### The accountability framework of UIDAI: Concerns and solutions

by Vrinda Bhandari and Renuka Sane and Bhargavi Zaveri.

The public discourse on Aadhaar has largely focused on concerns about the privacy issues associated with the collection of personal information, and the constitutionality of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ("the Act"). Regardless of the outcome of the case at the Supreme Court, most residents will likely have to interact with the UIDAI, which is the body empowered to roll out an enrollment and authentication program for beneficiaries of welfare programs.

The UIDAI is an Agent established by the Principal (Parliament), with three powers. The law allows the State to compel an individual seeking a state-sponsored subsidy to undergo the enrollment and authentication processes designed by the UIDAI (although Aadhaar has now been made mandatory for certain non-welfare schemes as well, which goes beyond the conception in the law). The UIDAI is empowered to license and regulate Registrars and enrolling agencies to collect the demographic and biometric information of individuals, and enroll them under the Act. Finally, the UIDAI has quasi-judicial powers, such as the power to suspend the licenses of such enrolling agencies and Registrars.

In this article, we examine the foundations required to make UIDAI work properly: the performance and accountability standards. Under the present law, UIDAI is neither performance oriented nor is there accountability for failure. The problem of accountability at UIDAI is a little-explored issue, other than occasional media reporting which expresses angst about data breaches and authentication failures (see here, here, and here). There is considerable knowledge from the global and Indian literature on public administration on how to achieve performance of such an Agent. Drawing on this body of knowledge, we propose that the UIDAI should be held to appropriate accountability standards, so as to create an environment where it will perform well.

### Agencification and its associated challenges

Since the 1980s, governments have established specialised organisations which perform certain functions. These Agents have diverse mandates such as regulating a specific sector (SEBI and TRAI); administration of social welfare schemes (the erstwhile Benefits Agency in the UK); and running prisons (such as the HM Prison Service (HMPS) in the UK or the Dienst Justitiële Inrichtingen - National Agency for Correctional Institutions (DJI) in the Netherlands).

The Agent performs its mandate through the exercise of three kinds of powers, namely, quasi-legislative powers, quasi-executive powers, and quasi-judicial powers (FSLRC, 2013). While some agencies have all three kinds of powers at their disposal, others have some of them. For instance, while SEBI has all three powers, agencies which are tasked with administrative functions such as the UK Benefits Agency or the HMPS have limited quasi-legislative powers and no quasi-judicial powers. Whatever may be the scope of powers of these agencies, two features cut across all such agencies: (a) they perform functions that the sovereign would have otherwise performed; and (b) they wield the power of the State in being able to coerce certain private persons in certain ways.

Broadly speaking, agencification has worked well in improving State capacity. However, this has come from establishing an array of mechanisms to deal with a few important concerns:

1. Weaker links between the people and agencies: When a sovereign delegates functions to agencies, this reduces accountability through elections (Maggetti, 2010). The persons manning such agencies are one more step away from the people, as they are autonomous from the government and are not politically accountable to the people. Power in the hands of unelected officials also creates concerns about democratic legitimacy (Majone 1998). For instance, agencies which have been tasked with the administration of social welfare have been accused of opacity (Pollitt et al, 2004).
2. Unfettered discretion: When agencies have the power to write subordinate legislation (i.e. regulations), this power is often not accompanied by checks and balances. In liberal democracies, there are elaborate checks and balances that are placed upon Parliamentary law. These checks and balances can be, and often are, diluted in the context of the "regulatory state". For example, in all the years since SEBI's establishment, only one of its quasi-legislative instruments has been challenged. Compare and contrast this to the constitutional challenge that virtually every significant parliamentary law faces in India. Similarly, in the last 30 years, no order issued by RBI has been challenged by the person penalised. This leads to the possibility of abuse of power (Cochrane, 2015).
3. Size and ever-growing footprint in administration of public affairs: Autonomous bodies, especially those entrusted with the administration of social security benefits, end up assuming significant proportions, both in terms of their size and budget allocations. For instance, in 2000, the Benefits Agency which was responsible for the administration of social welfare schemes in the UK employed a staff of 70,642 and accounted for 30% of the overall state budget (Pollitt et al, 2004). Similarly, the Social Security Administration in the United States now has a staff strength of 60,000. In the Indian context, the annual expenditure of the RBI is larger than that of States such as Goa.

