
RTI and Aadhaar: What UIDAI Must Disclose and What It Cannot

UIDAI is a statutory public authority covered by the RTI Act. But Aadhaar data — biometrics, demographic details, authentication history — is separately protected. This guide explains what RTI can get you from UIDAI, what the Aadhaar Act restricts, and how to navigate both.

Published 29 May 2026 · Updated 29 May 2026

The Aadhaar system touches almost every Indian citizen's life. It is linked to bank accounts, ration cards, PF accounts, school admissions, gas subsidies, and scores of other government services. When something goes wrong — a biometric mismatch that cuts off a widow's pension, a demographic correction that UIDAI refuses to process, an authentication failure that locks a person out of a welfare scheme — the question that naturally follows is: can you use the Right to Information Act, 2005 to get answers from UIDAI?

The short answer is yes, but with a significant caveat. The Unique Identification Authority of India (UIDAI) is a public authority covered by the RTI Act, and there is a meaningful range of information you can legitimately seek from it. But the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 — the statute under which UIDAI was created — contains its own confidentiality provisions that are separate from and in addition to the RTI Act's exemptions. Individual biometric data, and in most contexts demographic data as well, is protected by these provisions in a manner that is categorical rather than merely discretionary.

Understanding both layers — what UIDAI must disclose and what the Aadhaar Act specifically shields — is essential before you file.

UIDAI Is a Public Authority Under the RTI Act

The Unique Identification Authority of India was established as a statutory body under Section 11 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016. It functions under the administrative control of the Ministry of Electronics and Information Technology (MeitY), a Central Government ministry.

This matters for RTI purposes. Section 2(h) of the RTI Act, 2005 defines a "public authority" as, among other things, any authority or body established or constituted by or under a Constitution, Act, ordinance or other law made or issued by Parliament or the appropriate State Legislature. UIDAI was established by a law made by Parliament — the Aadhaar Act, 2016 — and it functions with public funding and exercises public powers. It is therefore squarely within the RTI Act's definition of a public authority.

The practical consequence is that UIDAI has all the obligations that every Central Government public authority carries under the RTI Act. It must designate Central Public Information Officers (CPIOs). It must respond to RTI applications within 30 days under Section 7(1) of the RTI Act (or within 48 hours where the request concerns the life or liberty of a person, under the proviso to Section 7(1)). It must maintain suo motu disclosures under Section 4(1) of the Act. And if it refuses to share information or fails to respond, you have the right to appeal: a First Appeal to UIDAI's First Appellate Authority under Section 19(1) of the RTI Act within 30 days of the date of decision or expiry of the response period, and a Second Appeal to the Central Information Commission (CIC) under Section 19(3) if the First Appeal fails. A deliberately evasive or vexatious refusal can attract penalty under Section 20 of the RTI Act.

RTI applications to UIDAI are filed online at rtionline.gov.in (UIDAI's ministry, MeitY, is a Central Government body). The ₹10 RTI fee applies under the RTI (Regulation of Fee and Cost) Rules, 2005, and is waived entirely for BPL cardholders.

What You Can Seek from UIDAI via RTI

Within the bounds of the Aadhaar Act and the RTI Act's general exemptions, there is a legitimate and substantial range of information that UIDAI must provide in response to RTI applications.

Policy and procedural documents. UIDAI formulates internal policies on every aspect of the Aadhaar ecosystem: how enrollment is conducted, how demographic corrections are processed, how biometric updates are handled, what the procedure is for locking and unlocking an Aadhaar number, what the policy is on cancellation or deactivation of an Aadhaar, and how grievances are escalated. These policy documents relate to UIDAI's exercise of its public functions. They are not personal data about any individual and they have no special statutory protection under the Aadhaar Act. UIDAI must share them.

If you received a rejection on your demographic correction request and want to know the policy UIDAI applied to reject it, an RTI asking for "the policy/guidelines/circular governing rejection of demographic correction requests" is a legitimate and productive question.

Aggregate and statistical data. UIDAI publishes considerable data on its own website — state-wise and district-wise Aadhaar enrollment figures, monthly authentication statistics, and similar metrics. But RTI can reach data that has not been voluntarily published: granular district-level authentication volumes, the number of Aadhaar numbers deactivated or cancelled in a given year, the count of failed authentication transactions over a period, the aggregate number of demographic correction requests received versus resolved. This information involves no individual's personal data; it is aggregate management information about a large public system, and it falls squarely within what a public authority must disclose.

