Section 17(1) in AADHAAR (AUTHENTICATION AND OFFLINE VERIFICATION) REGULATIONS, 2021
(1)A requesting entity shall ensure that:(a)the core biometric information collected from the Aadhaar number holder is not stored, shared orpublished for any purpose whatsoever, and no copy of the core biometric information is retained withit;(b)the core biometric information collected is not transmitted over a network without creation of encryptedPID block which can then be transmitted in accordance with specifications and processes laid down bythe Authority.(c)the encrypted PID block is not stored, unless it is for buffered authentication where it may be heldtemporarily on the authentication device for a short period of time, and that the same is deleted aftertransmission;(d)identity information received during authentication is only used for the purpose specified to theAadhaar number holder at the time of authentication, and shall not be disclosed further, except with theprior consent of the Aadhaar number holder to whom such information relates.(e)the identity information of the Aadhaar number holders collected during authentication and any otherinformation generated during the authentication process is kept confidential, secure and protectedagainst access, use and disclosure not permitted under the Act and its regulations;(f)the private key used for digitally signing the authentication request and the license keys are kept secureand access controlled; and(g)all relevant laws and regulations in relation to data storage and data protection relating to the Aadhaar-based identity information in their systems, that of their agents (if applicable) and with authenticationdevices, are complied with.
