Aadhaar Data Privacy Policy
Version Number: 1.5
Date of review: 07th March 2025
1. Introduction
The security of UIDAI information assets handled by external ecosystem partners for providing services is of paramount importance. The confidentiality, integrity and availability of these assets shall always be maintained by these partners by deploying security controls in line with the Aadhaar Act 2016, the Aadhaar Authentication Application Security Standards and other applicable circulars/directions issued by the UIDAI. This Policy is applicable wherever UIDAI information is processed and/or stored by PPBL.
2. Objectives of the Policy
Paytm Payments Bank Limited (PPBL) holds a KUA (KYC User Agency) license issued by the Unique Identification Authority of India (UIDAI) and undertakes user authentications to enable some of its services/business functions. PPBL connects to the CIDR (Central Identities Data Repository) through NSDL, which is an Authentication Service Agency (ASA/KSA). PPBL uses demographic as well as biometric data, in addition to the Aadhaar number/VID of its customers, while initiating the account-based relationship with its customers or while providing account-based services to them.
The objectives of the policy include:
- To design and implement suitable controls to ensure the privacy and security of the customer’s biometric information, Aadhaar number and any other data received from the UIDAI in the course of authentication.
- To provide the necessary guidelines to the various stakeholders and responsible personnel within PPBL for deploying relevant security controls to secure the data of the Aadhaar number holder and ensure data privacy, in compliance with the relevant provisions of the Aadhaar Act 2016 and any other applicable circulars or directions issued by the UIDAI.
3. Applicability
This policy applies to all departments of the bank which access, process or store the Aadhaar number and any other customer data received from the UIDAI in the course of authentication.
4. Control and Authority
- The Board of Directors has the responsibility for ensuring the implementation of this policy, which sets out the management responsibilities and the control practices for all areas of information processing activities.
- Senior Management is responsible for understanding risks to the bank to ensure that they are adequately addressed from a governance perspective.
- The CISO shall be responsible for protecting the Aadhaar-linked personal data as well as for the security of systems, access control, audit, etc.
- All Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual areas are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by departmental policies on personal use, and if there is any uncertainty, employees should consult their supervisor or manager or higher officer.
- Any information that the information-owner considers sensitive or vulnerable should be password-protected in transit/storage.
- Internal awareness activities about the consequences of breaches of Aadhaar data may be conducted via various channels such as newsletter articles, employee trainings, internal memos and circulars.
- Necessary monitoring and audit of networks and systems on a periodic/ad hoc basis may also be conducted to ensure compliance with this policy.
4.1 Compliance
- E-KYC shall be carried out using only biometric and/or OTP authentication modalities.
- PPBL shall comply with all terms and conditions outlined in the AUA (Authentication User Agency) /KUA (KYC User Agency) agreement with UIDAI, Aadhaar Act 2016 and various circulars/ directions issued by the UIDAI.
- The operations shall be audited by an information systems auditor certified by STQC (Standard testing and quality control) on an annual basis so as to ensure compliance with UIDAI standards and specifications. The audit report shall be shared with UIDAI upon request.
- Any security incidents affecting the confidentiality, integrity and availability of information received from the UIDAI will be reported to UIDAI at the earliest.
- PPBL has appointed a Data Privacy Officer (dpo@paytmbank.com) for the necessary communication with UIDAI.
5. Handling of Personal Identity Data (PID)
“Personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.
5.1. Consent
- The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing.
- The consent of the data principal in respect of processing of any sensitive personal data shall be explicitly obtained:
- after informing the data principal of the purpose of, or operation in, processing which is likely to cause significant harm to the data principal;
- in clear terms, without recourse to inference from conduct in a context; and
- after giving the data principal the choice of separately consenting to the purposes of, operations in, and the use of different categories of, sensitive personal data relevant to the processing.
5.2. Processing / Using the Personal Data
- The identity information, including Aadhaar number, biometric /demographic information collected from the Aadhaar number holder by PPBL shall only be used for the Aadhaar authentication process by submitting it to the Central Identities Data Repository (CIDR).
- PPBL will ensure that the Personal Identity Data (PID) block comprising the resident’s demographic/biometric data is encrypted, as per the latest API standards/specifications specified by the UIDAI, at the endpoint device used for authentication.
