Section 17 in The Aadhaar (Authentication) Regulations, 2016
17. Obligations relating to use of identity information by requesting entity.
(1)A requesting entity shall ensure that:(a)the core biometric information collected from the Aadhaar number holder is not stored, shared or published for any purpose whatsoever, and no copy of the core biometric information is retained with it;(b)the core biometric information collected is not transmitted over a network without creation of encrypted PID block which can then be transmitted in accordance with specifications and processes laid down by the Authority.(c)the encrypted PID block is not stored, unless it is for buffered authentication where it may be held temporarily on the authentication device for a short period of time, and that the same is deleted after transmission;(d)identity information received during authentication is only used for the purpose specified to the Aadhaar number holder at the time of authentication, and shall not be disclosed further, except with the prior consent of the Aadhaar number holder to whom such information relates;(e)the identity information of the Aadhaar number holders collected during authentication and any other information generated during the authentication process is kept confidential, secure and protected against access, use and disclosure not permitted under the Act and its regulations;(f)the private key used for digitally signing the authentication request and the license keys are kept secure and access controlled; and(g)all relevant laws and regulations in relation to data storage and data protection relating to the Aadhaarbased identity information in their systems, that of their agents (if applicable) and with authentication devices, are complied with.
