
Digital Public Infrastructure Lab

Understand India's Digital Public Infrastructure stack — from Aadhaar and UPI to ONDC and beyond. Built for development practitioners navigating digital governance across South Asia.

What is Digital Public Infrastructure?

DPI is the set of digital building blocks — identity, payments, data exchange, consent — that governments provide as public goods, enabling private innovation and public service delivery at scale.

Definition: Digital Public Infrastructure (DPI) refers to shared, interoperable digital rails — like identity, payments and consent-based data exchange — offered as public goods. Private apps and government services are built on top of these rails rather than each rebuilding them.

DPI vs. a regular digital service

Feature | Private platform (e.g. Amazon, Google Pay) | Digital Public Infrastructure
Ownership | Private company | Government body or public trust
Access | Requires accepting terms; can exclude users | Aims for universal, rights-based access
Data | Held by the platform, often used for profit | Ideally citizen-controlled, consent-based
Interoperability | Walled gardens, proprietary | Open standards, interoperable
Business model | Profit-driven | Public good — free or subsidised
Example | Amazon Pay, PhonePe (private layer) | UPI (public rail), Aadhaar (public ID)

Why DPI matters for development: By reusing common rails, India has extended digital identity and payments to hundreds of millions of people at low marginal cost, and routed welfare through Direct Benefit Transfer (DBT). A 2025 government-cited assessment (BlueKraft) estimated cumulative DBT savings of about ₹3.48 lakh crore between 2009 and 2024 from plugging leakages — food subsidies alone accounting for roughly ₹1.85 lakh crore.

The layered model of DPI

One common way to read a DPI stack is as layers — each layer depends on the one below it. Read from the foundation (identity) upward to the applications people actually touch.

Application layer: Private apps, government portals, NGO tools — built on top of DPI
Data-exchange layer: Account Aggregators, health records (ABDM), ONDC, DigiLocker
Payments layer: UPI, IMPS, FASTag, BBPS — the payment rails
Identity layer: Aadhaar, e-KYC, digital signatures — the foundation

A state government wants to build a scholarship disbursement system. Which DPI layers would it use?

  • Only the application layer — build a custom app from scratch
  • Identity (Aadhaar e-KYC), payments (DBT/UPI), data exchange (DigiLocker for certificates), and an application-layer portal
  • Only the payments layer — UPI for transfers
  • Only the identity layer — Aadhaar verification

India's DPI Stack in Detail

The "India Stack" is now studied and adapted worldwide, often with support from bodies like UNDP and the World Bank.

How to read the figures: DPI numbers move fast and vary by source. The scale figures below are approximate, drawn from official and press reporting current to mid-2026 — always re-check against UIDAI, NPCI, MeitY, NHA and RBI dashboards before quoting.

The building blocks

Aadhaar — identity layer

A 12-digit biometric-backed identity number. Enables e-KYC and yes/no authentication across services.

~1.42B numbers issued · ~99% of adults enrolled · UIDAI authority
Launched 2009 · Aadhaar Act 2016

UPI — payments layer

Unified Payments Interface: real-time interbank transfers via a mobile number, UPI ID or QR code. Operated by NPCI.

~23B transactions/month · ~₹29 lakh cr monthly value · NPCI operator
Launched 2016 · May 2026: ~23.2B transactions worth ~₹29.9 lakh crore (NPCI)

DigiLocker — document layer

A cloud document wallet where citizens store and share government-issued documents (marksheets, licences, certificates).

~67–70 cr users · ~850–950 cr documents issued · 125+ issuers
Launched 2015 · Ministry of Electronics & IT (MeitY)

ABHA / ABDM — health layer

Ayushman Bharat Health Account: a 14-digit health ID under the Ayushman Bharat Digital Mission, linking health records with consent-based sharing.

~90 cr ABHA numbers · ABDM framework · NHA authority
ABDM launched 2021 · ~90 cr ABHAs crossed in 2026 (NHA)

ONDC — commerce layer

Open Network for Digital Commerce: an open protocol for e-commerce, letting small retailers reach buyers across competing apps.

~7 lakh+ sellers · 1,200+ cities/towns · Open protocol
Launched 2022 · ONDC (Section 8 non-profit)

Account Aggregator — consent layer

Consent-based financial data sharing. Citizens control who can access which financial data, and for how long ("data empowerment").

