Why Schools Face the Strictest DPDP Obligations

Of every sector regulated by India's Digital Personal Data Protection Act 2023, none is treated more strictly than education. The reason is structural, not incidental: a school's core population — its students — are, by definition, children in the eyes of the law. Section 9 of the DPDP Act sets aside the ordinary consent framework that applies to adults and replaces it with a far more demanding regime the moment personal data belongs to anyone below the age of 18.

This changes the compliance calculus completely. A hospital must justify processing sensitive health data. A bank must justify processing financial data. A school does not process data that becomes sensitive in some circumstances — it processes children's data as its default, everyday, unavoidable activity, from the moment a parent fills in an admission enquiry form to the day a student collects their transfer certificate. Every consent, every vendor contract, every CCTV camera, and every school app used by a class of eight-year-olds sits inside the Act's most restrictive category.

The enforcement deadline is May 13, 2027, but schools should not read that date as breathing room. The DPDP Rules 2025, notified in November 2025, set out exactly how verifiable parental consent must work, and the penalty for getting children's data wrong is a flat sum — up to ₹200 crore — regardless of the size of the institution. A neighbourhood school with 400 students and a national school chain with 40,000 students face the same statutory ceiling. Preparation, not scale, determines exposure.

The Provision Every School Must Internalise

Section 9 of the DPDP Act requires Data Fiduciaries to obtain verifiable consent from a parent or lawful guardian before processing the personal data of any individual below 18 years of age, and it separately prohibits processing that is likely to cause detrimental effect on the well-being of a child, along with tracking, behavioural monitoring, and targeted advertising directed at children. There is no lighter compliance track for schools because their business is education rather than commerce — the Act applies with full force.

Who the DPDP Act Applies to in the Education Sector

The Act uses the term Data Fiduciary for any person or organization that determines the purpose and means of processing personal data. In education, this category is broader than just the school registered on paper. Every entity below is a Data Fiduciary in its own right and carries independent obligations under the Act:

K-12 Schools

CBSE, ICSE, IB, state board, and international schools — government-aided and private, day school and boarding — are all covered without exception.

Coaching Institutes & Tuition Centres

JEE/NEET coaching chains, tuition centres, and skill-training academies that enrol students under 18 carry the same children's-data obligations as formal schools.

Ed-Tech Platforms

Learning apps, online test platforms, homework portals, and AI tutoring tools that collect student data directly or through school licensing arrangements.

Colleges & Universities

Where a meaningful share of enrolled students are below 18 — undergraduate first-year intakes in particular — the same children's-data rules apply to that cohort.

School Transport Operators

Bus GPS tracking apps and transport management platforms that process live location data of children travelling to and from school.

Hostels & Boarding Facilities

Residential facilities that hold health, dietary, biometric, and emergency-contact data of minors living away from their parents carry heightened custodial obligations.

Third parties that process data purely on a school's instructions — biometric attendance vendors, school ERP software providers, CCTV integrators, and payment gateway operators — are classified as Data Processors. As with every sector under the Act, liability for compliance remains with the school as the Data Fiduciary. A school cannot outsource its DPDP obligations to the company that installed its attendance scanners; it can only outsource the technical task, while the legal responsibility stays with the institution.

Every Student Is a "Child" — Why India's Threshold Matters

Many school administrators, familiar with international privacy frameworks, assume the "children's data" threshold sits somewhere around 13 to 16 years — the age used in the EU's GDPR and several US state laws. The DPDP Act does not follow that pattern. Under Indian law, a child is any individual below the age of 18, with no lower carve-out for teenagers who might otherwise be treated as capable of giving their own consent.

