Q5 - How does DPDPA apply to educational institutions handling minors’ data?
The Digital Personal Data Protection Act, 2023 (DPDPA) applies fully to schools, colleges, and educational platforms that collect, store, or process students’ personal data, especially when those students are under 18 years of age.
Since the Act defines a “child” as anyone below 18, educational institutions must treat all such data as sensitive personal data and follow stricter obligations to ensure safety, consent, and lawful processing.
1. Key Legal Provisions
Section 9(1) —
A Data Fiduciary shall, before processing any personal data of a child or a person with disability having a lawful guardian, obtain verifiable consent of the parent or lawful guardian.
Section 9(2) —
A Data Fiduciary shall not undertake processing that is detrimental to the well-being of a child.
Section 9(3) —
A Data Fiduciary shall not engage in tracking, behavioural monitoring, or targeted advertising directed at children
2. What This Means for Educational Institutions
Educational institutions — whether public, private, or digital — are Data Fiduciaries when handling student information.
They must:
- Obtain verifiable parental or guardian consent before collecting any data (e.g., during admission, registration, or e-learning access).
- Avoid any form of profiling or advertising aimed at children.
- Ensure all student data is used only for educational or welfare purposes.
- Protect data with strong security measures to prevent misuse, breaches, or leaks.
Failure to comply can attract penalties up to ₹200–₹250 crore, depending on severity.
3. Examples of Covered Data
| Type of Data | Examples | Compliance Requirement |
|---|---|---|
| Identity Information | Name, age, address, Aadhaar, ID card, guardian details | Must be collected with parental consent |
| Educational Records | Marks, attendance, report cards | Use only for academic or administrative purposes |
| Digital Learning Data | Online classroom logs, LMS usage, device info | Must ensure privacy and prevent profiling |
| CCTV or Biometric Data | Entry footage, facial scans, fingerprint attendance | Requires explicit parental consent and strict access controls |
A school using an app to record attendance through face recognition must first obtain verifiable parental consent and ensure the app does not share data with third parties for analytics or advertising.
4. Prohibition on Behavioural Tracking and Ads
DPDPA strictly bans:
- Tracking or behavioural profiling of children (e.g., monitoring browsing history or classroom device activity for marketing insights).
- Targeted ads directed at minors.
Any learning platform or ed-tech provider engaging in such activities would be in violation of Section 9(3).
5. Government Oversight and Safe-Processing Exemptions
Section 9(5) allows the Central Government to notify classes of Data Fiduciaries as “verifiably safe processors.”
If the Government is satisfied that an institution ensures child-safe processing, it may exempt that organization from certain obligations (like repeated parental consent).
This provision is expected to benefit reputed schools or ed-tech platforms with certified child-safety frameworks.
6. Key Takeaway
- Schools, colleges, and ed-tech platforms processing student data are fully covered under DPDPA.
- They must:
- Obtain verifiable parental consent.
- Ensure no harmful or commercial use of children’s data.
- Avoid tracking and advertising directed at minors.
- Maintain robust security and transparency.
- The Government may grant exemptions only to institutions proven to follow verifiably safe child-data practices.
Referenced Provisions:
- Section 2(f) – Definition of “child” (under 18 years).
- Section 9(1–5) – Processing of personal data of children.
- Section 8(5) – Security safeguards.
- Section 33(1) – Penalties for non-compliance.