“Personal Information” and the right of a person to their own information are included in the concept of “Right to Privacy”, which has been declared a Fundamental Right under Article 21 of the Constitution of India, by the Hon’ble Supreme Court of India in 2017. Therefore, any breach of personal information or failure to protect personal information, would be impinging upon the “Fundamental Right” of the concerned person.
At the moment, the protection of data falls, in a limited capacity, within the purview of the Information Technology Act, 2000. Pursuant to the 2017 privacy judgment, the proposed legislation which seeks to comprehensively address data protection in India is the Personal Data Protection Bill, 2019 (“Data Law”). The proposed law, which is likely to be enacted very soon, will also repeal the provisions pertaining to data protection under the IT Act, 2000. The Data Law deals substantially with what ought to be done with data of individuals which is in the nature of personal information.
Nature of Data collected by Schools
In the context of schools and educational institutions, there are different types of data, i.e. personal information, which are used extensively for various activities. Data collected by schools vary from personal details and progress/disciplinary reports to medical/health data and even financial information (of parents/guardians). Every bit of data relating to children or their guardians is collected and further processed by schools. With the Data Law likely to be implemented soon in India, the repercussions are aplenty, especially for schools, considering that they deal substantially with data of minors.
How are Children/Students treated under the Data Law?
A natural person to whom any personal data relates is known as a Data Principal under the Data Law. Children will be recognized as such and there are also certain strict provisions when it comes to data relating to minors. Data principals have certain rights granted to them under the Data Law which even includes the right to have their data erased, amongst others.
Under the Data Law, anybody who determines the purpose and means of processing personal data is known as a Data Fiduciary. In this case, it would be Schools.
Besides being data fiduciaries, it may also be entirely feasible that the Data Protection Authority of India (DPAI) appointed under the proposed Data Law will further classify schools as guardian data fiduciaries and significant data fiduciaries (SDF).
The various rights granted to data principals make it necessary for schools to ensure that substantial resources and processes are put in place so as to meet their obligations and duties under the Data Law. For instance, if a student seeks to enforce their right to erasure of information that is no longer necessary for the purpose for which it was created, schools would have to make sure that they completely remove such data. It is entirely feasible that students could ask for erasure of their disciplinary records which the school no longer requires. While the school may refuse such a request, it would have to give an adequate justification for such refusal. Having said that, should the student be dissatisfied with such justification, they could take up the matter with the DPAI so as to enforce their rights.
Data principals may also be in a position to point out that progress/disciplinary reports can be classified as data that could cause significant harm. While performance-related information is a core component of educational institutions, only time will tell how schools could get affected. Nevertheless, preparation for the Data Law beforehand would go a long way in ensuring compliance when the law does come into force.
Duties and Obligations of Schools
As data fiduciaries (guardian and significant, subject to being classified as such) are required to meet certain stringent obligations with respect to data, schools would need to keep in mind that any activity of processing data should respect the privacy of the individual at all times. Schools would also have to ensure that they seek consent of the parents/guardians when they want to process any data relating to minors. Schools will have to confirm that transparency, accountability and strict mechanisms and processes are in place so as to adhere to various duties and obligations outlined in the Data Law.
Where schools are guardian data fiduciaries, any profiling, tracking or behavioral monitoring of children may also be restricted if such processing is likely to cause any significant harm to a child. One of the elements of ‘harm’ under the Data Law is loss of reputation or humiliation. A concern here is that such a restriction could be counterproductive to the basic functioning of a school.
Where large volumes of sensitive personal data are being processed by schools, the DPAI may additionally seek to classify them as an SDF. Under the Data Law an SDF would be required to register with the DPAI and additionally appoint a Data Protection Officer (DPO).
A ‘Privacy by Design’ policy and approach would be a mandate that will need to be adopted by all schools. Such a policy approach deals with systems to anticipate, identify and avoid harm to the students/former students. Ensuring that technological processing is in accordance with certified standards, and that the processing is secure at all stages, would become a fundamental requirement for schools.
Consequences of Non-compliance
It would bode well for schools that they consider the numerous issues under the Data Law so that they understand the obligations and duties towards information collected by them. The substantial penalties, which range from Rs. 5 crores to Rs. 15 crores, as also the possibility of imprisonment of up to 3 years in certain cases, besides the damage to their reputation, could cost the schools dearly.
In light of the stringent data protection regime that India is likely to see in the near future and the heavy penalties, it would be advisable that schools and educational institutes start ensuring efficient systems and processes regarding their data collection. Whether at the time of students seeking admission or during their regular functioning, schools would have to adhere to the strict requirements under the Data Law.
While an apple a day keeps the doctor away, in the context of data protection, appoint a DPO today to keep the DPAI away.
Ravi Bhardwaj | Gaurav Sharma | firstname.lastname@example.org