The practical effect is that a Class 12 student preparing for board exams, a 17-year-old first-year college fresher, and a kindergarten child are all, without distinction, children under the DPDP Act. Every one of them requires verifiable parental consent before a school, ed-tech platform, or coaching institute processes their personal data — not just their guardian's consent as a formality, but consent that meets the verification standard the Rules prescribe.

| Feature | Global Norm (e.g. GDPR, COPPA) | DPDP Act 2023 (India) |
| --- | --- | --- |
| Age threshold for "child" | Typically 13–16 years | 18 years — no exceptions or graduated thresholds |
| Consent basis | Child may self-consent above the threshold age | Parental or guardian consent required until 18, always |
| Behavioural tracking & ads | Restricted, with some permitted exceptions | Prohibited outright for any child, with very narrow exemptions |
| Applicability to secondary/senior students | Often self-consenting from age 16 | Class 11–12 and first-year college students still require parental consent |

This single design choice is why schools cannot simply adapt a privacy policy written for a Western ed-tech product. A consent flow that treats a 17-year-old as capable of accepting terms and conditions independently is non-compliant in India, regardless of how common that approach is elsewhere.

Obtaining a signature on the admission form that says "I consent to the school processing my child's data" is not, on its own, verifiable consent under the DPDP Rules 2025. The Rules require schools to adopt a mechanism that can reasonably confirm that the person giving consent is in fact the parent or lawful guardian of the child, and that the consent is informed, itemized, and specific to a stated purpose.

What "Verifiable" Actually Requires

Beyond a Signature on the Admission Form

The DPDP Rules contemplate verification methods such as confirming parental identity through a reliable means already available to the Data Fiduciary — for example, identity and age details already provided by the parent when creating an account, or verified details available through a Digital Locker or similar government-recognized identity mechanism. A single, undated, bundled tick-box buried in a fifteen-page admission packet does not meet this standard. Schools need a distinct, itemized consent capture step — on paper or digitally — that is separately dated, separately retained, and tied to a specific parent or guardian identity.

Consent must also be purpose-specific and itemized. A school cannot obtain one blanket consent at admission that is then used to justify sharing student data with a school-app vendor, a transport company, a photography studio, and a social media page. Each distinct purpose — academic record-keeping, biometric attendance, bus tracking, health emergency contacts, photography for the school's own communications, and sharing with third-party ed-tech tools — requires its own clearly stated basis, even if captured within a single consent event at admission.

| Consent Scenario | Compliant Approach | Non-Compliant Approach |
| --- | --- | --- |
| Admission form data collection | Separate, itemized consent section listing each purpose (academics, attendance, emergency contact, transport) | One general clause: "I agree to the school's terms and conditions" |
| Biometric attendance system | Specific opt-in explaining the biometric modality, storage, retention, and vendor involved | Assumed consent because the system is "standard practice" at the school |
| Third-party ed-tech app rollout | Fresh consent obtained before the app is introduced, naming the vendor and data shared | Existing admission-form consent stretched to cover a newly adopted app |
| Photography for school social media | Distinct opt-in, renewable annually, with an easy withdrawal mechanism | Photos posted by default unless a parent proactively objects |

Consent must also be as easy to withdraw as it was to give. A parent who wishes to withdraw consent for their child's photograph to appear on the school website, or for biometric data to be used, must be able to do so through a process no more burdensome than the one used to grant it in the first place — and the school must honour that withdrawal by ceasing the relevant processing.

What Schools Are Now Prohibited From Doing

Section 9 of the DPDP Act does not stop at requiring consent — it draws a hard line around certain categories of processing that are prohibited outright for children, irrespective of whether a parent has consented. This is a meaningfully different structure from adult data processing, where informed consent generally legitimizes most activities.

Absolute Prohibitions Under Section 9

Data Fiduciaries are barred from processing a child's personal data in any manner likely to cause a detrimental effect on the child's well-being, and from undertaking tracking or behavioural monitoring of children or serving targeted advertisements directed at children. These prohibitions cannot be waived by parental consent — a parent cannot "opt in" their child to targeted advertising or behavioural tracking, because the law does not permit that category of processing for anyone under 18.

For schools, this has direct operational consequences that are easy to overlook because they feel like routine administrative tools rather than "tracking":

School Apps With Ad-Supported Features

Any free school communication or learning app that monetizes through targeted advertising to student users is very likely non-compliant, regardless of the school's own intentions.

Behavioural Profiling in Ed-Tech

Adaptive learning platforms that build detailed behavioural profiles of individual students to serve third-party content or products cross into prohibited territory, even where the profiling is framed as "personalization."