### An accountability framework for agencies of the State

The power to coerce or the power to spend, that is conferred upon the Agent, must be associated with commensurate accountability mechanisms (Stone and Thatcher, 2002). Accountability mechanisms are ex-ante and ex-post. Examples of both are enumerated below:

Ex-ante accountability mechanisms:

1. Having an adequate strength of independent directors on the board of the agency
2. Regular internal audits to review the performance of the agency and ensuring that it complies with the law in exercising the discretion vested in it
3. Setting out the objectives of the agency and the instruments to be used to achieve them, clearly in the law
4. Setting out performance oriented goals and metrics for measurement of performance, in advance
5. Defining formal processes for the exercise of the powers vested in the agency
6. Mechanisms to facilitate transparent decision making, such as public consultations before making delegated legislation, maintaining a website, publishing a clear rationale for each decision of the agency

Ex-post accountability mechanisms:

1. Laying all quasi-legislative instruments before the Parliament
2. Reports showing the goals set out at the beginning of the year, the extent to which they are achieved at the end of the year and a statement of reasons for failure
3. Resource allocation towards different goals and year-end utilisation
4. Performance and audit by external independent agencies and publishing the reports of such audits

#### How do other social security administrators account for their performance?

Since the Aadhaar number is so often compared to the social security number issued by the Social Security Administration (SSA) in the United States, we can usefully draw a comparison with the annual performance and financial report published by the US SSA. The report sets out the strategic goals of the SSA that were determined at the beginning of the year. It divides the strategic goal into multiple objectives, specifies measurable performance metrics to ascertain the extent to which the objectives have been met, and the extent to which the goal was achieved. An example of how the performance reporting for the SSA works, is given below.

1. For FY 2012, a pre-determined strategic goal of the SSA was to deliver "quality disability decisions and services".
2. This strategic goal was divided into three objectives. One of the objectives was to "Reduce the wait time for hearing decisions and eliminate the hearing backlog". The metrics used to measure the performance of the SSA on this objective were to complete "the budgeted number of hearing requests" and "reduce waiting time between hearings and decisions". SSA reported its performance on these two metrics as under:

Objective: Reduce the wait time for hearing decisions and eliminate the hearing backlog

| Performance Measure | FY 2012 target | FY 2012 Actual | Whether target achieved |
|---|---|---|---|
| Complete the budgeted number of hearing requests | 875,000 | 820,484 | No |
| Minimize average wait time from hearing request to decisions | 321 days | 362 days | No |

The SSA's performance report also shows the funds allocated to each objective and a statement of reasons where the performance metric is not met.

### The current accountability framework of the UIDAI

A reading of the objectives and functions assigned to the UIDAI under the Act would suggest that the UIDAI must, at the very least, be held accountable for:

1. The enrollment and authentication of persons [sections 11 and 23(1)]
2. The regulation of enrollment agencies and other service providers licensed by it [section 23(2)(i)]
3. The security and confidentiality of the data shared by persons who have enrolled with the UIDAI [section 23(2)(j) and (k)].

The Act and the accompanying Regulations specify a limited accountability framework, which is not oriented towards performance or service delivery to the citizen. Three accountability measures are present under the Aadhaar Act and Regulations:

1. An annual CAG audit, and requiring these certified accounts of the UIDAI to be laid before each House of Parliament [Section 26 of the Act]; and
2. Requiring an annual report in a prescribed form describing UIDAI's past activities, accounts, and future programmes of work, to be laid before each House of Parliament [Section 27 of the Act]. However, no such manner and form for the publication of the report has been laid down in the Aadhaar Regulations, nor does such a Report seem to be available in the public domain.
3. Requiring certain processes to be followed by the CEO in transacting business at the UIDAI (Transaction of Business at Meetings of the Authority) Regulations, 2016, although these only relate to the number of meetings, quorum, voting procedure etc.

Apart from an annual financial audit, the law lacks any performance accountability mechanisms for the UIDAI. For instance, there is nothing in the law requiring the UIDAI to set performance standards for itself or account for core responsibilities such as number of people enrolled and not enrolled, number of authentication failures or number of data and security breaches. The law is similarly completely silent on ex-post accountability mechanisms. It neither requires a performance audit nor demands a justification for failures on its part.

### Weak law will deliver weak performance

The conduct of an agency is largely shaped by the law governing it. For instance, Burman and Zaveri (2016) find that there is a correlation between the laws which mandate transparency of a regulator and the responsiveness of such regulators to citizens' preferences. Similarly, the detailed performance reporting by the SSA is underpinned by a law called the Government Performance and Results Act, 1993, a law that set up a performance-oriented framework of reporting for the US federal agencies to show the progress they make towards achieving their goals.