- Aadhaar authentication or Aadhaar e-KYC shall be used for the specific purposes declared to UIDAI and permitted by UIDAI. Such specific purposes shall be notified to the residents / customers / Individuals at the time of authentication through disclosure of information notice;
- PPBL shall not use the Identity information including Aadhaar number or e-KYC for any other purposes than allowed under Aadhaar (Authentication) Regulation, 2016 and informed to the resident / customers / individuals at the time of Authentication.
- For the purpose of e-KYC, the demographic details of the individual received from UIDAI as a response shall be used for identification of the individual for the specific purposes of providing the specific services for the duration of the services.
5.3. Storing Personal Data
- The authentication transaction logs shall be stored for a period of two years, after which the logs shall be archived for a period of five years or as per the regulations governing the entity, whichever is later. Upon expiry of that period, the authentication transaction logs shall be deleted, barring those required to be maintained by a court order or a pending dispute.
- The encrypted PID block, including the OTP, shall not be stored, except in the case of buffered authentication, in which case it shall be deleted from the local systems post authentication.
- The Aadhaar number and any connected data (e.g. e-KYC XML containing the Aadhaar number and data) of the customers received through authentication shall be stored in a separate secure database/vault/system called the “Aadhaar Data Vault”.
- Any other data received during the authentication such as demographic information and photo of the customer can be stored outside Aadhaar Data Vault.
5.4. Usage and Sharing of Personal Data
- Aadhaar-related customer information collected shall be used explicitly for the purpose for which consent has been obtained.
- Identity information shall not be shared in contravention of the Aadhaar Act 2016, its Amendment, Regulations and other circulars released by UIDAI from time to time.
- Biometric information collected shall not be transmitted over any network without creation of encrypted PID block as per Aadhaar Act and regulations;
- The identity information of the Aadhaar number holders collected during authentication, and any other information generated during the authentication process, shall be kept confidential and secure, and protected against unauthorized access, use and disclosure.
- PPBL shall not require an individual to transmit the Aadhaar number over the Internet unless such transmission is secure and the Aadhaar number is transmitted in encrypted form except where transmission is required for correction of errors or redressal of grievances.
5.5. Protection of Personal Data
- All hosts that connect to the Aadhaar Authentication Service or handle residents’ identity information shall be secured using endpoint security solutions. At a minimum, anti-virus/malware detection software shall be installed on such hosts.
- Network intrusion and prevention systems should be in place – e.g., IPS, IDS, WAF, etc.
- There shall be strong access controls, authentication measures, monitoring and logging of access, and alerting on unusual or unauthorised access attempts.
- The Aadhaar number must be encrypted when stored in the database. Encryption keys must be protected securely using an HSM.
6. Data Security / Operations Security
- The Aadhaar number shall be collected over a secure application, transmitted over a secure channel as per specifications of UIDAI and the identity information returned by UIDAI shall be stored securely;
- The biometric information shall be collected, if applicable, using the registered devices specified by UIDAI. These devices encrypt the biometric information at device level and the application sends the same over a secure channel to UIDAI for authentication.
- OTP information shall be collected in a secure application and encrypted on the client device before transmitting it over a secure channel as per UIDAI specifications;
- The Aadhaar number/VID submitted by the resident / customer / individual to the requesting entity, and the PID block created from it, shall not be retained under any circumstances; the entity shall retain the parameters received in response from UIDAI;
- e-KYC information shall be stored in an encrypted form only. Such encryption shall match UIDAI encryption standards and follow the latest Industry best practice;
- PPBL shall, as mandated by law, encrypt and store the Aadhaar numbers and any connected data only in the secure Aadhaar Data Vault (ADV), in compliance with the Aadhaar Data Vault circular issued by UIDAI;
- The keys used to digitally sign the authentication request and to encrypt Aadhaar numbers in the Data Vault shall be stored only in HSMs, in compliance with the HSM and Aadhaar Data Vault circulars;
- PPBL shall use only Standardisation Testing and Quality Certification (STQC) / UIDAI certified biometric devices for Aadhaar authentication (if biometric authentication is used);
- All applications used for Aadhaar authentication or e-KYC shall be tested for compliance with the Aadhaar Act 2016 before being deployed in production and after every change that impacts the processing of identity information. The applications shall be audited on an annual basis by information systems auditor(s) certified by STQC, CERT-In or any other UIDAI-recognized body;
- In the event of an identity information breach, the organisation shall notify UIDAI of the following:
- A description and the consequences of the breach;
- A description of the number of Aadhaar number holders affected and the number of records affected;
- The privacy officer’s contact details; and
- Measures taken to mitigate the identity information breach.
