Section 18 in AADHAAR (AUTHENTICATION AND OFFLINE VERIFICATION) REGULATIONS, 2021
18. Maintenance of logs by requesting entity. —
(1)A requesting entity shall maintain logs of the authentication transactions processed by it, containing thefollowing transaction details, namely:—(a)specified parameters of authentication request submitted excluding Aadhaar number, Virtual ID, ANCSToken or UID token;(b)specified parameters received as authentication response including full Aadhaar number or maskedAadhaar, as the case may be;(c)the record of disclosure of purpose for which the authentication was performed, to the Aadhaar numberholder or parent or guardian, in case of a child, at the time of authentication; and(d)record of consent of the Aadhaar number holder, or parent or guardian, in case of a child, forauthentication, but shall not, in any event, retain the PID information.(2)The logs of authentication transactions shall be maintained by the requesting entity for a period of 2 (two)years, during which period an Aadhaar number holder shall have the right to access such logs, in accordancewith the procedure as may be specified.(3)Upon expiry of the period specified in sub-regulation (2), the logs shall be archived for a period of five yearsor the number of years as required by the laws or regulations governing the entity, whichever is later, andupon expiry of the said period, the logs shall be deleted except those records required to be retained upon theorder of a court not inferior to that of a Judge of a High Court or required to be retained for any pendingdisputes.(4)The requesting entity shall not share the authentication logs with any person other than the concernedAadhaar number holder upon his/her request or for grievance redressal and resolution of disputes or upon theorder of a court not inferior to that of a Judge of a High Court. The authentication logs shall not be used forany purpose other than those stated in this sub-regulation.(5)The requesting entity shall comply with all relevant laws, rules and regulations, including, but not limited to,the Information Technology Act, 2000 and the Evidence Act, 1872, for the storage of logs.(6)The obligations relating to authentication logs as specified in these regulations shall continue to remain inforce despite termination of appointment in accordance with these regulations.