Location Data Beyond Its Stated Purpose

Bus-tracking GPS data collected for safety purposes cannot be repurposed to build movement profiles or shared with unrelated third parties without separately justifying that use.

Schools evaluating any third-party app, platform, or vendor should treat these prohibitions as a threshold screening question before signing a contract, not a compliance detail to address afterward.

The Student Data Schools Actually Collect

A school's data footprint is larger and more varied than most administrators realize, because student data accumulates across academic, administrative, health, and disciplinary functions simultaneously. Mapping this footprint is the necessary first step before any consent redesign or vendor review can be meaningful.

| Data Category | Examples | Where It Typically Lives |
| --- | --- | --- |
| Admission & identity data | Name, date of birth, address, Aadhaar/birth certificate copies, parent occupation and income | Admission office, school ERP, paper files |
| Academic records | Marks, report cards, transcripts, board exam registration data | School ERP, board portals, examination cell |
| Biometric data | Fingerprint or facial recognition for attendance, library access, canteen payment | Third-party biometric vendor systems |
| Health & medical data | Allergies, medical conditions, immunization records, emergency medical consent | School nurse/infirmary records, admission forms |
| CCTV & surveillance | Continuous video recording of classrooms, corridors, playgrounds, and buses | On-premise DVR/NVR systems or cloud CCTV vendors |
| Transport data | Live GPS location, boarding/alighting timestamps, route and driver assignment | Third-party transport management app |
| Digital learning data | Login credentials, usage patterns, assignment submissions, quiz performance | Ed-tech platforms, learning management systems |
| Photographs & media | Event photography, yearbook images, social media posts, promotional material | School social media accounts, website, printed publications |
| Disciplinary & counselling records | Behavioural notes, counsellor session records, disciplinary committee findings | Principal's office, counselling department files |
| Financial data | Fee payment records, scholarship applications, sibling concession details | Accounts office, payment gateway logs |

Several of these categories — health data, biometric data, and disciplinary/counselling records — sit at the intersection of "children's data" and data that would independently be treated as sensitive in most privacy frameworks. Schools handling this data should apply the highest standard of consent and security available to them, not the minimum the Act technically permits.

Ed-Tech, Biometric, Transport and CCTV Vendors

A school's DPDP compliance is only as strong as its weakest vendor contract. The Act places responsibility for a Data Processor's conduct on the Data Fiduciary that engaged it — meaning the school, not the biometric vendor or the ed-tech company, bears the legal consequence when a vendor mishandles student data.

What Vendor Contracts Must Now Include

Every agreement between a school and a party that processes student data on its behalf should specify the processing activity and its exact purpose, prohibit the vendor from using student data for its own commercial purposes — including product development or advertising — require security safeguards proportionate to the sensitivity of children's data, mandate prompt breach notification to the school so it can meet its own 72-hour Board notification obligation, and provide for data deletion or return once the contract ends or a student leaves the school.

Scenario — Ed-Tech Vendor Overreach

The Learning App That Used Student Data to Train Its Own Product

A school licenses a popular ed-tech learning app for its middle-school students. The app's terms of service, which the school never carefully reviewed, permit the vendor to use anonymized usage data to "improve product features," which in practice includes building behavioural profiles used to recommend paid add-on courses directly to students through in-app notifications, without any parental visibility into the recommendation logic.

Under the DPDP Act: This is very likely both a consent violation — parents did not give itemized, informed consent for behavioural profiling — and a direct breach of the Section 9 prohibition on behavioural monitoring and targeted advertising to children. The school, as the Data Fiduciary that selected and onboarded the vendor, bears responsibility for having failed to vet the vendor's data practices before rollout. "We didn't know the app did that" is not a defence available to a Data Fiduciary.

