The Unique Identification Authority of India (UIDAI), under the Aadhaar Act and Regulations, 2016, has made it compulsory that all Aadhaar numbers collected by AUAs, KUAs, Sub-AUAs or any other agency be stored centrally in a separate repository known as the ‘Aadhaar Data Vault’. Under the Aadhaar Act, 2016, an Aadhaar number uniquely identifies a resident of India (it is not a citizenship document).
Aadhaar is a 12-digit Unique Identification Number. It can be used to avail various government subsidies and serves as a vital document of proof of identity and proof of address for opening a fixed deposit account, applying for a passport, investing in mutual funds, etc. Linking PAN with Aadhaar has been made compulsory for filing an Income Tax Return.
However, as per UIDAI rules, the actual Aadhaar number must not be stored in any business database, for example the Core Banking System (CBS), e-KYC system, APIs, etc., other than the Aadhaar Data Vault.
What is the Objective of Aadhaar Data Vault?
The Aadhaar Data Vault was developed by UIDAI to reduce the footprint of Aadhaar numbers within an organization's own systems, which in turn lowers the risk of unauthorized access to Aadhaar numbers.
Who Needs an Aadhaar Data Vault?
All agencies holding Aadhaar numbers, whether or not they are AUAs/KUAs/Sub-AUAs, are required to create an Aadhaar Data Vault. This includes organizations that hold Aadhaar numbers for internal identification purposes, such as an attendance management system or linking with PF accounts. Agencies that store Aadhaar numbers in a structured, electronic form such as a database are required to have an Aadhaar Data Vault.
What are the Guidelines for the Implementation of Aadhaar Data Vault?
The guidelines for the implementation of an Aadhaar Data Vault are set by the organization itself with the help of its internal technical teams, as UIDAI has not issued particular guidelines for every organization.
What are the benefits of Aadhaar Data Vault?
The benefits of an Aadhaar Data Vault are as follows:
- An Aadhaar Data Vault helps organisations comply easily with UIDAI's evolving guidelines, without fear of future changes in those guidelines
- Automatic key management, access control and policy management are handled through the solution itself
- API-based solutions allow easy and seamless integration with an organisation's other lines of business
What are Reference Keys?
Every Aadhaar number must be referred to by an additional key, known as the Reference Key, and the mapping between the reference key and the Aadhaar number must be maintained in the Aadhaar Data Vault. Within the agency's internal ecosystem, multiple reference keys can also be generated where a business need requires one Aadhaar number to be referred to by different reference keys. Moreover, the reference keys used for the purpose of encryption are to be stored in HSM devices only.
A question usually asked is which version to opt for in the technical specification of the HSM (for example, FIPS 140-2 Level 2 or FIPS 140-2 Level 3). UIDAI does not recommend any specifications for the HSM, and organizations can follow industry best practice such as NIST, etc.
It is also required to replace all Aadhaar numbers with reference keys in the log databases, as in future only these reference keys will be stored in the logs. However, if for a business purpose these transactions are to be provided outside the agency or organisation, they have to be provided along with the Aadhaar number.
Wherever an Aadhaar number needs to be sent outside the agency for a genuine business purpose, it may be sent to complete the transaction. However, when the details of the transaction are to be saved within the environment, the corresponding reference keys should be stored instead of Aadhaar numbers. After completion of the transaction, the reference key for the corresponding Aadhaar number needs to be obtained from the Aadhaar Data Vault through its APIs.
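As an added illustration (not code from the article or from UIDAI), the following Python sketches the reference-key mechanism described above: an in-memory vault that issues random reference keys, holds the only copy of the key-to-Aadhaar mapping, and scrubs Aadhaar numbers out of log lines before they are stored. The HMAC index key is an assumption standing in for a secret a real deployment would hold in an HSM; the Verhoeff check relies on the fact that Aadhaar numbers carry a Verhoeff check digit, so arbitrary 12-digit values in a log are not tokenized.

```python
import hmac, hashlib, re, secrets
# Verhoeff tables: every Aadhaar number ends in a Verhoeff check digit.
_D = [[0,1,2,3,4,5,6,7,8,9],[1,2,3,4,0,6,7,8,9,5],[2,3,4,0,1,7,8,9,5,6],
      [3,4,0,1,2,8,9,5,6,7],[4,0,1,2,3,9,5,6,7,8],[5,9,8,7,6,0,4,3,2,1],
      [6,5,9,8,7,1,0,4,3,2],[7,6,5,9,8,2,1,0,4,3],[8,7,6,5,9,3,2,1,0,4],
      [9,8,7,6,5,4,3,2,1,0]]
_P = [[0,1,2,3,4,5,6,7,8,9],[1,5,7,6,2,8,3,0,9,4],[5,8,0,3,7,9,6,1,4,2],
      [8,9,1,6,0,4,3,5,2,7],[9,4,5,3,1,2,6,8,7,0],[4,2,8,6,5,7,3,9,0,1],
      [2,7,9,3,8,0,6,4,1,5],[7,0,4,6,9,1,3,2,5,8]]

def is_aadhaar(num: str) -> bool:
    """12 digits, first digit 2-9, Verhoeff checksum valid."""
    if not re.fullmatch(r"[2-9]\d{11}", num):
        return False
    c = 0
    for i, ch in enumerate(reversed(num)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0

class AadhaarDataVault:
    """Toy vault: the only store that holds the Aadhaar number itself.
    index_key stands in for an HSM-held secret (assumption of this example)."""
    def __init__(self, index_key: bytes):
        self._key = index_key
        self._by_ref = {}    # reference key -> Aadhaar number
        self._by_index = {}  # HMAC(Aadhaar) -> reference key, for lookups only

    def reference_key(self, aadhaar: str) -> str:
        """Return the reference key for this Aadhaar, issuing a random one
        on first sight; random keys reveal nothing about the number."""
        if not is_aadhaar(aadhaar):
            raise ValueError("not a valid Aadhaar number")
        idx = hmac.new(self._key, aadhaar.encode(), hashlib.sha256).hexdigest()
        if idx not in self._by_index:
            ref = "REF-" + secrets.token_hex(8)
            self._by_index[idx] = ref
            self._by_ref[ref] = aadhaar
        return self._by_index[idx]

    def resolve(self, ref: str) -> str:
        """Vault-side lookup, used only when a transaction must leave the agency."""
        return self._by_ref[ref]

def scrub_log(line: str, vault: AadhaarDataVault) -> str:
    """Replace each Aadhaar in a log line with its reference key (full replacement, not masking)."""
    def swap(m):
        n = m.group()
        return vault.reference_key(n) if is_aadhaar(n) else n
    return re.sub(r"(?<!\d)\d{12}(?!\d)", swap, line)
```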
What is the Process of Audit Required After the Implementation of Aadhaar Data Vault?
According to UIDAI, an audit is not mandatory for the implementation of an Aadhaar Data Vault. However, it is advisable to have it checked in the next periodic external audit (if required by UIDAI). Agencies are required to have documentation that can be demonstrated as per UIDAI's needs. This external audit could either take the form of an internal audit by an independent team, or be based on confirmation of the points mentioned in the circular by the independent security team or the internal technology team.
Things to Keep in Mind about the Aadhaar Data Vault
- Access to the Aadhaar Data Vault must be through internal systems only
- Reference keys are to be stored in HSM devices only
- For security reasons, the Aadhaar Data Vault must be kept in a highly restricted network zone, isolated from any untrusted network zone
- According to UIDAI, an Aadhaar Data Vault must implement strong encryption devices and strong access control, and must raise the necessary alerts for unusual attempts to access the vault
- Demographic data or photographs can be stored in other systems (for example, a customer base system) as long as the Aadhaar number is not stored in those databases
- The Aadhaar Data Vault does not refer to any particular technology; it is only the concept of storing Aadhaar numbers in one particular store within the organization's environment
- Reference keys are local to the agency/organization and must not be shared with either the UIDAI server or NPCI
- Storing the Aadhaar number as a masked value in any system other than the Aadhaar Data Vault is not allowed
- There should be a strong mechanism for the secure updating and deletion of Aadhaar numbers in the Aadhaar Data Vault