Educational institutions, both graduate institutions and undergraduate institutions where the students are minors, face a DPDPA challenge. These institutions collect parents’ information, financial information of students and parents for educational loans and fee collection, health information, etc. Some personal information related to the education is also generated by the institution itself, including mark sheets. All of this is retained almost indefinitely.
In India there are many integrated institutions where students join as minors and graduate as adults, or their information stays in the system for years after they become adults and turn alumni.
Existing institutions also have “Legacy Data” of huge volume. The data can be considered “Sensitive”, as we have often found that students who become celebrities later in life are questioned about their qualifications, age, etc. on the basis of their educational records and could lose their positions, and even end up in jail, if the data is wrong.
Hence Educational Institutions are eminently qualified to be considered as “Significant Data Fiduciaries” under DPDPA 2023.
Currently we are not aware that DPDPA 2023 or its rules provide any sectoral concessions for Educational Institutions.
We must appreciate that even the names of individuals are getting standardized only in the current generation. For people of our generation, our records had no “Second” name. We simply had “Initials”, which were the first name of the father and sometimes of the place of birth. If, therefore, one looks at our SSLC marks card, there will be a discrepancy in the name itself. The date of birth was also accepted as per the SSLC records, and prior to that in the schools, whatever date the parent mentioned at the time of admission was accepted. Also, contacts were mostly through addresses which may not even exist today.
If, therefore, we are talking of “Consent” for legacy data, there is no way an educational institution which is 50 years or older can issue notices and obtain consents.
At the same time, it is not appropriate for institutions to remove the data for lack of consent after releasing a public notice and not getting a response for, say, 1 year.
The DPDPA rules did remember educational institutions while creating Schedule IV, which states the conditions under which the tracking and behavioural monitoring of children are exempted, and it includes the educational sector. Strangely, it covers transport operators ferrying children or creches. As far as Educational institutions themselves are concerned, the exemption is restricted to supporting implementation of any healthcare treatment and referral plan recommended by a healthcare professional for a child, to the extent necessary for the protection of her health.
It is urgently required that Educational Institutions be exempted from “Sending Notice and Obtaining Consent” for legacy information. Alternatively, they can be asked to publish a note on their websites calling on all students and parents who have earlier provided their personal information to inform them of any changes or inaccuracies. If anybody suggests a change of name in their marks card, it cannot, however, be implemented automatically. In such cases the old data and the suggested corrected data must both be retained.
Even with such a simple procedure, if every student starts exercising their “Right to Access”, that itself will require unreasonably large resources for a school or a college.
A debate is required by MeitY with the educational sector to provide some reasonable exemptions to protect against unintended violations of the law.
In this context we may recall that recently, in Singapore, one medical institution, namely the Academy of Medicine Singapore, providing professional education, was fined for a ransomware attack resulting in the exfiltration of personal data of 6574 persons. The leaked data included passport number, NRIC number and date of birth, besides other information such as name, photo, etc. The fine was nominal, about $9000. However, the fact to be noted is that it was an educational institution, the loss of data was due to an external attack, and it involved only a small number of data sets.
In this context, if one lakh data sets are compromised in an Indian educational institution with biometric and Aadhaar data, it would be interesting to see how much of a fine would be reasonable. Such risks are possible and need to be factored in.
Most educational institutions run under a single Trust, and whether they need one DPO for each institution or one DPO for the entire group is another area of doubt. There are many more such issues that may come up in the administration of educational institutions, not all of which may have the resources to manage compliance like a commercial entity.
FDPPI, after its last industry interaction, has suggested that a special interest group (SIG) will be formed by FDPPI to study the impact of the DPDPA on educational institutions on a continuing basis, and is in the process of identifying the right members for this SIG-Education.
Interested persons should contact FDPPI and volunteer.
Naavi