Key Vendor Categories and What to Check

| Vendor Type | Student Data They Process | Key Contract Requirement |
| --- | --- | --- |
| School ERP / Management Software | Complete student records, marks, attendance, fee data, parent contact details | Security standards, breach notification within 24 hours, data localization, no secondary use |
| Biometric Attendance Vendors | Fingerprint or facial biometric templates, attendance logs | Encrypted storage, no biometric data sharing with third parties, deletion protocol on student exit |
| Ed-Tech / Learning Platforms | Login activity, assignment data, quiz scores, behavioural usage patterns | Explicit prohibition on behavioural profiling and targeted content promotion; parental consent alignment |
| Transport Management Apps | Live GPS location of the child, boarding/alighting timestamps | Purpose limitation to safety tracking only; parent-only access; auto-deletion of historical location logs |
| CCTV / Surveillance Providers | Continuous video of students across school premises | Defined retention period, restricted access logging, no facial-recognition analytics without separate consent |
| Payment Gateway / Fee Portals | Parent financial data, fee payment history, sibling and concession records | PCI-DSS compliance, data minimization, no cross-use for marketing by the payment provider |
| Photography & Yearbook Studios | Student photographs and video footage of school events | Consent alignment with school's own photography policy; restriction on studio's independent use or publication |

Data Breach Notification — the 72-Hour Clock

Under the DPDP Rules 2025, a school that experiences a personal data breach must notify the Data Protection Board of India without delay, and in any event the Board expects notification within a tight window benchmarked at 72 hours from the point the breach becomes known. Because the data involved is children's data, the reputational and regulatory stakes of a delayed or absent notification are especially high — a school cannot treat a leaked student database the way a retailer might treat a leaked customer email list.

Affected parents must also be informed without undue delay, in clear and plain language describing the nature of the breach, the likely consequences, and the measures being taken. For a school, this means having a communication protocol ready in advance — not improvised in the middle of a crisis involving anxious parents of minor children.

Breach Sources Schools Underestimate

The most likely breach scenario for most schools is not a sophisticated cyberattack but a misconfigured cloud folder, a stolen staff laptop containing an unencrypted student database, a WhatsApp group where a staff member accidentally shares a spreadsheet of student medical conditions, or a third-party vendor's own security failure. Schools should assess breach readiness against these mundane, high-probability scenarios, not only against dramatic hacking events.

Data Retention — Admission Files, Alumni, and Exam Records

The DPDP Act's default principle is that personal data should be deleted or anonymized once the purpose for which it was collected has been fulfilled. Schools operate under multiple, sometimes competing, retention obligations: board and university regulations often require academic records to be preserved for extended periods, RTE Act compliance imposes its own documentation requirements, and alumni relations functions want to retain contact data indefinitely for outreach.

Where a specific statutory or regulatory retention period applies — for example, board examination records or records required for RTE reporting — that period constitutes a legitimate basis for continued retention even after a student has left the school. Once that period lapses, however, the data should be securely destroyed or anonymized unless the school has obtained fresh, purpose-specific consent to retain it for something like alumni engagement.

The Alumni Data Trap

Many schools maintain informal alumni databases built from admission records of students who graduated years or decades ago, often including outdated contact details, family information, and even old disciplinary notes never purged from the original file. Because this data was originally collected for admission and academic purposes — not alumni engagement — continuing to hold and use it for reunion invitations or fundraising outreach without a fresh consent basis sits on uncertain legal footing. Schools building alumni programmes should treat alumni consent as a distinct data collection exercise, not an extension of the original student file.

Real-World Scenarios From School Practice

The following scenarios illustrate how DPDP obligations translate into situations that will be familiar to school administrators, principals, and trustees.

Scenario 1 — Biometric Attendance

The Fingerprint System Nobody Formally Consented To

A school introduces a fingerprint-based attendance system for students in Grades 6 and above, citing efficiency and accuracy over the manual register. The system was rolled out through a circular sent home in the student diary, with no separate consent form and no opt-out mechanism offered to parents uncomfortable with biometric collection for a minor.

DPDP analysis: Biometric data is inherently high-risk data, and its collection from children requires itemized, verifiable parental consent — not a general circular assumed to constitute agreement. The absence of an opt-out mechanism compounds the exposure: parents who object have no compliant pathway available to them. The school should pause the rollout, issue a proper itemized consent form describing exactly what biometric data is captured, how it is stored, who the vendor is, and how long it is retained, and provide parents a genuine choice.

