Section 5 in Aadhaar (Data Security) Regulations, 2016
5. Security obligations of service providers, etc.
The agencies, consultants, advisors and other service providers engaged by the Authority for discharging any function relating to its processes shall:(a)ensure compliance with the information security policy specified by the Authority;(b)periodically report compliance with the information security policy and contractual requirements, as required by the Authority;(c)report promptly to the Authority any security incidents affecting the confidentiality, integrity and availability of information related to the Authoritys functions;(d)ensure that records related to the Authority shall be protected from loss, destruction, falsification, unauthorised access and unauthorised release;(e)ensure confidentiality obligations are maintained during the term and on termination of the agreement;(f)ensure that appropriate security and confidentiality obligations are provided for in their agreements with their employees and staff members;(g)ensure that the employees having physical access to CIDR data centers and logical access to CIDR data centers undergo necessary background checks;(h)define the security perimeters holding sensitive information, and ensure only authorised individuals are allowed access to such areas to prevent any data leakage or misuse; and(i)where they are involved in the handling of the biometric data, ensure that they use only those biometric devices which are certified by a certification body as identified by the Authority and ensure that appropriate systems are built to ensure security of the biometric data.
