- Why schools face the strictest DPDP obligations
- Who the DPDP Act applies to in the education sector
- Every student is a "child" — why India's threshold matters
- Verifiable parental consent — the core obligation
- What schools are now prohibited from doing
- The student data schools actually collect
- Ed-tech, biometric, transport and CCTV vendors
- Data breach notification — the 72-hour clock
- Data retention — admission files, alumni, and exam records
- Real-world scenarios from school practice
- Penalty schedule and what stacks
- How LexWin helps schools comply
- Who needs this — education sector readiness table
- DPDP school readiness checklist
Why Schools Face the Strictest DPDP Obligations
Of every sector regulated by India's Digital Personal Data Protection Act 2023, none is treated more strictly than education. The reason is structural, not incidental: a school's core population — its students — are, by definition, children in the eyes of the law. Section 9 of the DPDP Act sets aside the ordinary consent framework that applies to adults and replaces it with a far more demanding regime the moment personal data belongs to anyone below the age of 18.
This changes the compliance calculus completely. A hospital must justify processing sensitive health data. A bank must justify processing financial data. A school does not process data that becomes sensitive in some circumstances — it processes children's data as its default, everyday, unavoidable activity, from the moment a parent fills in an admission enquiry form to the day a student collects their transfer certificate. Every consent, every vendor contract, every CCTV camera, and every school app used by a class of eight-year-olds sits inside the Act's most restrictive category.
The enforcement deadline is May 13, 2027, but schools should not read that date as breathing room. The DPDP Rules 2025, notified in November 2025, set out exactly how verifiable parental consent must work, and the penalty for getting children's data wrong is a flat sum — up to ₹200 crore — regardless of the size of the institution. A neighbourhood school with 400 students and a national school chain with 40,000 students face the same statutory ceiling. Preparation, not scale, determines exposure.
Section 9 of the DPDP Act requires Data Fiduciaries to obtain verifiable consent from a parent or lawful guardian before processing the personal data of any individual below 18 years of age, and it separately prohibits processing that is likely to cause detrimental effect on the well-being of a child, along with tracking, behavioural monitoring, and targeted advertising directed at children. There is no lighter compliance track for schools because their business is education rather than commerce — the Act applies with full force.
Who the DPDP Act Applies to in the Education Sector
The Act uses the term Data Fiduciary for any person or organization that determines the purpose and means of processing personal data. In education, this category is broader than just the school registered on paper. Every entity below is a Data Fiduciary in its own right and carries independent obligations under the Act:
K-12 Schools
CBSE, ICSE, IB, state board, and international schools — government-aided and private, day school and boarding — are all covered without exception.
Coaching Institutes & Tuition Centres
JEE/NEET coaching chains, tuition centres, and skill-training academies that enrol students under 18 carry the same children's-data obligations as formal schools.
Ed-Tech Platforms
Learning apps, online test platforms, homework portals, and AI tutoring tools that collect student data directly or through school licensing arrangements.
Colleges & Universities
Where a meaningful share of enrolled students are below 18 — undergraduate first-year intakes in particular — the same children's-data rules apply to that cohort.
School Transport Operators
Bus GPS tracking apps and transport management platforms that process live location data of children travelling to and from school.
Hostels & Boarding Facilities
Residential facilities that hold health, dietary, biometric, and emergency-contact data of minors living away from their parents carry heightened custodial obligations.
Third parties that process data purely on a school's instructions — biometric attendance vendors, school ERP software providers, CCTV integrators, and payment gateway operators — are classified as Data Processors. As with every sector under the Act, liability for compliance remains with the school as the Data Fiduciary. A school cannot outsource its DPDP obligations to the company that installed its attendance scanners; it can only outsource the technical task, while the legal responsibility stays with the institution.
Every Student Is a "Child" — Why India's Threshold Matters
Many school administrators, familiar with international privacy frameworks, assume the "children's data" threshold sits somewhere around 13 to 16 years — the age used in the EU's GDPR and several US state laws. The DPDP Act does not follow that pattern. Under Indian law, a child is any individual below the age of 18, with no lower carve-out for teenagers who might otherwise be treated as capable of giving their own consent.
