Union of India - Subsection

Section 14(1) in AADHAAR (AUTHENTICATION AND OFFLINE VERIFICATION) REGULATIONS, 2021

(1) A requesting entity shall have the following functions and obligations:—
(a) establish and maintain necessary authentication related operations, including own systems, processes, infrastructure, technology, security, etc., which may be necessary for performing authentication;
(b) establish network connectivity with the CIDR, through an ASA duly approved by the Authority, for sending authentication requests;
(c) ensure that the network connectivity between authentication devices and the CIDR, used for sending authentication requests is in compliance with the standards and specifications laid down by the Authority for this purpose;
(ca) ensure that the Aadhaar number/Virtual ID/ANCS Token provided by the resident for authentication request shall not be retained by the device operator or within the device or at the AUA server(s);
(cb) ensure that the provision of authentication using Virtual ID is provided;
(d) employ only those devices, equipment, or software, which are duly registered with or approved or certified by the Authority or agency specified by the Authority for this purpose as necessary, and are in accordance with the standards and specifications laid down by the Authority for this purpose;
(e) monitor the operations of its devices and equipment, on a periodic basis, for compliance with the terms and conditions, standards, directions, and specifications, issued and communicated by the Authority, in this regard, from time to time,
(f) ensure that persons employed by it for performing authentication functions, and for maintaining necessary systems, infrastructure and processes, possess requisite qualifications for undertaking such works.
(g) keep the Authority informed of the ASAs with whom it has entered into agreements;
(ga) obtain approval from the Authority before appointing any third party entity as Sub-AUA/Sub-KUA.
(h) ensure that its operations and systems are audited by information systems auditor certified by a recognised body on an annual basis to ensure compliance with the Authority’s standards and specifications and the audit report should be shared with the Authority upon request;
(i) implement exception-handling mechanisms and back-up identity authentication mechanisms to ensure seamless provision of authentication delivery of services to the residents;
(j) in case of any investigation involving authentication related fraud(s) or dispute(s), it shall extend full cooperation to the Authority, or any agency appointed or authorised by it or any other authorised investigation agency, including, but not limited to, providing access to their premises, records, personnel and any other relevant resources or information as well to assist the Authority in disseminating information to the general public about any Aadhaar data related fraud to enable Aadhaar number holders to evaluate whether they were victims of the fraud and take remedial action;
(k) in the event the requesting entity seeks to integrate its Aadhaar authentication system with its local authentication system, such integration shall be carried out in compliance with standards and specifications issued by the Authority from time to time;
(l) shall inform the Authority of any misuse of any information or systems related to the Aadhaar framework or any compromise of Aadhaar related information or systems within their network. If the requesting entity is a victim of fraud or identifies a fraud pattern through its fraud analytics system related to Aadhaar authentication, it shall share all necessary details of the fraud with the Authority as well as to affected Aadhaar number holders without undue delay;
(m) shall be responsible for the authentication operations and results, even if it sub-contracts parts of its operations to third parties. The requesting entity is also responsible for ensuring that the authentication related operations of such third party entities comply with Authority standards and specifications and that they are regularly audited by approved independent audit agencies;
(ma) may agree upon the authentication charges for providing authentication services to its customer, with such customer, and the Authority shall have no say in this respect, for the time being; however, the Authority’s right to prescribe a different mechanism in this respect in the future shall be deemed to have been reserved;
(mb) Aadhaar numbers collected through physical forms or photocopies of Aadhaar letters shall be masked by the requesting entity by redacting the first 8 digits of the Aadhaar number before storing the physical copies.
(n) shall, at all times, comply with any contractual terms and all rules, regulations, policies, manuals, procedures, specifications, standards, and directions issued by the Authority, for the purposes of using the authentication facilities provided by the Authority.
(o) shall take specific permission of the Authority and sign appropriate agreement with the Authority, if requiring storage of Aadhaar number for non-authentication purposes. Aadhaar number shall be stored in a secure manner as specified by the Authority from time to time
(p) extend full co-operation to the Authority for any mass awareness programmes that the Authority may undertake to sensitize Aadhaar number holders about the nature of data being used in authentication, the scope of misuse as well as steps to protect against such misuse or fraud