Confidential Dispatch

Is it safe to share your Aadhaar or PAN? The real risks

At a glance

Sharing your Aadhaar or PAN is safe when it goes to a trusted party that genuinely needs it — a bank doing mandated KYC, your employer for tax — but risky when handed out casually, since a misused PAN can be used to take loans or open accounts in your name. Under India’s DPDP Act a business can only collect what its stated purpose needs, so you can refuse over-collection — and a masked Aadhaar or Virtual ID lets you share without exposing the full number.

Educational resource only. This explains your rights around sharing Aadhaar and PAN under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.

On this page

The situation

A shopkeeper wants your PAN for a “membership,” a rental broker asks for an Aadhaar copy “for records,” a delivery agent photographs your ID at the door. Each request feels small, and saying no feels awkward. But your Aadhaar and PAN are the two documents that unlock the most in your name — so it’s worth knowing exactly when a request is legitimate, when you can push back, and how to share without handing over more than you should.

Are Aadhaar and PAN protected under the DPDP Act?

Yes — both are personal data, so any business holding them is a Data Fiduciary with duties to you, and it can collect them only for a purpose it has told you about. There’s a common myth to clear first: people assume Aadhaar and PAN sit in some special high-security category. The DPDP Act has no separate “sensitive data” class — they’re treated as ordinary personal data. That isn’t a downgrade; ordinary personal data still comes with real duties.

Two of those duties do most of the work here. A business must give you a clear notice of why it wants the ID (Section 5), and your consent is limited to the data the stated purpose actually needs (Section 6). Put together, collection is purpose-bound: the reason justifies the document, not the other way round. A loyalty card doesn’t need your Aadhaar; a legally mandated bank KYC does.

The real risks if they’re misused

A leaked PAN is the sharper financial danger; a loose Aadhaar copy is the identity-fraud danger — and PAN misuse often stays invisible until the damage is done. These aren’t abstract worries. PAN is among the most forged identity documents in India, and the reason is simple: it’s the key to your financial identity.

With a misused PAN, fraudsters can:

  • apply for loans or credit cards in your name, leaving you liable for the debt;
  • open bank accounts used for fraudulent transactions or money laundering;
  • carry out tax evasion or benami dealings linked to your number.

The trap is that PAN fraud is quiet — you often find out only when your credit score drops or a loan you never took appears on your record.

A loosely shared Aadhaar copy feeds a different problem: it’s a strong identity anchor, so a copy floating around can be used to impersonate you, back other fraudulent paperwork, or link records about you across services. Your Aadhaar number alone can’t unlock your biometrics — but a full photocopy in the wrong hands is still a genuine identity risk, which is exactly why masking exists (more below).

When you actually have to give them — and when you don’t

You have to provide the ID only where the purpose genuinely needs it or the law requires it — everything else is over-collection you can refuse. The DPDP Act says your consent must be free, specific, informed, unconditional and unambiguous. “Unconditional” is the load-bearing word: a business can require the data it truly needs, but it can’t bundle in an unrelated ID demand as the price of service.

So the honest test is: does this transaction actually require this document?

  • Genuinely required — a bank or regulated lender doing KYC, your employer needing PAN for tax deduction, a property registration. Here you do provide it.
  • Usually over-collection — a shop’s loyalty programme, a gym or society asking for an Aadhaar copy “for records,” a restaurant or salon logging your ID for marketing. Here you can decline, or offer a masked version.

One firm line worth knowing, separate from the DPDP Act: no private business can force you into Aadhaar-based biometric authentication. Under Aadhaar law, that’s not something a gym, society, or shop can mandate.

How to share them safely

When you do have to share, share the least exposing form — a masked Aadhaar or Virtual ID instead of the full number, and a purpose-marked, self-attested copy of your PAN. These are practical tools from the Unique Identification Authority of India (UIDAI) and standard practice, not DPDP Act rules — but they’re how you keep a legitimate request from becoming a future leak.

For Aadhaar:

  1. Use a masked Aadhaar where a copy is needed. Downloaded from the UIDAI portal, it hides the first eight digits and shows only the last four — enough to verify identity, without exposing the full number. (Note: masked Aadhaar can’t be used to claim government scheme benefits under Direct Benefit Transfer (DBT) — those need the full version.)
  2. Use a Virtual ID (VID) for KYC or authentication. It’s a temporary, revocable 16-digit number mapped to your Aadhaar that agencies can verify against — but your actual Aadhaar number can’t be worked out from it. Generate it via the UIDAI portal, the mAadhaar app, or SMS.
  3. Never post it on social media or public platforms, and share only with trusted, authorised organisations.

For PAN:

  1. Self-attest the copy — sign across it and write the purpose plainly, e.g. “For KYC with [name] only.” A purpose-marked copy is far harder to reuse elsewhere.
  2. Share only with trusted institutions — banks, registered financial companies, government agencies. Never send PAN details, OTPs, or ID copies over WhatsApp, SMS, or to unverified callers.
  3. Don’t over-share the original — carry it only when needed.

What to do if you think yours has been misused

Check your financial trail early, then escalate — over-collection is a data-protection grievance, outright fraud is also a police matter.

  • Watch your PAN trail. Check your credit score every few months and your Form 26AS for transactions you don’t recognise — the earliest signs of PAN misuse show up there.
  • Ask the business what it holds. You can ask any organisation what personal data it has about you and why (your right of access) — and ask it to delete an ID it no longer needs.
  • Escalate over-collection. If a business made an unnecessary ID a condition of service, or won’t explain or delete it, raise a grievance with its contact, then complain to the Data Protection Board of India.
  • Report fraud. If your PAN or Aadhaar has actually been used against you, that’s also a matter for the police / cyber-crime channels, alongside the data grievance.

FAQ

Is it safe to give my PAN to a shop or for a loyalty card? Usually not necessary — and if it isn’t needed for the service, it’s over-collection you can refuse. Your consent has to be unconditional, so an unrelated PAN demand can’t be made a condition of a basic sale.

Can a business force me to give my Aadhaar? Only where it’s genuinely required, such as a legally mandated KYC. For casual verification or records, demanding Aadhaar is usually over-collection — and no private business can compel Aadhaar-based biometric authentication at all.

Is a masked Aadhaar valid as ID? Yes. A masked Aadhaar is a legitimate form of Aadhaar for identity verification; it simply hides the first eight digits. The main exception is government DBT benefits, which need the full version.

What’s the safest way to share my Aadhaar for KYC? Use a Virtual ID (VID) — a revocable 16-digit number that verifies you without revealing your real Aadhaar number. It can be generated and regenerated anytime via UIDAI.

How would I even know my PAN was misused? It rarely announces itself. The usual signs are an unexplained drop in your credit score, or a loan or account you never opened appearing against your name — which is why periodic credit and Form 26AS checks matter.

Reviewed by Confidential Dispatch Editorial Team

Last updated 14 July 2026

Not legal advice.