Section 19 in The Aadhaar (Authentication) Regulations, 2016
19. Roles, responsibilities and code of conduct of Authentication Service Agencies.
- An Authentication Service Agency shall have the following functions and obligations:-(a)provide secured connectivity to the CIDR to transmit authentication request from a requesting entity in the manner as may specified by the Authority for this purpose;(b)perform basic compliance and completeness checks on the authentication data packet before forwarding it to CIDR;(c)on receiving the response from CIDR, transmit the result of the transaction to the requesting entity that has placed the request;(d)only engage with the requesting entities approved by the Authority and keep the Authority informed of the list of requesting entities that it serves;(e)communicate to the Authority, all relevant information pertaining to any agreement that it may enter into with a requesting entity;(f)ensure that the persons employed by it for performing authentication and for maintaining necessary systems, infrastructure, processes, etc., possess requisite qualifications for undertaking such works;(g)ensure that its operations are audited by an information systems auditor certified by a recognized body on an annual basis, and provide a certified audit report, to the Authority, confirming its compliance with the policies, processes, procedures, standards, or specifications, issued by the Authority in this regard, from time to time;(h)ensure that all infrastructure and operations including systems, processes, devices, software and biometric infrastructure, security, and other related aspects, are in compliance with the standards and specifications as may specified by the Authority for this purpose;(i)at all times, comply with directions, specifications, etc. issued by the Authority, in terms of network and other Information Technology infrastructure, processes, procedures, etc.(j)comply with all relevant laws and regulations relating, in particular, to data security and data management;(k)any value added service that an ASA provides to a requesting entity under a contract shall not form part of the Aadhaar authentication process;(l)shall be responsible to the Authority for all its authentication related operations, even in the event the ASA sub-contracts parts of its operations to other entities, the responsibility shall remain with the ASA;(m)in case of investigations relating to authentication related fraud or dispute, the ASA shall extend full cooperation to the Authority (or their agency) and/or any other authorized investigation agency, including providing access to its premises, records, systems, personnel, infrastructure, any other relevant resource or information and any other relevant aspect of its authentication operations;(n)may agree upon the authentication charges for providing services to a requesting entity, with such requesting entity, and the Authority shall have no say in this respect, for the time being; however, the Authority's right to prescribe a different mechanism in this respect in the future shall be deemed to have been reserved;(o)shall, at all times, comply with any contractual terms and all rules, regulations, policies, manuals, procedures, specifications, standards, and directions issued by the Authority.