~28 cr accounts linked by users · ~2.9B accounts enabled · RBI regulated
Framework since 2016 · ecosystem live from 2021 · Regulator: RBI

International comparisons (indicative)

Country | Identity | Payments | Data exchange | Character
India | Aadhaar | UPI | AA, ONDC, DigiLocker, ABDM | Broad, population-scale
Estonia | e-ID / e-Residency | SEPA | X-Road | Advanced, small population
Singapore | Singpass | PayNow | MyInfo, HealthHub | High quality, city-state
Kenya | Maisha Namba / Huduma | M-Pesa | Emerging | Mobile-money first
Brazil | CPF / Gov.br | Pix | Open Finance | Fast follower

Aadhaar — Promise, Peril, and Practice

Aadhaar is the world's largest biometric ID system and the foundation of India's DPI. For practitioners it is impossible to ignore — and it carries real ethical and operational trade-offs.

Context: Around 1.42 billion Aadhaar numbers have been issued, covering roughly 99% of adults. Authentication returns a yes/no match — "is this person who they claim to be?" — rather than retrieving a full profile.

How Aadhaar works

1. Enrolment: Biometrics (fingerprints, iris, photo) + demographics (name, address, DOB, gender)
2. De-duplication: The system checks biometrics against existing records to keep each number unique
3. Authentication: A yes/no match at the point of service — not a full identity lookup
4. Usage: DBT, e-KYC, ration portability, bank accounts, SIM, and more

The development case for Aadhaar

What Aadhaar has enabled

  • De-duplication helped weed out fake and duplicate beneficiaries across schemes; government-cited estimates put cumulative DBT savings at ~₹3.48 lakh crore (2009–2024), food subsidies contributing ~₹1.85 lakh crore
  • Direct Benefit Transfer (DBT) routes payments to bank accounts, reducing layers of intermediaries
  • Aadhaar-linked accounts sped up MGNREGA wage payments and improved on-time transfer rates
  • "One Nation One Ration Card" lets migrants draw PDS rations away from home
  • Provided a verifiable identity to many people who previously lacked any government ID

The concerns

What practitioners must watch

  • Exclusion errors: fingerprint authentication can fail for manual labourers and the elderly (worn prints), risking denial of benefits
  • Privacy & surveillance risk: a single ID linked across databases raises profiling and data-security concerns
  • Coercion in practice: services sometimes demand Aadhaar even where it is not legally required
  • Digital divide: elderly, disabled and remote populations struggle with biometric authentication
  • Seeding errors: a wrong Aadhaar-to-account link can misdirect a benefit to the wrong person

On the "2018 breach" claim — get this right. In January 2018, The Tribune reported that, for ₹500 paid to anonymous sellers on WhatsApp, a reporter obtained login credentials to a portal that could return demographic details tied to Aadhaar numbers. This was unauthorised access to a search facility (credential misuse via rogue operators), not a verified dump of "1.1 billion records" from the central biometric database. UIDAI publicly denied any breach of its core biometric data and controversially filed an FIR against the journalist. The accurate framing: a serious access-control and credential-misuse lapse was exposed; a mass exfiltration of biometrics was not established.

Supreme Court — Puttaswamy / Aadhaar judgment (26 Sept 2018): A five-judge bench upheld the Aadhaar Act by 4:1. It upheld Section 7 (Aadhaar may be required for subsidies, benefits and services funded from the Consolidated Fund), but struck down mandatory Aadhaar–bank and Aadhaar–SIM linking, and read down Section 57 so private companies cannot demand Aadhaar without a law. This built on the 2017 nine-judge ruling that privacy is a fundamental right. Practical takeaway: don't force Aadhaar where the law doesn't require it, and always offer an alternative.

Exercise: Aadhaar in your programme

You are designing a cash-transfer programme for elderly widows in rural Rajasthan. A meaningful share of beneficiaries fail fingerprint authentication due to worn prints. What should you do? (Illustrative)

  • Disqualify them — Aadhaar is mandatory and they can re-enrol later
  • Use alternative authentication (OTP, face auth, manual override), and record exclusion errors in your M&E
  • Abandon digital transfer and switch everyone back to physical cash
  • Wait for UIDAI to fix biometrics before launching

UPI and the Payments Revolution

UPI is the payments rail that most visibly changed everyday transactions in India — and the backbone of many DBT-based schemes.