Enrollment agency records. UIDAI empanels and regulates private enrollment agencies across the country that physically conduct Aadhaar enrollment and biometric update operations. Records of which agencies are currently empanelled, quality audit reports of enrollment agencies, instances where agencies have been blacklisted or issued show-cause notices, and the criteria applied in empanelling and deregistering agencies: all of this is public accountability information about UIDAI's regulatory function. Citizens in a district who want to know which agencies are authorised to operate nearby, or who want to investigate whether a blacklisted agency was operating illegally, can legitimately seek this information.

Budget and expenditure. UIDAI is funded from public money. Its budget allocations, actual expenditure on IT infrastructure and systems, contracts awarded for Aadhaar technology development and maintenance, and procurement records are all subject to RTI in the ordinary way. The Aadhaar Act contains no special exemption for UIDAI's financial transactions. If you want to know how much was contracted for a specific Aadhaar system upgrade, or what UIDAI spent on a particular IT vendor, that is legitimate RTI territory.

Grievance data and resolution statistics. UIDAI receives a large volume of grievances — from residents who cannot complete authentication, from those whose biometric data was not captured correctly at enrollment, from people who have been wrongly linked to another person's Aadhaar. Aggregate information about the types of grievances received, the volumes handled, and resolution rates is not personal data about any individual and can be sought through RTI. If you want to understand how well UIDAI's grievance machinery is functioning in a systematic sense, this is the data to ask for.

Circulars and orders on Aadhaar linkage. UIDAI and MeitY have issued numerous instructions to government departments and service providers about how Aadhaar is to be used for service delivery. Any circular, order, or notification about Aadhaar linkage requirements — whether Aadhaar is mandatory for a particular service, what alternative identification is accepted when Aadhaar fails — is a policy document that UIDAI must share.

What the Aadhaar Act, 2016 Specifically Protects

Here is where the analysis becomes more complicated, and where the Aadhaar Act operates independently of and in addition to the RTI Act's own exemptions.

Section 28 of the Aadhaar Act contains categorical confidentiality provisions. Section 28(1) provides that identity information — which the Aadhaar Act defines to include both biometric information and demographic information — shall not be used for any purpose other than the generation of Aadhaar numbers and authentication under the Act. This is not a discretionary balancing provision of the kind found in Section 8(1)(j) of the RTI Act. It is a categorical restriction on the use of identity information.

Biometric information — fingerprints, iris scans, and any other biological attribute — is the most absolutely protected category. Section 28(5) of the Aadhaar Act provides that no Aadhaar number holder shall be required to give their biometric information for any reason other than enrollment or update. UIDAI does not share biometric data with anyone, under any circumstances, except as specifically authorised under the Aadhaar Act itself. This protection does not arise from the RTI Act at all — it arises from the Aadhaar Act, and the RTI Act cannot override a specific statutory protection enacted by Parliament for a specific purpose.

The practical consequence is unambiguous: you cannot obtain any person's biometric data from UIDAI through an RTI application. Not your own biometric data, not someone else's. The Aadhaar Act prohibits UIDAI from sharing biometric information for any purpose other than the enrollment and authentication functions it is specifically authorised to perform. An RTI application is not an Aadhaar authentication. A CPIO at UIDAI who declines to share biometric data in response to an RTI is correctly applying the law — not hiding behind an exemption.

Section 33 of the Aadhaar Act provides the only exceptions to this general confidentiality framework. Identity information may be disclosed in the interest of national security, upon a direction made by an officer not below the rank of Joint Secretary to the Government of India (or the equivalent for State purposes). Identity information may also be disclosed pursuant to an order of a High Court or the Supreme Court. Neither of these channels is available to an ordinary RTI applicant. These are extraordinary exceptions for exceptional circumstances, not a pathway for individual information requests.

The RTI Act's Own Personal Information Exemption

Leaving aside the Aadhaar Act's specific protections, UIDAI can also invoke Section 8(1)(j) of the RTI Act to decline sharing certain information.

Section 8(1)(j) exempts from mandatory disclosure "information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual" — unless the larger public interest justifies disclosure.

Demographic information about an individual held by UIDAI — a resident's name, date of birth, address, gender, and mobile number as recorded in the Aadhaar database — is personal information within the meaning of this provision. Seeking another person's demographic details from UIDAI through RTI would face both this RTI exemption and the Aadhaar Act's confidentiality provisions. The two layers of protection reinforce each other.