- Appropriate security and confidentiality obligations shall be implemented in the nondisclosure agreements (NDAs) with employees/contractual agencies /consultants/advisors and other personnel handling identity information;
- Only authorized individuals shall be allowed to access the authentication application, audit logs, authentication servers, applications, source code and information security infrastructure. An access control list shall be maintained and regularly updated by the organisation;
- Best practices in data privacy and data protection based on international Standards shall be adopted;
- The response received from CIDR in the form of authentication transaction logs shall be stored with following details:
- The Aadhaar number against which authentication is sought;
- Specified parameters received as authentication response;
- The record of disclosure of information to the Aadhaar number holder at the time of authentication; and
- Record of consent of the Aadhaar number holder for authentication. PPBL shall not, in any event, retain the PID information.
- Aadhaar numbers shall only be stored in the Aadhaar Data Vault as per the specifications provided by UIDAI.
7. Access Control
Only authorized individuals shall be provided access to information facilities (such as the authentication application, audit logs, authentication servers, applications, source code, information security infrastructure, etc.) processing UIDAI information.
Access rights of employees accessing/processing information received from UIDAI shall be revoked within 24 hours of the termination notice being served, or as mentioned in the HR policy of the organization.
Where a Business Correspondent (BC) needs to perform functions in the authentication application, the BC should be authenticated using an authentication scheme such as password, Aadhaar authentication, smart card based authentication, etc.
License keys shall be kept secure and access-controlled.
8. Additional measures
Managing a data breach is about more than stopping the leak; the reputational risk at stake must also be managed. Therefore, the management team shall devise a crisis communication strategy.
The Information Security team needs to stay vigilant and anticipate attacks that may target not just systems but also individuals and the bank through disinformation.
The role of the CISO is very sensitive; therefore the Information Security team should have the requisite support, including legal protection and clear communication channels. Careful handling of internal investigations is of utmost importance.
APIs and Insecure Direct Object Reference (IDOR) flaws are a common attack vector; therefore it is essential for the bank to regularly audit its APIs, patch known vulnerabilities and enforce strict access controls. Strengthening API security can prevent unauthorized access and minimize the risk of data exposure.
The bank needs to monitor both the technical and social landscapes so that disinformation and cyberattacks can be avoided.
9. Policy Review and Updates
The Policy shall be reviewed as and when required, and at least once a year, to address the requirements of the Bank and to comply with guidelines issued by the UIDAI or any applicable regulator or judiciary from time to time. However, any regulatory changes during the year will be implemented immediately, with the approval of the CEO and information to the Board.
10. Continuous Improvement: Learnings from Industry Data Breach Challenges
In light of the evolving landscape of data security challenges, including recent data breach incidents within the banking and financial services industry, Paytm Payments Bank is committed to maintaining the highest standards of data protection. We continuously monitor industry trends, regulatory developments and emerging security threats to ensure that our data protection practices remain robust and effective.
Should any data breach incidents occur in the industry, we will conduct thorough investigations and assess the impact on our systems and customers. Based on the lessons learned from these incidents, Paytm Payments Bank will update its data security protocols and privacy practices to strengthen its safeguards against future breaches.
11. Regulatory References
- Aadhaar Act 2016 and other notifications issued in this regard from time to time
- Requesting Entity Compliance Checklist_v_2.0
- Aadhaar regulations 2016
- UIDAI Information Security Policy in respect of AUA/KUA for circulation
- Various circulars issued by UIDAI
12. Glossary
- KYC: Know Your Customer
- MD & CEO: Managing Director and Chief Executive Officer
- RBI: Reserve Bank of India
- NSDL: National Securities Depository Limited
- AUA: Authentication User Agency
- ASA: Authentication Service Agency
- CIDR: Central Identities Data Repository
- KUA: Know Your Customer User Agency
- NDA: Non-Disclosure Agreement
- OTP: One Time Password
- PID: Personal Identity Data
- STQC: Standard testing and quality control
- PPBL: Paytm Payments Bank Limited
- HSM: Hardware Security Module
- CISO: Chief Information Security Officer
- KSA: KYC Service Agency