Scale: By 2026, UPI was processing roughly 23 billion transactions a month (about ₹29 lakh crore in value), from a standing start in 2016 — among the world's largest real-time payment systems by volume.

How UPI works (simplified)

1. You scan a QR / enter a UPI ID: Any UPI app — PhonePe, Google Pay, Paytm, or a bank app
2. NPCI's UPI switch routes the request: It reaches your bank and the recipient's bank in real time
3. Banks settle: Actual money movement is settled between banks in the background
4. Both parties notified: The transaction typically completes within seconds

UPI & DBT for development

Use case | Before | After UPI / DBT | Effect
PM-KISAN (farmer support) | Cheques / cash via intermediaries, delays | Direct bank transfer, often same-day | ~₹6,000/yr to ~9.7 cr farmers; fewer intermediaries
MGNREGA wages | Transfers via block office, long delays | Aadhaar-linked DBT with time-bound release | Higher on-time payment rates
Scholarships | Manual disbursement, institutional capture | Direct to student's account, Aadhaar-seeded | Faster, more traceable
PM-SVANidhi (vendor loans) | Branch visits, paperwork, collateral | Digital application, digital disbursement | Reaches many first-time borrowers
NGO field expenses | Cash handling, reimbursement lag | UPI to field staff, instant reconciliation | Lower cash risk, better audit trail

The digital divide is real: UPI generally needs a smartphone and connectivity. Feature-phone options (USSD *99#) exist but are clunky, and connectivity is patchy in many areas. Always design a non-digital fallback for the least-connected part of your target population.

DBT leakage-savings model (illustrative)

This model builds intuition about how much leakage DBT + Aadhaar + UPI could prevent. These are teaching assumptions, not a claim about any specific scheme — real leakage varies enormously by programme and context.

Settings shown: ₹1,000 cr (total budget) · 35% (leakage) · 60% (leakage reduction)

Modelled result

Original leakage: ₹350 cr

After DBT + Aadhaar: ₹140 cr

Estimated recovery: ₹210 cr

That is 21% of the total budget recovered (in this illustrative model)

Governance, Privacy, and the DPDP Act

India's Digital Personal Data Protection (DPDP) Act, 2023 is its first comprehensive data-protection law. It governs how organisations — public and private — collect and process personal data.

Legal framework: The DPDP Act 2023 was passed in 2023; the accompanying DPDP Rules were finalised in 2025, with most substantive compliance obligations phasing in over roughly 18 months (into 2027). Penalties for serious breaches can run up to ₹250 crore.

Key provisions of the DPDP Act 2023

1. Consent is required

Personal data must generally be processed on free, specific, informed, unconditional and unambiguous consent given by clear affirmative action, with a plain-language notice. Consent can be withdrawn.

For practitioners: Build a clear consent step and privacy notice into your data-collection forms, and let people withdraw consent.

2. Data fiduciaries

Any entity that decides the purpose and means of processing personal data is a "Data Fiduciary" with legal obligations for security, purpose limitation and deletion once the purpose is served.

For practitioners: If your NGO collects beneficiary data, you are likely a Data Fiduciary — you need security measures, a grievance route, and a breach response.

3. Children's data

Processing a child's data (under 18) requires verifiable parental/guardian consent. Behavioural monitoring and targeted advertising directed at children are prohibited. Certain bodies (e.g. schools, healthcare) may get calibrated relief under the Rules.

For practitioners: Working with minors means obtaining verifiable parental consent for photos, surveys and any data collection.

4. Government exemptions

The central government may exempt its agencies from provisions on grounds such as security of the state and public order. Civil-society groups have flagged this as a significant carve-out.

For practitioners: Government programmes may collect more data than a private body could — advocate for data minimisation even where an exemption technically applies.

5. Rights of data principals

Individuals ("Data Principals") have rights to access information about processing, seek correction and erasure, grievance redressal, and nominate someone to exercise rights on their behalf.

For practitioners: Beneficiaries can ask what data you hold and request corrections — have a simple process ready.

DPI risk-assessment framework

Before implementing any DPI-dependent programme, work through these questions.