Scenario 2 — Social Media & Photography

The Sports Day Album That Went Straight to Instagram

A school's marketing team posts an album of Annual Sports Day photographs to the school's public Instagram account the same evening, tagging student names in several captions for a "student of the day" feature. The admission form contained a general clause permitting "use of student images for school publicity," but several parents had separately, in writing, requested that their child's photographs not be used on public platforms due to family safety concerns.

DPDP analysis: Even where general photography consent exists, a parent's specific withdrawal request must be honoured — consent that has been withdrawn cannot continue to justify processing. Publishing identifiable images of minors, including their names, on a public social media account also raises the question of whether this use falls within the original stated purpose of the consent obtained. Schools should maintain an easily searchable, mandatory "do not publish" list that marketing and communications staff check before every public posting involving student images.

Scenario 3 — Staff Handling of Sensitive Data

The Medical Information Spreadsheet Shared Over WhatsApp

Ahead of an annual excursion, a class teacher compiles a spreadsheet listing every student's allergies, medications, and emergency contact numbers, and shares it with the accompanying staff over a WhatsApp group that also includes two parent volunteers, for convenience. The spreadsheet remains in the group chat indefinitely, accessible to anyone added to the group later, including a substitute teacher who joins the following term.

DPDP analysis: Health data of children is highly sensitive, and sharing it through an unmanaged, persistent channel like a personal WhatsApp group — with data remaining accessible to future group members never contemplated in the original purpose — falls short of reasonable security safeguards. Schools need a formal protocol for excursion and emergency medical data: time-bound access, deletion after the event, and no distribution through personal messaging channels used interchangeably for social and administrative purposes.

Scenario 4 — Third-Party Ed-Tech

The "Free" App That Wasn't Free of Data Monetization

A school adopts a free online quiz and gamified learning app for primary students, chosen because it required no procurement budget. The app's privacy policy, written for a global audience and never reviewed by the school's administration, discloses that it shares "de-identified usage data" with advertising partners and displays banner advertisements within the free tier that students use during class.

DPDP analysis: An app that serves advertisements to child users during school-directed use very likely breaches the Section 9 prohibition on targeted advertising to children — and the fact that the app is "free" and adopted with good intentions does not change the school's exposure as the Data Fiduciary that selected it. Before adopting any third-party digital tool, schools should require a written data practices summary from the vendor and confirm, in writing, that the product does not serve advertising to or build behavioural profiles of student users.

Penalty Schedule and What Stacks

The DPDP Act's penalties are assessed per violation, not per incident, and a single lapse can trigger more than one violation simultaneously. For schools, the children's-data violation category is the one that carries the most direct and severe exposure.

DPDP Act — Penalty Schedule (Education-Relevant Violations)

Up to ₹200 Cr: Non-compliance with the special provisions for children — processing a student's data without verifiable parental consent, or engaging in prohibited tracking, profiling, or targeted advertising toward a child

Up to ₹250 Cr: Failure to implement reasonable security safeguards — the likely finding in a breach involving biometric, health, or academic student data

Up to ₹200 Cr: Failure to notify the Data Protection Board of a breach within the expected window

Up to ₹50 Cr: Failure to fulfil other obligations — including inadequate notice, purpose limitation breaches, and failure to honour a parent's withdrawal of consent

A school that rolls out a biometric attendance system without verifiable consent, and later suffers a breach of that same biometric database due to inadequate security, faces exposure under both the children's-data provision and the security safeguards provision simultaneously — a combined theoretical maximum running into hundreds of crores. In practice, the Data Protection Board will weigh the scale of the institution, the number of children affected, and remediation efforts in setting the actual penalty, but the statutory ceiling applies regardless of whether the school is a large chain or a single neighbourhood institution.

How LexWin Helps Schools Comply

DPDP compliance for a school is not primarily an IT project — it is a governance exercise that touches admissions, academics, transport, health, marketing, and every vendor relationship the institution maintains. LexWin combines legal expertise in the DPDP Act with practical familiarity with how schools actually operate, to build compliance that survives an actual regulatory inquiry, not just a policy document that sits unread in a file.

