Digital Public Infrastructure Lab
Understand India's Digital Public Infrastructure stack — from Aadhaar and UPI to ONDC and beyond. Built for development practitioners navigating digital governance across South Asia.
What is Digital Public Infrastructure?
DPI is the set of digital building blocks — identity, payments, data exchange, consent — that governments provide as public goods, enabling private innovation and public service delivery at scale.
DPI vs. a regular digital service
| Feature | Private platform (e.g. Amazon, Google Pay) | Digital Public Infrastructure |
|---|---|---|
| Ownership | Private company | Government body or public trust |
| Access | Requires accepting terms; can exclude users | Aims for universal, rights-based access |
| Data | Held by the platform, often used for profit | Ideally citizen-controlled, consent-based |
| Interoperability | Walled gardens, proprietary | Open standards, interoperable |
| Business model | Profit-driven | Public good — free or subsidised |
| Example | Amazon Pay, PhonePe (private layer) | UPI (public rail), Aadhaar (public ID) |
The layered model of DPI
One common way to read a DPI stack is as layers — each layer depends on the one below it. Read from the foundation (identity) upward to the applications people actually touch.
India's DPI Stack in Detail
The "India Stack" is now studied and adapted worldwide, often with support from bodies like UNDP and the World Bank. Tap each block to select it and note the current scale.
The building blocks
Aadhaar — identity layer
A 12-digit biometric-backed identity number. Enables e-KYC and yes/no authentication across services.
UPI — payments layer
Unified Payments Interface: real-time interbank transfers via a mobile number, UPI ID or QR code. Operated by NPCI.
DigiLocker — document layer
A cloud document wallet where citizens store and share government-issued documents (marksheets, licences, certificates).
ABHA / ABDM — health layer
Ayushman Bharat Health Account: a 14-digit health ID under the Ayushman Bharat Digital Mission, linking health records with consent-based sharing.
ONDC — commerce layer
Open Network for Digital Commerce: an open protocol for e-commerce, letting small retailers reach buyers across competing apps.
Account Aggregator — consent layer
Consent-based financial data sharing. Citizens control who can access which financial data, and for how long ("data empowerment").
International comparisons Indicative
| Country | Identity | Payments | Data exchange | Character |
|---|---|---|---|---|
| India | Aadhaar | UPI | AA, ONDC, DigiLocker, ABDM | Broad, population-scale |
| Estonia | e-ID / e-Residency | SEPA | X-Road | Advanced, small population |
| Singapore | Singpass | PayNow | MyInfo, HealthHub | High quality, city-state |
| Kenya | Maisha Namba / Huduma | M-Pesa | Emerging | Mobile-money first |
| Brazil | CPF / Gov.br | Pix | Open Finance | Fast follower |
Aadhaar — Promise, Peril, and Practice
Aadhaar is the world's largest biometric ID system and the foundation of India's DPI. For practitioners it is impossible to ignore — and it carries real ethical and operational trade-offs.
How Aadhaar works
The development case for Aadhaar
What Aadhaar has enabled Tap items to check
- De-duplication helped weed out fake and duplicate beneficiaries across schemes; government-cited estimates put cumulative DBT savings at ~₹3.48 lakh crore (2009–2024), food subsidies contributing ~₹1.85 lakh crore
- Direct Benefit Transfer (DBT) routes payments to bank accounts, reducing layers of intermediaries
- Aadhaar-linked accounts sped up MGNREGA wage payments and improved on-time transfer rates
- "One Nation One Ration Card" lets migrants draw PDS rations away from home
- Provided a verifiable identity to many people who previously lacked any government ID
The concerns
What practitioners must watch Tap items to check
- Exclusion errors: fingerprint authentication can fail for manual labourers and the elderly (worn prints), risking denial of benefits
- Privacy & surveillance risk: a single ID linked across databases raises profiling and data-security concerns
- Coercion in practice: services sometimes demand Aadhaar even where it is not legally required
- Digital divide: elderly, disabled and remote populations struggle with biometric authentication
- Seeding errors: a wrong Aadhaar-to-account link can misdirect a benefit to the wrong person
Exercise: Aadhaar in your programme
UPI and the Payments Revolution
UPI is the payments rail that most visibly changed everyday transactions in India — and the backbone of many DBT-based schemes.
How UPI works (simplified)
UPI & DBT for development
| Use case | Before | After UPI / DBT | Effect |
|---|---|---|---|
| PM-KISAN (farmer support) | Cheques / cash via intermediaries, delays | Direct bank transfer, often same-day | ~₹6,000/yr to ~9.7 cr farmers; fewer intermediaries |
| MGNREGA wages | Transfers via block office, long delays | Aadhaar-linked DBT with time-bound release | Higher on-time payment rates |
| Scholarships | Manual disbursement, institutional capture | Direct to student's account, Aadhaar-seeded | Faster, more traceable |
| PM-SVANidhi (vendor loans) | Branch visits, paperwork, collateral | Digital application, digital disbursement | Reaches many first-time borrowers |
| NGO field expenses | Cash handling, reimbursement lag | UPI to field staff, instant reconciliation | Lower cash risk, better audit trail |
Interactive: DBT leakage-savings model Illustrative model
Move the sliders to build intuition about how much leakage DBT + Aadhaar + UPI could prevent. These are teaching assumptions, not a claim about any specific scheme — real leakage varies enormously by programme and context.