Risk | Questions to ask | Mitigation
Exclusion | Who lacks Aadhaar / a smartphone / connectivity? What share of your target group? | Alternative authentication, offline fallback, assisted enrolment
Privacy | What data are you collecting? Is it necessary? Who can access it? | Data minimisation, encryption, access controls, DPDP compliance
Surveillance | Could this data be used to track, profile or discriminate? | Purpose limitation, aggregation, anonymisation where possible
Vendor lock-in | Are you dependent on a single platform or provider? | Open standards, interoperability, data portability
Digital literacy | Can beneficiaries understand and control their digital footprint? | Literacy support, simple interfaces, helplines
System failure | What happens when servers are down or biometrics fail? | Offline modes, manual override, contingency budget

Your NGO wants to use Aadhaar e-KYC to verify beneficiaries for a nutrition programme. A village elder refuses, saying "the government already knows too much." What is the right response? (Illustrative)

  • Insist — Aadhaar is mandatory for government schemes, so refusal means exclusion
  • Offer alternative verification (ration card, voter ID, community verification) and document the consent/refusal
  • Exclude them — if they don't trust the system, they don't get benefits
  • Report them to the district administration for non-cooperation

Designing DPI-Enabled Development Programmes

This module brings everything together: how to design a programme that harnesses DPI's benefits while managing its risks — always with a fallback for the excluded.

Case study: A state wants to digitise its post-matric scholarship for SC/ST students. Here is how a DPI-aware practitioner would design it, layer by layer, with a fallback at every step. (Illustrative scenario)

Step 1 — Identity & eligibility

DPI layers: Aadhaar + DigiLocker

  • Student's Aadhaar → e-KYC verifies identity
  • Caste and income certificates pulled from DigiLocker auto-verify eligibility
  • Fallback: assisted manual verification for students without Aadhaar/DigiLocker

Step 2 — Application & processing

DPI layers: DigiLocker + state portal

  • Single-window portal — no repeated document submission
  • DigiLocker integration pulls documents automatically
  • Real-time application tracking for students
  • Fallback: Common Service Centres (CSCs) for students without internet

Step 3 — Disbursement

DPI layers: DBT + UPI + Aadhaar-linked account

  • Scholarship credited to the student's Aadhaar-seeded bank account
  • Instant notification to the student's mobile
  • Reconciliation via the Public Financial Management System (PFMS)
  • Fallback: alternative payout for students without a bank account

Step 4 — Monitoring & grievance

DPI layers: dashboard + grievance portal

  • Live dashboard: applied / processed / disbursed / pending
  • Auto-alerts when a case breaches its service-level deadline
  • Grievance portal with ticket tracking
  • Fallback: toll-free helpline and district help desks

Your design exercise (illustrative)

Design a digital maternal-health programme for pregnant women in rural Bihar offering: a ₹5,000 conditional cash transfer for antenatal care (in instalments), transport to hospital for delivery, and post-natal home visits by an ASHA worker. Map it to the DPI stack, then compare with the model answer.

Model answer

Identity: Aadhaar + ABHA for linking health records with consent

Eligibility: integrate with a maternity-benefit scheme (e.g. PMMVY) and pregnancy registration by the ANM

Payments: DBT to an Aadhaar-linked account via PFMS, with a mobile notification

Transport: integrate the 102/108 ambulance service

Monitoring: ABHA-linked records + an ASHA app to log visits

Fallbacks: CSC-assisted enrolment; alternative payout for women without accounts; community verification where Aadhaar auth fails

Privacy: encrypt health data, limit access to ANM/ASHA/medical officer, and take consent for each data share

Lab complete

You now understand India's Digital Public Infrastructure stack and can design programmes that use it responsibly, with fallbacks for those it might exclude.

  • Explain DPI layers and how they build on one another
  • Map India's DPI stack (Aadhaar, UPI, DigiLocker, ABHA, ONDC, Account Aggregator)
  • Weigh Aadhaar's benefits and risks — and cite the 2018 events and Puttaswamy judgment accurately
  • Use UPI and DBT for faster, more traceable transfers
  • Apply the DPDP Act 2023 to your organisation's data practices
  • Design DPI-enabled programmes with ethical, non-digital fallbacks