1. Student Data Mapping

We audit every touchpoint where student data is collected — admissions, academics, biometrics, health, transport, CCTV, and digital learning tools — and map each category to its legal basis, current consent status, and retention obligation.

2. Verifiable Consent Redesign

We design and draft an itemized, purpose-specific parental consent framework aligned with the DPDP Rules' verification requirements — covering admission, biometrics, photography, transport, and third-party app usage — with a clear, usable withdrawal mechanism.

3. Vendor & Ed-Tech Contract Review

We review and redraft agreements with ERP providers, biometric vendors, transport apps, CCTV integrators, and ed-tech platforms — screening specifically for prohibited behavioural profiling and targeted advertising risk before a vendor is onboarded.

4. Breach Response Protocol

We build a school-specific incident response protocol calibrated to the Board's notification window, including a parent communication template suited to a school community and a documentation framework for regulatory follow-up.

5. Staff Training & Governance

We train teaching, administrative, and support staff on day-to-day DPDP obligations — from WhatsApp data-sharing habits to photography practices — and assist in appointing a Grievance Officer and setting up a parent-facing rights request process.

Is Your School Ready for DPDP Enforcement?

Most schools have not yet reviewed their consent forms, vendor contracts, or app choices against the DPDP Act's children's-data provisions. With May 2027 eleven months away, the time to act is before the Board is constituted and enforcement begins.

Who Needs This — Education Sector Readiness Table

| Institution Type | Primary DPDP Exposure | Most Urgent Action |
| --- | --- | --- |
| K-12 School (Day) | High — biometric attendance, CCTV, photography, admission data, multiple vendors | Itemized consent redesign; vendor contract review; do-not-publish list for photography |
| Boarding / Residential School | Very High — health data, extended custodial responsibility, staff access to sensitive records | Health data access controls; hostel staff training; emergency data protocol |
| Coaching Institute / Tuition Chain | High — large student volumes, digital test platforms, minimal formal consent processes historically | Formal consent capture; digital platform vendor review; retention policy for test data |
| Ed-Tech Platform | Very High — direct Section 9 exposure on tracking, profiling, and advertising prohibitions | Product audit for behavioural profiling and ad-serving; consent mechanism redesign; school-client DPAs |
| College / University (UG intake) | Medium-High — under-18 first-year cohort requires the same protections as school students | Age-segmented consent process; admission data mapping for under-18 enrollees |
| School Transport Operator | Medium — live location data of minors, third-party app dependency | Purpose limitation clause with school; parent-only access controls; location data retention limits |
| School Chain / Trust (multiple campuses) | High — centralized data systems, group-wide vendor contracts, reputational stakes across campuses | Group-wide policy standardization; centralized breach protocol; Grievance Officer appointment |

DPDP School Readiness Checklist

Use this checklist to assess where your institution stands. If any item is incomplete, it represents a compliance gap that should be addressed before enforcement begins in May 2027.

DPDP School Compliance — Self-Assessment Checklist

Student data mapping completed — admissions, academics, biometrics, health, transport, and digital tools identified
Admission form consent redesigned into an itemized, purpose-specific format meeting verifiable consent standards
Separate, dated consent captured for biometric attendance systems, with an available opt-out
Photography and social media consent captured separately and renewable, with a maintained do-not-publish list
All third-party apps and ed-tech platforms screened for behavioural profiling and targeted advertising before adoption
Vendor contracts with ERP, biometric, transport, CCTV, and ed-tech providers updated with data protection clauses
Consent withdrawal mechanism available and tested — a parent can withdraw without difficulty
Grievance Officer appointed and contact details communicated to parents
Data breach detection and Board notification protocol documented, with a parent communication template ready
Retention schedule mapped for admission files, academic records, and alumni data, aligned with board/RTE requirements
Staff trained on informal data-sharing risks — WhatsApp groups, personal devices, unmanaged spreadsheets
Health and medical data access restricted to designated staff and logged
CCTV retention period defined and access to footage restricted and logged
Transport tracking app reviewed for purpose limitation and parent-only access
Alumni data programme built on fresh, separate consent rather than repurposed admission records