The practical effect is that a Class 12 student preparing for board exams, an 17-year-old first-year college fresher, and a kindergarten child are all, without distinction, children under the DPDP Act. Every one of them requires verifiable parental consent before a school, ed-tech platform, or coaching institute processes their personal data — not just their guardian's consent as a formality, but consent that meets the verification standard the Rules prescribe.
| Feature | Global Norm (e.g. GDPR, COPPA) | DPDP Act 2023 (India) |
|---|---|---|
| Age threshold for "child" | Typically 13–16 years | 18 years — no exceptions or graduated thresholds |
| Consent basis | Child may self-consent above the threshold age | Parental or guardian consent required until 18, always |
| Behavioural tracking & ads | Restricted, with some permitted exceptions | Prohibited outright for any child, with very narrow exemptions |
| Applicability to secondary/senior students | Often self-consenting from age 16 | Class 11–12 and first-year college students still require parental consent |
This single design choice is why schools cannot simply adapt a privacy policy written for a Western ed-tech product. A consent flow that treats a 17-year-old as capable of accepting terms and conditions independently is non-compliant in India, regardless of how common that approach is elsewhere.
Verifiable Parental Consent — the Core Obligation
Obtaining a signature on the admission form that says "I consent to the school processing my child's data" is not, on its own, verifiable consent under the DPDP Rules 2025. The Rules require schools to adopt a mechanism that can reasonably confirm that the person giving consent is in fact the parent or lawful guardian of the child, and that the consent is informed, itemized, and specific to a stated purpose.
Beyond a Signature on the Admission Form
The DPDP Rules contemplate verification methods such as confirming parental identity through a reliable means already available to the Data Fiduciary — for example, identity and age details already provided by the parent when creating an account, or verified details available through a Digital Locker or similar government-recognized identity mechanism. A single, undated, bundled tick-box buried in a fifteen-page admission packet does not meet this standard. Schools need a distinct, itemized consent capture step — on paper or digitally — that is separately dated, separately retained, and tied to a specific parent or guardian identity.
Consent must also be purpose-specific and itemized. A school cannot obtain one blanket consent at admission that is then used to justify sharing student data with a school-app vendor, a transport company, a photography studio, and a social media page. Each distinct purpose — academic record-keeping, biometric attendance, bus tracking, health emergency contacts, photography for the school's own communications, and sharing with third-party ed-tech tools — requires its own clearly stated basis, even if captured within a single consent event at admission.
| Consent Scenario | Compliant Approach | Non-Compliant Approach |
|---|---|---|
| Admission form data collection | Separate, itemized consent section listing each purpose (academics, attendance, emergency contact, transport) | One general clause: "I agree to the school's terms and conditions" |
| Biometric attendance system | Specific opt-in explaining the biometric modality, storage, retention, and vendor involved | Assumed consent because the system is "standard practice" at the school |
| Third-party ed-tech app rollout | Fresh consent obtained before the app is introduced, naming the vendor and data shared | Existing admission-form consent stretched to cover a newly adopted app |
| Photography for school social media | Distinct opt-in, renewable annually, with an easy withdrawal mechanism | Photos posted by default unless a parent proactively objects |
Consent must also be as easy to withdraw as it was to give. A parent who wishes to withdraw consent for their child's photograph to appear on the school website, or for biometric data to be used, must be able to do so through a process no more burdensome than the one used to grant it in the first place — and the school must honour that withdrawal by ceasing the relevant processing.
What Schools Are Now Prohibited From Doing
Section 9 of the DPDP Act does not stop at requiring consent — it draws a hard line around certain categories of processing that are prohibited outright for children, irrespective of whether a parent has consented. This is a meaningfully different structure from adult data processing, where informed consent generally legitimizes most activities.
Data Fiduciaries are barred from processing a child's personal data in any manner likely to cause a detrimental effect on the child's well-being, and from undertaking tracking or behavioural monitoring of children or serving targeted advertisements directed at children. These prohibitions cannot be waived by parental consent — a parent cannot "opt in" their child to targeted advertising or behavioural tracking, because the law does not permit that category of processing for anyone under 18.
For schools, this has direct operational consequences that are easy to overlook because they feel like routine administrative tools rather than "tracking":
School Apps With Ad-Supported Features
Any free school communication or learning app that monetizes through targeted advertising to student users is very likely non-compliant, regardless of the school's own intentions.
Behavioural Profiling in Ed-Tech
Adaptive learning platforms that build detailed behavioural profiles of individual students to serve third-party content or products cross into prohibited territory, even where the profiling is framed as "personalization."
Location Data Beyond Its Stated Purpose
Bus-tracking GPS data collected for safety purposes cannot be repurposed to build movement profiles or shared with unrelated third parties without separately justifying that use.
Schools evaluating any third-party app, platform, or vendor should treat these prohibitions as a threshold screening question before signing a contract, not a compliance detail to address afterward.
