issue of data security is limited to private companies; the identification authority should ensure that both private and public entities participate in the annual audit process.


Even if UIDAI has discretionary powers to issue exemptions, such use cases should be made public in advance and based on well-defined benchmarks, the CAG said in its report.

UIDAI was unable to give assurance on the security of REs and ASAs “accessing and storing” personal information of Aadhaar users through unregistered biometric devices (used before April 2018). Similarly, despite the fact that UIDAI implemented dedicated vault storage of all Aadhaar numbers and related data collected by listed companies in 2017, with consequences for non-compliance, it failed to satisfy the CAG that the entities involved were following due process. According to the CAG, the UIDAI “did not evolve any measures/systems to confirm that the entities involved adhere to the protocols and relied solely on the report submitted subsequently”.


These are serious cases of the identity authority failing to fulfill its obligation to ensure data security. The CAG audit also highlighted the lack of a system to check the compliance of an Aadhaar applicant with the residence requirements of the Aadhaar Act. The large number of cancellations of “duplicate” Aadhaar violates the core goal of the Aadhaar system of establishing uniqueness of identity, and the large number of voluntary modifications of biometric data is evidence of low registration quality.

There is no argument that Aadhaar has been a game changer for India, as seen in the JAM system, which has helped curb subsidy leakages and better target government benefits. The Aadhaar-enabled payment system has resulted in greater financial inclusion. The one-of-its-kind unique ID has also accelerated the passport process. However, there is a need to increase public confidence.

As pointed out by the CAG, UIDAI has fallen short on several points, all of which would erode such trust. Apart from improving the curriculum, UIDAI should also actively develop trust by increasing transparency in the monitoring of the ecosystem. The government can play a facilitating role if it so desires, as Section 50 of the Aadhaar Act allows it to offer UIDAI policy guidelines that the authority should follow. Given that UIDAI has sought exemption from the purview of the Personal Data Privacy Act, if it is adopted, it may be in the interest of maintaining public confidence in the Aadhaar system that UID holders are assured of a strong and secure ecosystem.