THE AADHAAR (DATA SECURITY) REGULATIONS, 2016 1
ddfd68a2ad0a2d1fae41fea7d8567a0086120c62 · 2016 · State unknown
Parent: THE AADHAAR (TARGETED DELIVERY OF FINANCIAL AND OTHER SUBSIDIES, BENEFITS AND SERVICES) ACT, 2016 (e5452e76268985edd128a049b6e27a9ff6b4f2fb)
1 · Short title and commencement. — (1) These regulations may be called the Aadhaar (Data Security) Regulations, 2016.
2 · Definitions. — (1) In these regulations, unless the context otherwise requires,—
1 · Published in the Gazette of India, Part III, Section 4, dated 14.9.2016, vide notification No. 13012/64/2016/Legal/UIDAI (No. 4 of 2016), dated 12.9.2016.
3 · Measures for ensuring information security.—(1) The Authority may specify an information security policy setting out inter alia the technical and organisational measures to be adopted by the Authority and its personnel, and also security measures to be adopted by agencies, advisors, consultants and other service providers engaged by the Authority, registrar, enrolling agency, requesting entities, and Authentication Service Agencies.
4 · Security obligations of the personnel.—(1) The personnel shall comply with the information security policy, and other policies, guidelines, procedures, etc. issued by the Authority from time to time.
5 · Security obligations of service providers, etc.—The agencies, consultants, advisors and other service providers engaged by the Authority for discharging any function relating to its processes shall:
6 · Audits and inspection of service providers, etc.—(1) All agencies, consultants, advisors and other service providers engaged by the Authority, and ecosystem partners such as registrars, requesting entities, Authentication User Agencies and Authentication Service Agencies shall get their operations audited by an information systems auditor certified by a recognised body under the Information Technology Act, 2000 and furnish certified audit reports to the Authority, upon request or at time periods specified by the Authority.
7 · Confidentiality.—All procedures, orders, processes, standards and protocols related to security, which are designated as confidential by the Authority, shall be treated as confidential by all its personnel and shall be disclosed to the concerned parties only to the extent required for giving effect to the security measures. The nature of information that cannot be shared outside the Authority unless mandated under the Act includes, but not limited to, Information in CIDR, Technology details, Network Architecture, Information security policy and processes, software codes, internal reports, audit and assessment reports, applications details, asset details, contractual agreements, present and future planned infrastructure details, protection services, and capabilities of the system.
8 · Savings.—All procedures, orders, processes, standards and policies issued and MOUs, agreements or contracts entered by the Unique Identification Authority of India, established vide notification of the Government of India in the Planning Commission number A43011/02/2009-Admin. I, dated the 28th January, 2009 or any officer of such authority, prior to the establishment of the Authority under the Act shall continue to be in force to the extent that they are not inconsistent with the provisions of the Act and regulations framed thereunder.
9 · Power to issue policies, process documents, etc.—The Authority may issue policies, processes, standards and other documents, not inconsistent with these regulations, which are required to be specified under these regulations or for which provision is necessary for the purpose of giving effect to these regulations.
10 · Power to issue clarifications, guidelines and removal of difficulties.—In order to clarify any matter pertaining to application or interpretation of these regulations, or to remove any difficulties in implementation of these regulations, the Authority shall have the power to issue clarifications and guidelines in the form of circulars which shall have effect of these regulations.