The Student Data Schools Actually Collect
A school's data footprint is larger and more varied than most administrators realize, because student data accumulates across academic, administrative, health, and disciplinary functions simultaneously. Mapping this footprint is the necessary first step before any consent redesign or vendor review can be meaningful.
| Data Category | Examples | Where It Typically Lives |
|---|---|---|
| Admission & identity data | Name, date of birth, address, Aadhaar/birth certificate copies, parent occupation and income | Admission office, school ERP, paper files |
| Academic records | Marks, report cards, transcripts, board exam registration data | School ERP, board portals, examination cell |
| Biometric data | Fingerprint or facial recognition for attendance, library access, canteen payment | Third-party biometric vendor systems |
| Health & medical data | Allergies, medical conditions, immunization records, emergency medical consent | School nurse/infirmary records, admission forms |
| CCTV & surveillance | Continuous video recording of classrooms, corridors, playgrounds, and buses | On-premise DVR/NVR systems or cloud CCTV vendors |
| Transport data | Live GPS location, boarding/alighting timestamps, route and driver assignment | Third-party transport management app |
| Digital learning data | Login credentials, usage patterns, assignment submissions, quiz performance | Ed-tech platforms, learning management systems |
| Photographs & media | Event photography, yearbook images, social media posts, promotional material | School social media accounts, website, printed publications |
| Disciplinary & counselling records | Behavioural notes, counsellor session records, disciplinary committee findings | Principal's office, counselling department files |
| Financial data | Fee payment records, scholarship applications, sibling concession details | Accounts office, payment gateway logs |
Several of these categories — health data, biometric data, and disciplinary/counselling records — sit at the intersection of "children's data" and data that would independently be treated as sensitive in most privacy frameworks. Schools handling this data should apply the highest standard of consent and security available to them, not the minimum the Act technically permits.
Ed-Tech, Biometric, Transport and CCTV Vendors
A school's DPDP compliance is only as strong as its weakest vendor contract. The Act places responsibility for a Data Processor's conduct on the Data Fiduciary that engaged it — meaning the school, not the biometric vendor or the ed-tech company, bears the legal consequence when a vendor mishandles student data.
What Vendor Contracts Must Now Include
Every agreement between a school and a party that processes student data on its behalf should specify the processing activity and its exact purpose, prohibit the vendor from using student data for its own commercial purposes — including product development or advertising — require security safeguards proportionate to the sensitivity of children's data, mandate prompt breach notification to the school so it can meet its own 72-hour Board notification obligation, and provide for data deletion or return once the contract ends or a student leaves the school.
The Learning App That Used Student Data to Train Its Own Product
A school licenses a popular ed-tech learning app for its middle-school students. The app's terms of service, which the school never carefully reviewed, permit the vendor to use anonymized usage data to "improve product features," which in practice includes building behavioural profiles used to recommend paid add-on courses directly to students through in-app notifications, without any parental visibility into the recommendation logic.
Under the DPDP Act: This is very likely both a consent violation — parents did not give itemized, informed consent for behavioural profiling — and a direct breach of the Section 9 prohibition on behavioural monitoring and targeted advertising to children. The school, as the Data Fiduciary that selected and onboarded the vendor, bears responsibility for having failed to vet the vendor's data practices before rollout. "We didn't know the app did that" is not a defence available to a Data Fiduciary.
Key Vendor Categories and What to Check
| Vendor Type | Student Data They Process | Key Contract Requirement |
|---|---|---|
| School ERP / Management Software | Complete student records, marks, attendance, fee data, parent contact details | Security standards, breach notification within 24 hours, data localization, no secondary use |
| Biometric Attendance Vendors | Fingerprint or facial biometric templates, attendance logs | Encrypted storage, no biometric data sharing with third parties, deletion protocol on student exit |
| Ed-Tech / Learning Platforms | Login activity, assignment data, quiz scores, behavioural usage patterns | Explicit prohibition on behavioural profiling and targeted content promotion; parental consent alignment |
| Transport Management Apps | Live GPS location of the child, boarding/alighting timestamps | Purpose limitation to safety tracking only; parent-only access; auto-deletion of historical location logs |
| CCTV / Surveillance Providers | Continuous video of students across school premises | Defined retention period, restricted access logging, no facial-recognition analytics without separate consent |
| Payment Gateway / Fee Portals | Parent financial data, fee payment history, sibling and concession records | PCI-DSS compliance, data minimization, no cross-use for marketing by the payment provider |
| Photography & Yearbook Studios | Student photographs and video footage of school events | Consent alignment with school's own photography policy; restriction on studio's independent use or publication |
Data Breach Notification — the 72-Hour Clock
Under the DPDP Rules 2025, a school that experiences a personal data breach must notify the Data Protection Board of India without delay, and in any event the Board expects notification within a tight window benchmarked at 72 hours from the point the breach becomes known. Because the data involved is children's data, the reputational and regulatory stakes of a delayed or absent notification are especially high — a school cannot treat a leaked student database the way a retailer might treat a leaked customer email list.
