Sovio Pramaan | 4 min read

Why Collecting Aadhaar Photocopies Is Now a Compliance Risk

Sovio Pramaan — Document verification without storing documents

The Lobby Desk Problem

Every day, millions of Indians hand over a photocopy of their Aadhaar card, PAN card, or passport to a hotel receptionist, an office security guard, a housing society secretary, or an HR executive.

The receptionist files it in a drawer. Or scans it into a shared folder. Or uploads it to a Google Sheet accessible to five people.

None of these people have bad intentions. But the system itself is broken.

That photocopy — containing name, date of birth, full Aadhaar number, and sometimes address — now lives in a place the data subject cannot control. It can be leaked, sold, or misused. And under the DPDP Act, the liability for that breach rests squarely on the organisation that collected it.

Why the Current Practice Is a Liability

Collecting and storing copies of officially valid documents (OVDs) creates two categories of risk.

First, data breach liability. Every stored photocopy is an asset for attackers. In 2023 alone, Indian organisations reported over 700 million data breaches. Hotels, coworking spaces, and apartment societies are soft targets — they lack the security infrastructure of banks, yet hold equally sensitive data.

Under the Digital Personal Data Protection Act 2023, a data fiduciary (the organisation collecting personal data) must implement reasonable security safeguards. Storing photocopies in a cabinet or an unencrypted drive is not reasonable. The penalty for non-compliance can reach INR 250 crore.

Second, the principle of data minimisation is violated. The DPDP Act requires that personal data be collected only for the purpose it is needed, and retained only as long as necessary. A hotel needs to verify your identity at check-in. It does not need to keep your document copy for six months or six years.

Yet the default practice today is “verify and store.”

The Conceptual Shift: Proof Without Possession

The shift is simple: you can verify a document without storing it.

Think of it like a notary. A notary verifies your identity and witnesses your signature. They do not keep a copy of your passport. They record that they verified it, not the document itself.

Sovio Pramaan applies this same principle at scale.

A hotel, office, or HR team presents the document. Pramaan authenticates it in real time — checking for tampering, validating issuer details, and confirming the document is genuine. The result is a simple yes/no verification outcome. The document itself is never stored. Not even temporarily.

This is a shift from “collect and trust” to “verify and forget.”

How Sovio Pramaan Enables This

Pramaan uses an API-first architecture that integrates with existing property management systems, visitor management platforms, and HR onboarding tools. The flow works in seconds:

  1. An individual presents a physical or digital document.
  2. The organisation scans or captures it via Pramaan’s verification interface.
  3. Pramaan authenticates the document using tamper detection and issuer validation.
  4. A verification result — authenticated or not — is returned.
  5. The organisation records only the verification outcome. The document is discarded.

No copies. No storage. No compliance headache.

Pramaan supports Aadhaar, PAN, Driving License, Passport, and additional OVDs. Every verification generates an audit trail for compliance purposes, so organisations can prove they performed due diligence without holding sensitive data.

Who Should Care

  • Hotels and hospitality chains collecting guest ID copies at check-in. A data breach from a hotel’s guest database would be catastrophic for brand trust.
  • Housing societies and coworking spaces maintaining visitor logs with ID copies. Most societies are unaware that storing visitor ID data makes them data fiduciaries under the DPDP Act.
  • HR and onboarding teams collecting documents from new hires. Employee ID data is highly sensitive and carries long retention risks.
  • Security teams managing premises access where identity verification must happen quickly and without creating a data trail that becomes a liability.

The Bottom Line

The DPDP Act changed the rules. Collecting and storing ID photocopies is no longer business as usual — it is a compliance risk with penalties that can cripple an organisation. The technology to verify without storing exists today. The question is whether organisations will modernise before a breach forces their hand.


Sovio Pramaan helps organisations verify identity without storing documents. See how it works — book a demo.