What about your own demographic information? In the ordinary RTI framework, the position is that you are entitled to access your own personal records held by public authorities — privacy is a protection against disclosure to others, not a barrier to your own access. UIDAI recognises this in practice, but it addresses requests for your own Aadhaar details through a purpose-built channel rather than through the RTI process. The resident portal at myaadhaar.uidai.gov.in allows you to view and download your own demographic information linked to your Aadhaar, check your enrollment status, see your virtual ID, and lock or unlock your biometric data. UIDAI's standard response to RTI applications asking for "my Aadhaar details" is to direct the applicant to this portal.

This is a pragmatically defensible response. The resident portal is designed for exactly this purpose and provides authentication-secured access. However, for information about your own case that is not available through the portal — such as the specific reason a demographic correction request was rejected, or detailed correspondence in your file — RTI remains a legitimate tool.

Seeking another person's Aadhaar demographic data is categorically impermissible. Both Section 8(1)(j) of the RTI Act and Section 28 of the Aadhaar Act protect this information, and no "larger public interest" formulation will overcome the Aadhaar Act's categorical restriction on use.

The Puttaswamy Judgment and Aadhaar

The Aadhaar RTI question cannot be discussed without reference to the Supreme Court's 2018 judgment in Justice K.S. Puttaswamy (Retd.) v. Union of India. This was a different case from the 2017 nine-judge bench privacy ruling (also involving Justice Puttaswamy as petitioner); the 2018 judgment was a five-judge Constitution Bench ruling that specifically assessed the constitutional validity of the Aadhaar Act, 2016.

The 2018 bench upheld the Aadhaar Act as broadly constitutional, finding that the collection and use of biometric and demographic data for welfare delivery purposes was a proportionate measure that served legitimate state aims. However, the bench also read down or struck down certain provisions. Most significantly, it struck down Section 57 of the Aadhaar Act, which had permitted private entities to use Aadhaar authentication for their own purposes. The court held that compelling citizens to share biometric data with private companies went beyond what the constitutional proportionality test permitted.

The judgment is important for the RTI-Aadhaar intersection for a reason that goes beyond its specific holdings. The court affirmed — in the context of Aadhaar specifically — that biometric data is in a distinct category of sensitive personal information that attracts a higher degree of constitutional protection. Biometrics are immutable: you can change a password, you can cancel a credit card, but you cannot change your fingerprints. The irreversible nature of biometric data, and the risks that flow from its misuse or exposure, are reasons the Aadhaar Act's confidentiality provisions are as strong as they are.

Any argument that RTI should be able to override these protections misunderstands both the constitutional framework that Puttaswamy articulated and the specific statutory framework the Aadhaar Act created. The two are mutually reinforcing.

Authentication Logs: A Nuanced Position

One category of Aadhaar-related information deserves specific attention: your own authentication logs.

When your Aadhaar number is used to authenticate you for a service — a bank transaction, a PDS ration withdrawal, a government scheme verification — UIDAI records that authentication event. These logs show which entity requested authentication, when, and the result (success or failure). They are data about you and about how your identity has been used.

UIDAI provides some access to authentication history through myaadhaar.uidai.gov.in. The portal shows a recent history of authentication events linked to your Aadhaar number. For data beyond what the portal shows — either because the retention period has passed or because the portal does not surface all the detail you need — RTI is a plausible avenue.

There is no provision of the Aadhaar Act that prohibits UIDAI from sharing a resident's own authentication log with that resident. Section 28's restrictions are on use of identity information, not on a resident's access to records of their own authentication history. However, UIDAI may respond that logs beyond a certain retention period are not maintained, or that the records sought are not in the format requested. This is a factual position about data availability; if you dispute it or believe UIDAI is being evasive, that is a matter for First Appeal and, if necessary, the CIC.

Practical Situations Where RTI Against UIDAI Makes Sense

Having drawn the boundaries carefully, it is worth being concrete about the circumstances in which filing RTI against UIDAI is a genuinely useful step.

Your Aadhaar demographic correction was rejected and you received no explanation. An RTI asking for the specific reason(s) for rejection and the policy or guidelines applied in evaluating your request is entirely appropriate. UIDAI must explain why an administrative decision was made.

Your Aadhaar-linked subsidy or welfare benefit was stopped due to an authentication failure and the department says the problem is with UIDAI. RTI asking for the authentication failure record for a specific date and the policy on deactivation of Aadhaar numbers can help you identify whether your Aadhaar was deactivated, why, and under what policy.

You want to know which enrollment agencies are currently authorised in your district. This is straightforward operational information UIDAI must share.

A UIDAI enrollment agency in your area was operating irregularly and you want to know whether it was blacklisted or under inquiry. RTI for the agency's empanelment status, quality audit results, and any orders issued against it is squarely within what RTI is designed to surface.