Affected parents must also be informed without undue delay, in clear and plain language describing the nature of the breach, the likely consequences, and the measures being taken. For a school, this means having a communication protocol ready in advance — not improvised in the middle of a crisis involving anxious parents of minor children.
The most likely breach scenario for most schools is not a sophisticated cyberattack but a misconfigured cloud folder, a stolen staff laptop containing an unencrypted student database, a WhatsApp group where a staff member accidentally shares a spreadsheet of student medical conditions, or a third-party vendor's own security failure. Schools should assess breach readiness against these mundane, high-probability scenarios, not only against dramatic hacking events.
Data Retention — Admission Files, Alumni, and Exam Records
The DPDP Act's default principle is that personal data should be deleted or anonymized once the purpose for which it was collected has been fulfilled. Schools operate under multiple, sometimes competing, retention obligations: board and university regulations often require academic records to be preserved for extended periods, RTE Act compliance imposes its own documentation requirements, and alumni relations functions want to retain contact data indefinitely for outreach.
Where a specific statutory or regulatory retention period applies — for example, board examination records or records required for RTE reporting — that period constitutes a legitimate basis for continued retention even after a student has left the school. Once that period lapses, however, the data should be securely destroyed or anonymized unless the school has obtained fresh, purpose-specific consent to retain it for something like alumni engagement.
Many schools maintain informal alumni databases built from admission records of students who graduated years or decades ago, often including outdated contact details, family information, and even old disciplinary notes never purged from the original file. Because this data was originally collected for admission and academic purposes — not alumni engagement — continuing to hold and use it for reunion invitations or fundraising outreach without a fresh consent basis sits on uncertain legal footing. Schools building alumni programmes should treat alumni consent as a distinct data collection exercise, not an extension of the original student file.
Real-World Scenarios From School Practice
The following scenarios illustrate how DPDP obligations translate into situations that will be familiar to school administrators, principals, and trustees.
The Fingerprint System Nobody Formally Consented To
A school introduces a fingerprint-based attendance system for students in Grades 6 and above, citing efficiency and accuracy over the manual register. The system was rolled out through a circular sent home in the student diary, with no separate consent form and no opt-out mechanism offered to parents uncomfortable with biometric collection for a minor.
DPDP analysis: Biometric data is inherently high-risk data, and its collection from children requires itemized, verifiable parental consent — not a general circular assumed to constitute agreement. The absence of an opt-out mechanism compounds the exposure: parents who object have no compliant pathway available to them. The school should pause the rollout, issue a proper itemized consent form describing exactly what biometric data is captured, how it is stored, who the vendor is, and how long it is retained, and provide parents a genuine choice.
The Sports Day Album That Went Straight to Instagram
A school's marketing team posts an album of Annual Sports Day photographs to the school's public Instagram account the same evening, tagging student names in several captions for a "student of the day" feature. The admission form contained a general clause permitting "use of student images for school publicity," but several parents had separately, in writing, requested that their child's photographs not be used on public platforms due to family safety concerns.
DPDP analysis: Even where general photography consent exists, a parent's specific withdrawal request must be honoured — consent that has been withdrawn cannot continue to justify processing. Publishing identifiable images of minors, including their names, on a public social media account also raises the question of whether this use falls within the original stated purpose of the consent obtained. Schools should maintain an easily searchable, mandatory "do not publish" list that marketing and communications staff check before every public posting involving student images.
The Medical Information Spreadsheet Shared Over WhatsApp
Ahead of an annual excursion, a class teacher compiles a spreadsheet listing every student's allergies, medications, and emergency contact numbers, and shares it with the accompanying staff over a WhatsApp group that also includes two parent volunteers, for convenience. The spreadsheet remains in the group chat indefinitely, accessible to anyone added to the group later, including a substitute teacher who joins the following term.
DPDP analysis: Health data of children is highly sensitive, and sharing it through an unmanaged, persistent channel like a personal WhatsApp group — with data remaining accessible to future group members never contemplated in the original purpose — falls short of reasonable security safeguards. Schools need a formal protocol for excursion and emergency medical data: time-bound access, deletion after the event, and no distribution through personal messaging channels used interchangeably for social and administrative purposes.