Modelled result
Original leakage: ₹350 cr
After DBT + Aadhaar: ₹140 cr
Estimated recovery: ₹210 cr
That is 21% of the total budget recovered (in this illustrative model)
Governance, Privacy, and the DPDP Act
India's Digital Personal Data Protection (DPDP) Act, 2023 is its first comprehensive data-protection law. It governs how organisations — public and private — collect and process personal data. Tap each provision to select it.
Key provisions of the DPDP Act 2023
1. Consent is required
Personal data must generally be processed on free, specific, informed, unconditional and unambiguous consent given by clear affirmative action, with a plain-language notice. Consent can be withdrawn.
2. Data fiduciaries
Any entity that decides the purpose and means of processing personal data is a "Data Fiduciary" with legal obligations for security, purpose limitation and deletion once the purpose is served.
3. Children's data
Processing a child's data (under 18) requires verifiable parental/guardian consent. Behavioural monitoring and targeted advertising directed at children are prohibited. Certain bodies (e.g. schools, healthcare) may get calibrated relief under the Rules.
4. Government exemptions
The central government may exempt its agencies from provisions on grounds such as security of the state and public order. Civil-society groups have flagged this as a significant carve-out.
5. Rights of data principals
Individuals ("Data Principals") have rights to access information about processing, seek correction and erasure, grievance redressal, and nominate someone to exercise rights on their behalf.
DPI risk-assessment framework
Before implementing any DPI-dependent programme, work through these questions.
| Risk | Questions to ask | Mitigation |
|---|---|---|
| Exclusion | Who lacks Aadhaar / a smartphone / connectivity? What share of your target group? | Alternative authentication, offline fallback, assisted enrolment |
| Privacy | What data are you collecting? Is it necessary? Who can access it? | Data minimisation, encryption, access controls, DPDP compliance |
| Surveillance | Could this data be used to track, profile or discriminate? | Purpose limitation, aggregation, anonymisation where possible |
| Vendor lock-in | Are you dependent on a single platform or provider? | Open standards, interoperability, data portability |
| Digital literacy | Can beneficiaries understand and control their digital footprint? | Literacy support, simple interfaces, helplines |
| System failure | What happens when servers are down or biometrics fail? | Offline modes, manual override, contingency budget |
Designing DPI-Enabled Development Programmes
This module brings everything together: how to design a programme that harnesses DPI's benefits while managing its risks — always with a fallback for the excluded.
Step 1 — Identity & eligibility
DPI layers: Aadhaar + DigiLocker
- Student's Aadhaar → e-KYC verifies identity
- Caste and income certificates pulled from DigiLocker auto-verify eligibility
- Fallback: assisted manual verification for students without Aadhaar/DigiLocker
Step 2 — Application & processing
DPI layers: DigiLocker + state portal
- Single-window portal — no repeated document submission
- DigiLocker integration pulls documents automatically
- Real-time application tracking for students
- Fallback: Common Service Centres (CSCs) for students without internet
Step 3 — Disbursement
DPI layers: DBT + UPI + Aadhaar-linked account
- Scholarship credited to the student's Aadhaar-seeded bank account
- Instant notification to the student's mobile
- Reconciliation via the Public Financial Management System (PFMS)
- Fallback: alternative payout for students without a bank account
Step 4 — Monitoring & grievance
DPI layers: dashboard + grievance portal
- Live dashboard: applied / processed / disbursed / pending
- Auto-alerts when a case breaches its service-level deadline
- Grievance portal with ticket tracking
- Fallback: toll-free helpline and district help desks
Your design exercise Illustrative
Design a digital maternal-health programme for pregnant women in rural Bihar offering: a ₹5,000 conditional cash transfer for antenatal care (in instalments), transport to hospital for delivery, and post-natal home visits by an ASHA worker. Map it to the DPI stack, then reveal a model answer.
Reveal a model answer tap to reveal
Identity: Aadhaar + ABHA for linking health records with consent
Eligibility: integrate with a maternity-benefit scheme (e.g. PMMVY) and pregnancy registration by the ANM
Payments: DBT to an Aadhaar-linked account via PFMS, with a mobile notification
Transport: integrate the 102/108 ambulance service
Monitoring: ABHA-linked records + an ASHA app to log visits
Fallbacks: CSC-assisted enrolment; alternative payout for women without accounts; community verification where Aadhaar auth fails
Privacy: encrypt health data, limit access to ANM/ASHA/medical officer, and take consent for each data share
Lab complete
You now understand India's Digital Public Infrastructure stack and can design programmes that use it responsibly, with fallbacks for those it might exclude.
- Explain DPI layers and how they build on one another
- Map India's DPI stack (Aadhaar, UPI, DigiLocker, ABHA, ONDC, Account Aggregator)
- Weigh Aadhaar's benefits and risks — and cite the 2018 events and Puttaswamy judgment accurately
- Use UPI and DBT for faster, more traceable transfers
- Apply the DPDP Act 2023 to your organisation's data practices
- Design DPI-enabled programmes with ethical, non-digital fallbacks