You want to understand UIDAI's policy on Aadhaar-mobile number linking, deduplication procedures, or the standards applied for biometric quality during enrollment. These are policy and procedural documents with no individual data component — UIDAI must share them.

You want aggregate data on how many Aadhaar numbers have been deactivated in a given year, or how many authentication failures were recorded for PDS transactions in a state. This is aggregate statistical information that RTI can legitimately reach.

The DPDP Act and Its Evolving Relationship with RTI

The Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted to create a comprehensive statutory framework for the protection of digital personal data in India. This Act co-exists with the RTI Act, and its relationship with RTI is still being worked out. Section 44(3) of the DPDP Act amends Section 8(1)(j) of the RTI Act, affecting the scope of the personal information exemption in ways that courts and the CIC are still applying to specific situations.

For Aadhaar-related RTI specifically, the DPDP Act adds another layer to an already layered legal framework. Aadhaar biometric and demographic data is already protected by the Aadhaar Act's own provisions. The RTI Act's Section 8(1)(j) — as amended — provides additional protection for personal information in the digital sphere. Citizens filing RTI applications touching on Aadhaar data should be aware that the legal protection for individual Aadhaar data is now reinforced from multiple directions: the Aadhaar Act, the RTI Act's personal information exemption (as amended by the DPDP Act), and the constitutional right to privacy recognised in Puttaswamy (2017).

The operationally important point is that the DPDP Act does not weaken the RTI Act's overall architecture of transparency for government actions. It reinforces protection for individual personal data. For the kinds of RTI applications against UIDAI described in this post — questions about policy, procedure, aggregate data, enrollment agency conduct, and budget — the DPDP Act changes nothing material.

A Note on Other MeitY Bodies and Digital Identity

UIDAI is the most prominent body in the digital identity ecosystem, but it is not the only one relevant to RTI applicants navigating questions about digital services and identity infrastructure.

The National Informatics Centre (NIC), which builds and maintains core government IT infrastructure, is also a Central Government public authority subject to RTI — with the CIC as the second appeal body. If you want to understand the technical standards applied to a government portal, the architecture of an IT system used to deliver a scheme, or the procurement process for government software, NIC may be the relevant respondent rather than UIDAI.

Common Service Centres (CSCs) operated through CSC e-Governance Services India Ltd are the delivery points for many Aadhaar-linked services at the last mile. The RTI position on CSC e-Governance Services India Ltd — a Special Purpose Vehicle in which the Central Government is a key stakeholder — is worth verifying before you file, since the "substantially financed" test under Section 2(h) of the RTI Act applies to government companies in ways that can require case-by-case analysis.

Filing RTI Against UIDAI: A Practical Summary

UIDAI is a Central Government public authority under the Aadhaar Act, 2016, and is fully subject to the RTI Act, 2005. You file at rtionline.gov.in. The ₹10 fee applies (free for BPL). Response due within 30 days under Section 7(1). First Appeal to UIDAI's First Appellate Authority under Section 19(1) within 30 days. Second Appeal to the CIC under Section 19(3) if needed.

What you can legitimately seek: UIDAI's policies and procedures on enrollment, correction, deactivation, and locking; aggregate statistics on enrollment, authentication, and deactivation; records of enrollment agency empanelment, audit, and blacklisting; UIDAI's budget and procurement; grievance statistics; circulars and orders on Aadhaar linkage requirements; and records relating to your own specific case (rejection of your correction, reason for deactivation of your number, authentication history not available on the resident portal).

What you cannot obtain: any individual's biometric data (protected categorically by Section 28 of the Aadhaar Act, irrespective of who is asking); any other person's demographic Aadhaar data (protected by both Section 28 of the Aadhaar Act and Section 8(1)(j) of the RTI Act); and data that UIDAI does not retain or that falls within the national security disclosure provisions of Section 33 of the Aadhaar Act (which are available only to designated government officers or by court order — not to RTI applicants).

The Aadhaar Act's protections exist for good reasons, grounded in the constitutional right to privacy and in the specific risks of biometric data exposure. RTI applicants who understand those reasons — and frame requests accordingly — will find that RTI against UIDAI is a genuinely useful tool for accountability, even if it is not a master key to the Aadhaar database.


UIDAI is a Central Government body. RTI applications to UIDAI are filed at rtionline.gov.in, and the Central Information Commission (CIC) is the second appeal authority. If you are preparing an RTI application to UIDAI — whether to understand why your correction was rejected, to obtain policy documents, or to get records about enrollment agencies in your area — RTISathi.com has guides for Central Government RTI applications and sample formats that can help you frame an effective request.