The "Free" App That Wasn't Free of Data Monetization
A school adopts a free online quiz and gamified learning app for primary students, chosen because it required no procurement budget. The app's privacy policy, written for a global audience and never reviewed by the school's administration, discloses that it shares "de-identified usage data" with advertising partners and displays banner advertisements within the free tier that students use during class.
DPDP analysis: An app that serves advertisements to child users during school-directed use very likely breaches the Section 9 prohibition on targeted advertising to children — and the fact that the app is "free" and adopted with good intentions does not change the school's exposure as the Data Fiduciary that selected it. Before adopting any third-party digital tool, schools should require a written data practices summary from the vendor and confirm, in writing, that the product does not serve advertising to or build behavioural profiles of student users.
Penalty Schedule and What Stacks
The DPDP Act's penalties are assessed per violation, not per incident, and a single lapse can trigger more than one violation simultaneously. For schools, the children's-data violation category is the one that carries the most direct and severe exposure.
DPDP Act — Penalty Schedule (Education-Relevant Violations)
A school that rolls out a biometric attendance system without verifiable consent, and later suffers a breach of that same biometric database due to inadequate security, faces exposure under both the children's-data provision and the security safeguards provision simultaneously — a combined theoretical maximum running into hundreds of crores. In practice, the Data Protection Board will weigh the scale of the institution, the number of children affected, and remediation efforts in setting the actual penalty, but the statutory ceiling applies regardless of whether the school is a large chain or a single neighbourhood institution.
How LexWin Helps Schools Comply
DPDP compliance for a school is not primarily an IT project — it is a governance exercise that touches admissions, academics, transport, health, marketing, and every vendor relationship the institution maintains. LexWin combines legal expertise in the DPDP Act with practical familiarity with how schools actually operate, to build compliance that survives an actual regulatory inquiry, not just a policy document that sits unread in a file.
Student Data Mapping
We audit every touchpoint where student data is collected — admissions, academics, biometrics, health, transport, CCTV, and digital learning tools — and map each category to its legal basis, current consent status, and retention obligation.
Verifiable Consent Redesign
We design and draft an itemized, purpose-specific parental consent framework aligned with the DPDP Rules' verification requirements — covering admission, biometrics, photography, transport, and third-party app usage — with a clear, usable withdrawal mechanism.
Vendor & Ed-Tech Contract Review
We review and redraft agreements with ERP providers, biometric vendors, transport apps, CCTV integrators, and ed-tech platforms — screening specifically for prohibited behavioural profiling and targeted advertising risk before a vendor is onboarded.
Breach Response Protocol
We build a school-specific incident response protocol calibrated to the Board's notification window, including a parent communication template suited to a school community and a documentation framework for regulatory follow-up.
Staff Training & Governance
We train teaching, administrative, and support staff on day-to-day DPDP obligations — from WhatsApp data-sharing habits to photography practices — and assist in appointing a Grievance Officer and setting up a parent-facing rights request process.
Is Your School Ready for DPDP Enforcement?
Most schools have not yet reviewed their consent forms, vendor contracts, or app choices against the DPDP Act's children's-data provisions. With May 2027 eleven months away, the time to act is before the Board is constituted and enforcement begins.
Book a Free DPDP Compliance Review →Who Needs This — Education Sector Readiness Table
| Institution Type | Primary DPDP Exposure | Most Urgent Action |
|---|---|---|
| K-12 School (Day) | High — biometric attendance, CCTV, photography, admission data, multiple vendors | Itemized consent redesign; vendor contract review; do-not-publish list for photography |
| Boarding / Residential School | Very High — health data, extended custodial responsibility, staff access to sensitive records | Health data access controls; hostel staff training; emergency data protocol |
| Coaching Institute / Tuition Chain | High — large student volumes, digital test platforms, minimal formal consent processes historically | Formal consent capture; digital platform vendor review; retention policy for test data |
| Ed-Tech Platform | Very High — direct Section 9 exposure on tracking, profiling, and advertising prohibitions | Product audit for behavioural profiling and ad-serving; consent mechanism redesign; school-client DPAs |
| College / University (UG intake) | Medium-High — under-18 first-year cohort requires the same protections as school students | Age-segmented consent process; admission data mapping for under-18 enrollees |
| School Transport Operator | Medium — live location data of minors, third-party app dependency | Purpose limitation clause with school; parent-only access controls; location data retention limits |
| School Chain / Trust (multiple campuses) | High — centralized data systems, group-wide vendor contracts, reputational stakes across campuses | Group-wide policy standardization; centralized breach protocol; Grievance Officer appointment |
DPDP School Readiness Checklist
Use this checklist to assess where your institution stands. If any item is incomplete, it represents a compliance gap that should be addressed before enforcement begins in May 2027.