Aadhaar (Authentication and Offline Verification) Regulations, 2021 · III — Appointment Of Requesting Entities And
Regulation 20 Maintenance of logs by Authentication Service Agencies
(1) An Authentication Service Agency shall maintain logs of the authentication transactions processed by it, containing the following transaction details, namely:-
(a) identity of the requesting entity;
(b) parameters of authentication request submitted; and
(c) parameters received as authentication response:
Provided that Aadhaar number, Virtual Id, UID Token, ANCS Token, PID information, device identity related data and e-KYC response data, where applicable shall not be retained.
(2) Authentication logs shall be maintained by the ASA for a period of 2
(two) years, during which period the Authority and/or the requesting entity may require access to such records for grievance redressal, dispute redressal and audit in accordance with the procedure specified in these regulations. The authentication logs shall not be used for any purpose other than stated in this sub-regulation.
(3) Upon expiry of the period specified in sub-regulation (2), the authentication logs shall be archived for a period of five years, and upon expiry of the said period of five years or the number of years as required by the laws or regulations governing the entity whichever is later, the authentication logs shall be deleted except those logs required to be retained by a court not inferior to that of a Judge of a High Court or which are required to be retained for any pending disputes.
(4) The ASA shall comply with all applicable laws in respect of storage and maintenance of these logs, including the Information Technology Act, 2000.
(5) The obligations relating to authentication logs as specified in this regulation shall continue to remain in force despite termination of appointment in accordance with these regulations.
Source: Wayback Machine snapshot of UIDAI's original publication.
(1) An Authentication Service Agency shall maintain logs of the authentication transactions processed by it, containing the following transaction details, namely:—
(a) identity of the requesting entity;
(b) parameters of authentication request submitted; and
(c) parameters received as authentication response:
Provided that Aadhaar number, Virtual Id, UID Token, ANCS Token, PID information, device identity related data and e-KYC response data, where applicable shall not be retained.
(2) Authentication logs shall be maintained by the ASA for a period of 2
(two) years, during which period the Authority and/or the requesting entity may require access to such records for grievance redressal, dispute redressal and audit in accordance with the procedure specified in these regulations. The authentication logs shall not be used for any purpose other than stated in this sub-regulation.
(3) Upon expiry of the period specified in sub-regulation (2), the authentication logs shall be archived for a period of five years, and upon expiry of the said period of five years or the number of years as required by the laws or regulations governing the entity whichever is later, the authentication logs shall be deleted except those logs required to be retained by a court not inferior to that of a Judge of a High Court or which are required to be retained for any pending disputes.
(4) The ASA shall comply with all applicable laws in respect of storage and maintenance of these logs, including the Information Technology Act, 2000.
(5) The obligations relating to authentication logs as specified in this regulation shall continue to remain in force despite termination of appointment in accordance with these regulations. 20A. Optional Maintenance of Logs by Offline Verification Seeking Entity
(1) An Offline Verification Seeking Entity may maintain logs of the verification transactions processed by it, if deemed necessary by the OVSE and with consent of the resident, containing any of the following transaction details, namely:—
(a) the offline Aadhaar data document shared by the resident in a suitably secure manner ;
(b) any other data shared by the resident during the course of verification including mobile number, email id, photo etc;
(c) local verification transaction logs between OVSE and the resident;
(d) details of the notification related to the Offline Verification sent to the Aadhaar number holder. but shall not, in any event, store the Aadhaar number or Virtual ID of the Aadhaar number holder.
(2) The OVSE shall not share the logs with any person other than the concerned Aadhaar number holder or for grievance redressal and resolution of disputes in accordance with the provisions of the Act. The verification logs shall not be used for any purposes other than those stated in this sub-regulation.