
UIDAI Aadhaar Data Protection: Compliance for AUAs, KUAs, and Sub-AUAs

CISO · DPO · KYC Operations · Compliance · March 2026

Aadhaar in the BFSI Context

Aadhaar-based authentication is fundamental to KYC, eKYC, and AML processes in Indian banking and financial services. Banks, payment processors, and financial intermediaries operate as Authentication User Agencies (AUAs) or KYC User Agencies (KUAs) under the UIDAI ecosystem, subject to strict data protection obligations under:

  • The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016
  • The Aadhaar (Authentication) Regulations 2016
  • UIDAI Circular on Aadhaar Data Vault (2018 and updates)
  • UIDAI Circular on Use of Virtual ID (2018)
  • Guidelines for use of Aadhaar Authentication Services (ongoing)

Core UIDAI Data Protection Obligations

1. No Aadhaar Number Storage

The Aadhaar number itself must NOT be stored in any AUA/KUA database. This is a hard prohibition — any storage of the 12-digit Aadhaar number is a violation.

What must be stored instead:

  • Virtual ID (VID) — a temporary, revocable 16-digit number generated from the Aadhaar number
  • Reference ID — a token returned by UIDAI after authentication
  • Demographic data as returned by UIDAI (name, address) may be stored for KYC purposes

2. Aadhaar Data Vault

All AUAs/KUAs must implement an Aadhaar Data Vault (ADV):

  • The vault encrypts all Aadhaar-related identifiers using hardware security modules (HSM)
  • The encryption key must be stored in HSM or an equivalent tamper-proof device
  • The vault must maintain an audit trail of all accesses
  • Access to the vault must be role-restricted with multi-factor authentication
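As an added illustration (not code from the article, nor from any UIDAI or vendor vault implementation), the following Python sketches the storage pattern that sections 1 and 2 describe together: application records hold only a reference key, the vault holds ciphertext under a key that never leaves the HSM, every vault access is role-checked, MFA-gated and written to the audit trail (denied attempts included), and anything shaped like a raw 12-digit Aadhaar number is refused before it can be stored. Aadhaar numbers end in a Verhoeff check digit, which is what the guard uses to recognise one. Everything specific to the example is an assumption: the HsmStandIn class (a software stand-in for the HSM, using HMAC-SHA256 in counter mode so the script runs on the standard library alone), the role names, and the sample values 2345678901234567 (a constructed 16-digit VID-shaped string) and 234567890124 (a constructed 12-digit string with a valid Verhoeff check digit) are all made up for the example.

```python
"""Added illustration (not from the article): a minimal Aadhaar Data Vault.
Application records keep only a reference key; the vault keeps ciphertext under
a key that never leaves the (stand-in) HSM; every access is role-checked,
MFA-gated and audit-logged; raw 12-digit Aadhaar numbers are rejected outright.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Verhoeff multiplication and permutation tables. The last digit of an Aadhaar
# number is a Verhoeff check digit, which lets a guard recognise a raw number.
_D = [[0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
      [2, 3, 4, 0, 1, 7, 8, 9, 5, 6], [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
      [4, 0, 1, 2, 3, 9, 5, 6, 7, 8], [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
      [6, 5, 9, 8, 7, 1, 0, 4, 3, 2], [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
      [8, 7, 6, 5, 9, 3, 2, 1, 0, 4], [9, 8, 7, 6, 5, 4, 3, 2, 1, 0]]
_P = [[0, 1, 2, 3, 4, 5, 6, 7, 8, 9], [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
      [5, 8, 0, 3, 7, 9, 6, 1, 4, 2], [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
      [9, 4, 5, 3, 1, 2, 6, 8, 7, 0], [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
      [2, 7, 9, 3, 8, 0, 6, 4, 1, 5], [7, 0, 4, 6, 9, 1, 3, 2, 5, 8]]


def verhoeff_valid(digits: str) -> bool:
    """Standard Verhoeff check over the whole string, check digit included."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


def looks_like_aadhaar_number(value: str) -> bool:
    """12 digits with a valid Verhoeff check digit: treat as a raw Aadhaar number."""
    return len(value) == 12 and value.isdigit() and verhoeff_valid(value)


class HsmStandIn:
    """Assumed stand-in for the HSM: the key is generated inside and never
    exposed; callers only get seal/open. HMAC-SHA256 in counter mode plus an
    HMAC tag keeps the example on the standard library; a real vault uses the
    HSM's own AES-GCM, not this construction."""

    def __init__(self) -> None:
        root = secrets.token_bytes(32)
        self._enc_key = hmac.new(root, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(root, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        blocks = [hmac.new(self._enc_key, nonce + i.to_bytes(4, "big"),
                           hashlib.sha256).digest() for i in range(n // 32 + 1)]
        return b"".join(blocks)[:n]

    def seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ks = self._keystream(nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        return nonce + ct + hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()

    def open(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("vault record failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


@dataclass(frozen=True)
class AuditEntry:
    actor: str
    role: str
    action: str
    reference_key: str
    allowed: bool


class AadhaarDataVault:
    """Reference key -> ciphertext. The application stores only the key."""
    # Assumed role names for the example.
    _ROLES = {"store": {"kyc-operator"}, "fetch": {"kyc-operator", "compliance-auditor"}}

    def __init__(self, hsm: HsmStandIn) -> None:
        self._hsm = hsm
        self._records: dict[str, bytes] = {}
        self.audit_trail: list[AuditEntry] = []

    def _authorise(self, action: str, actor: str, role: str, mfa_ok: bool, ref: str) -> None:
        # Every attempt is recorded, allowed or not; MFA is mandatory for all roles.
        allowed = role in self._ROLES[action] and mfa_ok
        self.audit_trail.append(AuditEntry(actor, role, action, ref, allowed))
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not {action}; mfa={mfa_ok}")

    def store(self, identifier: str, actor: str, role: str, mfa_ok: bool) -> str:
        """Store a VID or similar token (never a raw Aadhaar number); return the reference key."""
        if looks_like_aadhaar_number(identifier):
            raise ValueError("raw Aadhaar number must not be stored; use a VID")
        ref = secrets.token_hex(16)
        self._authorise("store", actor, role, mfa_ok, ref)
        self._records[ref] = self._hsm.seal(identifier.encode())
        return ref

    def fetch(self, ref: str, actor: str, role: str, mfa_ok: bool) -> str:
        self._authorise("fetch", actor, role, mfa_ok, ref)
        return self._hsm.open(self._records[ref]).decode()
```

The point of the split is that a compromise of the application database yields reference keys only, and a compromise of the vault's storage yields ciphertext only; recovering an identifier requires the HSM operation, which is exactly the event the audit trail records. The same guard can be reused as a write hook on any application table to catch a raw Aadhaar number before it is persisted.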

3. Purpose Limitation

Aadhaar authentication data may only be used for:

  • The specific purpose for which authentication was obtained
  • Regulatory or legal compliance purposes

It cannot be used for:

  • Building profiles or databases of Aadhaar holders
  • Fraud detection purposes beyond the original authentication
  • Marketing or analytics
  • Sharing with third parties except as required by law

4. Biometric Data Prohibitions

AUAs/KUAs are explicitly prohibited from:

  • Storing, using, or transmitting biometric data (fingerprints, iris scans)
  • Accessing biometric data from the UIDAI system
  • Retaining biometric data in any form after authentication

Authentication transactions capture only the result (yes/no) — the biometric template is transmitted encrypted to UIDAI and the response is received. No biometric data is retained by the AUA/KUA.

5. Incident Reporting to UIDAI

Any security incident involving Aadhaar data or the authentication infrastructure must be reported to UIDAI within the following timeframes:

  • Immediate notification: Any breach of the Aadhaar Data Vault or authentication system
  • 24 hours: Any cyber incident affecting the AUA/KUA systems that could expose Aadhaar-related data

Intersection with DPDP Act

The DPDP Act 2023 classifies Aadhaar data as sensitive personal data. AUAs and KUAs operating under UIDAI guidelines must ensure their compliance programme covers both:

| UIDAI Obligation | DPDP Act Obligation | Action Required |
|---|---|---|
| No Aadhaar number storage | §8 — Security safeguards | Data vault audit |
| Purpose limitation | §4 — Lawful processing | Processing agreement review |
| Biometric data prohibition | Sensitive personal data | DPIA for all biometric workflows |
| Breach notification to UIDAI | §8(6) — Breach notification | Coordinated notification procedure |
| Consent for eKYC | §6 — Consent framework | Consent artefact for every eKYC transaction |
| VID/Reference ID handling | §8(7) — Storage limitation | Retention schedule for authentication tokens |

The Compliance Stack for BFSI Entities Using Aadhaar

A bank that uses Aadhaar for KYC, eKYC, and authentication is simultaneously subject to:

  • UIDAI Aadhaar regulations
  • DPDP Act 2023 (biometric data = sensitive personal data)
  • RBI KYC Master Direction (documentation and storage requirements)
  • RBI DPSC (AEPS consent record requirements)
  • RBI Cybersecurity Framework (access controls and encryption)

This is the compliance stack. The CreativeCyber DPDP Assurance Platform’s ROPA templates include pre-built entries for Aadhaar-based KYC and eKYC activities, with all five regulatory frameworks mapped to each processing activity so gaps are visible across the entire stack simultaneously.