In the absence of such statutorily mandated accountability standards, measuring the performance of the UIDAI is difficult. Stories of security breaches and authentication failures for availing benefits abound. For instance, Scroll.in queried the UIDAI about the authentication requests received between September 2010 (when the first Aadhaar number was issued) till October 2016, and how many failed or succeeded. The query was aimed at assessing the efficacy of biometric authentication. The UIDAI replied that it had not maintained any records between September 2010 and September 2012 and that it did not maintain authentication data state-wise. More importantly, the UIDAI revealed that data about the success or failure of the over 331 crore authentication requests was "not readily available", nor was the breakup of the negative reply to the requesting authority on each of the five modes of authentication "readily available".

Similarly, cases of fake Aadhaar cards have also been reported. Pertinently, in response to an RTI filed by PTI, seeking details related to all cases of duplicate and fake Aadhaar cards and the action taken on them, the UIDAI refused the request on the grounds that the disclosure might affect national security, or lead to incitement of an offence. The UIDAI also informed PTI that its CIDR facilities, information assets, logistics and infrastructure and dependencies, are all classified as "protected system" under the IT Act, and are thus, exempt from RTI. It further stated that the format in which it held the information contained identity details, which may be prone to identity theft, if divulged. The practical reality thus is that cases of unauthorised leaks/disclosures of identity information are being dealt with on a case to case basis, with zero clarity in the law on who is to be held accountable for such lapses in the future.

### Conclusion

In previous decades, when we first set up state agencies in India, we were driven by concerns of efficiency and expertise that such agencies would bring to public administration. We now have sufficient experience about the endemic failure of State capacity in that approach. If one more new agency is built, on the lines of existing agencies, there is a high chance that it will reproduce the failures of existing agencies.

The climate of thinking on these questions in India is shifting. The FSLRC report, which proposes a new financial regulatory architecture, made extensive recommendations on the accountability framework for financial sector regulators. These recommendations were codified in the Indian Financial Code (IFC), a draft law that accompanied the FSLRC report. For example, the IFC contains provisions that mandate (a) regulators to build a system of periodical internal audits and publish the reports of such audits, (b) performance audits by an external auditor, (c) building systems for measuring the performance and efficiency of regulators, and (d) public consultation and a cost benefit analysis before exercising quasi-legislative powers. Some of these provisions that do not require legislative amendments are being implemented by the Ministry of Finance through a Handbook on Governance enhancing recommendations of the FSLRC, adopted by the four financial sector regulators in October 2013.

The report of the Bankruptcy Law Reforms Committee (2015) drew on the regulatory governance framework recommended by the FSLRC and recommended four elements for achieving accountability of the Insolvency and Bankruptcy Board of India, India's new insolvency regulator. While some of these elements were codified in the Insolvency and Bankruptcy Code, others are sought to be implemented in the course of setting up the Insolvency and Bankruptcy Board of India. Recent events at TRAI are pushing the organisation towards sound processes.

While the subject of regulatory governance seemed remote and a second order issue in setting up institutions in India, policy thinking today has increasingly started recognising that enhancing governance standards is as important as technical soundness, when designing new frameworks. Every government agency is an Agent, and the journey to building high performance agencies lies in setting up a sound principal-agent relationship, in the law. UIDAI is an important new organisation, and it should emerge as a high performance agency. We must harness our experience and our knowledge, to build appropriate accountability standards for the UIDAI in the law.

Vrinda Bhandari is a practicing advocate in Delhi. Renuka Sane is a researcher at the National Institute of Public Finance and Policy, Delhi. Bhargavi Zaveri is a researcher at the IGIDR Finance Research Group, Mumbai.

1. Accountability for data economy could be through.

1) Indian Data Code - A comprehensive policy framework encompassing data (protection / empowerment) laws, cyber security standards, enforcement / audit agencies, regulatory governance, consumer protection.

2) Sectoral regulators for identity / personal data, transparency regulator - open data in government / enterprise, AI / ML aside from special committees in sectoral regulators like TRAI, SEBI, RBI, Payments(?), Education, Health on scope of data regulated by sector.

3) Identity / personal data regulator needs to oversee UIDAI, possibly at some point in time "open up" identity agencies for private players so competition will drive UIDAI towards performance / check monopoly abuse.

