Date: 2018-11-12

UIDAI’s circular dated July 25, 2017, mandates entities collecting and storing Aadhaar to build an Aadhaar data vault.

By Chaitanya Peddi

With the Supreme Court recently upending key provisions of Aadhaar Act 2016, what are the verdict’s implications for employers in India with respect to the HR technology they use? Over the years, corporates in India have built significant infrastructure for collecting, authenticating and storing Aadhaar data. This data pertains to their own employees as well as the larger customer base. Some of the most common Aadhaar-based technology tools being used by employers are:

* Authenticating identity of employees using Aadhaar-based biometric/OTP verifications as part of background check;

* Collecting Aadhaar numbers through applicant tracking systems to get a unique pool of candidates across hiring channels;

* DigiLockers for collection and storage of candidate and employer documents;

* Usage of Aadhaar-based e-signature tools for signing key documents (offer letters, on-boarding and exit documents);

* Linkage of Aadhaar numbers to EPFO for generating UANs for employees.

The Supreme Court, in its September 26 verdict—Section 386 (11)—clarified the following: “…Section 57, to the extent, which permits use of Aadhaar by the State or any body corporate or person, in pursuant to any contract to this effect is unconstitutional and void.”

This patently invalidates the authority of an employer to collect and authenticate Aadhaar information of an employee. As employers have been setting up processes to effectively use Aadhaar data, this ruling places constraints on the current operations of employers. However, with the data privacy Act expected soon, it is imperative for employers to prioritise employee and individual privacy, and adopt technologies that comply with the ‘new normal’.

While clarifications from both the government and UIDAI are awaited, we recommend steps that employers can adopt to stay compliant with the verdict.

* Avoid usage of any technology that relies on verification/authentication using Aadhaar: Authentication of an individual’s identity using Aadhaar for uses other than distribution of subsidies by the government is now prohibited.

* Exclude use of Aadhaar for de-duplication of candidate database: Companies cannot mandate collection of either physical/digital copies of Aadhaar card or Aadhaar number from individuals for employment purposes. Other identifiers like PAN, email and mobile number can be used in place of Aadhaar.

* Stay away from Aadhaar e-signature of documents: Since Aadhaar-based e-signatures use Aadhaar authentication, they would not be allowed as per the verdict. It is advisable to prefer standard e-signature solutions that are not dependent on Aadhaar for all corporate uses.

* Opt for HR technology tools that provide built-in privacy restrictions by design: These are key elements for companies to focus on, going forward.

UIDAI’s circular dated July 25, 2017, mandates entities collecting and storing Aadhaar to build an Aadhaar data vault. The vault keeps Aadhaar data in a separate, secure database that holds only Aadhaar data, preferably in an encrypted format, and links it to the main employee database through a unique reference key. There should be an easy way to auto-delete Aadhaar data for all inactive employees, and after a particular service period for all active employees. This makes it easier to comply with the Supreme Court’s recommendation on purging Aadhaar data after six months from the date of addition. Self-service features that let employees request deletion of Aadhaar data stored in a particular employer database are also recommended.
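The vault layout described above can be sketched as follows; this is an added example, not code from UIDAI or from the author. It assumes an in-memory SQLite table standing in for the separate secured database, ciphertext produced upstream by the organisation's key management, "six months" read as 180 days, and hypothetical names (`AadhaarVault`, `hr_db`, `run_demo`).

```python
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=180)  # assumption: "six months" read as 180 days

class AadhaarVault:
    """Holds only encrypted Aadhaar values, each under a random reference key."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE vault (ref_key TEXT PRIMARY KEY, "
                        "ciphertext BLOB NOT NULL, added_at REAL NOT NULL)")

    def store(self, ciphertext, now):
        ref_key = secrets.token_urlsafe(16)  # random, not derived from the number
        self.db.execute("INSERT INTO vault VALUES (?, ?, ?)",
                        (ref_key, ciphertext, now.timestamp()))
        return ref_key

    def fetch(self, ref_key):
        row = self.db.execute("SELECT ciphertext FROM vault WHERE ref_key = ?",
                              (ref_key,)).fetchone()
        return row[0] if row else None

    def delete(self, ref_key):
        # Also serves an employee's self-service deletion request.
        cur = self.db.execute("DELETE FROM vault WHERE ref_key = ?", (ref_key,))
        return cur.rowcount == 1

    def purge(self, now, inactive_refs=()):
        # Remove entries past retention plus those of inactive employees.
        cutoff = (now - RETENTION).timestamp()
        expired = [r[0] for r in self.db.execute(
            "SELECT ref_key FROM vault WHERE added_at <= ?", (cutoff,))]
        return {r for r in set(expired) | set(inactive_refs) if self.delete(r)}

def run_demo():
    vault, t0 = AadhaarVault(), datetime(2018, 1, 1, tzinfo=timezone.utc)
    later = t0 + timedelta(days=200)
    # Constructed records; the blobs stand in for ciphertext made upstream.
    hr_db = {"E001": {"active": True, "aadhaar_ref": vault.store(b"ct-1", t0)},
             "E002": {"active": False, "aadhaar_ref": vault.store(b"ct-2", later)},
             "E003": {"active": True, "aadhaar_ref": vault.store(b"ct-3", later)}}
    inactive = [e["aadhaar_ref"] for e in hr_db.values() if not e["active"]]
    purged = vault.purge(t0 + timedelta(days=210), inactive)
    for emp in hr_db.values():  # drop dangling references from the HR record
        emp["aadhaar_ref"] = None if emp["aadhaar_ref"] in purged else emp["aadhaar_ref"]
    return vault, hr_db
```

The main employee record carries only the reference key, so a scheduled `purge` and a per-employee `delete` both act on the vault alone.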

The author is co-founder, Darwinbox—the unified employee life cycle platform