Personal Data Protection Bill, 2019 and its impact on Schools in India
Personal Information” and the right of a person to their own
information are included in the concept of “Right to Privacy”, which has been
declared a Fundamental Right under Article 21 of the Constitution of
India, by the Hon’ble Supreme Court of India in 2017. Therefore, any breach of
personal information or failure to protect personal information, would be
impinging upon the “Fundamental Right” of the concerned person.
At the moment protecting data, in a limited capacity, is within
the purview of the Information Technology Act, 2000. Pursuant to the 2017
privacy judgment, the proposed legislation which seeks to comprehensively
address data protection in India is the Personal Data Protection Bill, 2019.
The proposed law is likely to be enacted very soon will also repeal the
provisions pertaining to data protection under the IT Act, 2000. The Data Law
deals substantially with what ought to be done with data of individuals which
is in the nature of personal information.
Nature of Data collected
In the context of schools and educational institutions there are
different types of data i.e. personal information which are used extensively
for various activities. Data collected by schools vary from personal details
and progress/disciplinary reports to medical/health data and even financial
information (of parents/guardians) as well. Every bit of data relating to
children or their guardians is collected and further processed by schools. With
the Data Law likely to be implemented soon in India the repercussions are
aplenty especially for schools, considering that they deal substantially with
data of minors.
How are Children/Students treated under the Data Law
A natural person to whom any personal data relates is known as
a Data Principal under the Data Law. Children will be recognized as
such and there are also certain strict provisions when it comes to data relating
to minors. Data principals have certain rights granted to them under the Data
Law which even includes the right to have their data erased, amongst others.
Under the Data Law, anybody who determines the purpose and means
of processing personal data is known as a Data Fiduciary. In this case, it
would be Schools.
Besides being data fiduciaries, it may also be entirely feasible
that the Data Protection Authority of India (DPAI appointed under the
proposed Data Law will further classify schools as guardian data
fiduciaries and significant data fiduciaries (SDF)
The various rights granted to data principals make it necessary
for schools to ensure that substantial resources and processes are put in place
so as to meet their obligations and duties under the Data Law. For instance, if
a student seeks to enforce their right to erasure of information that is
no longer necessary for the purpose for which it was created, schools would
have to make sure that they completely remove such data. It is entirely
feasible that students could ask for erasure of their disciplinary records
which the school no longer requires. While the school may refuse such a request
it would have to give an adequate justification for such refusal. Having said
that, should the student be dissatisfied with such justification, they could
take up the matter to the DPAI so to enforce their rights.
Data principals may also be in a position to point out that
progress /disciplinary reports can be classified as data that could cause
significant harm. While performance related information is a core component of
educational institutions, only time will tell how schools could get affected.
Nevertheless, preparation for the Data Law beforehand would go a long way in
ensuring compliance when the law does come into force.
Duties and Obligations of Schools
As data fiduciaries (guardian and significant, subject to being
classified as such) are required to meet certain stringent obligations with
respect to data, schools would need to keep in mind that any activity of
processing data should respect the privacy of the individual at all times.
Schools would also have to ensure that they seek consent of the parents/guardians
when they want to process any data relating to minors. Schools will have to
confirm that transparency, accountability and strict mechanisms and processes
are in place so as to adhere to various duties and obligations outlined in the
As guardian data fiduciaries, any profiling, tracking or
behavioral monitoring of children may also be restricted if such processing is
likely to cause any significant harm to a child. One of the elements of harm
under the Data Law is loss of reputation or humiliation. A concern here is on
account of such a restriction being counterproductive to the basic functioning
of a school.
Where large volumes of sensitive personal data are being processed
by schools, the DPAI may additionally seek to classify them as an SDF. Under
the Data Law an SDF would be required to register with the DPAI and
additionally appoint a Data Protection Officer (DPO).
A ‘Privacy by Design’ policy and approach would be a mandated
that will need to be adopted by all schools. Such a policy approach deals with
systems to anticipate, identify and avoid harm to the students/former students.
Ensuring technological processing is in accordance with certified standards as
also that the processing is secure at all stages would become a fundamental
requirement for schools.
Consequences of Non-compliance
It would bode well for schools that they consider the numerous
issues under the Data Law so that they understand the obligations and duties
towards information collected by them. The substantial penalties which range from Rs.
5 crores to Rs. 15 croresas also the possibility of imprisonment of up to 3
years in certain cases, besides the damage to their reputation could cost the
In light of the stringent data protection regime that India is
likely to see in the near future and the heavy penalties, it would be advisable
that schools and educational institutes start ensuring efficient systems and
processes regarding their data collection. Whether at the time of students
seeking admission or during their regular functioning schools would have adhere
to the strict requirements under the Data Law.
While an apple a day keeps the doctor away, in the context of
data protection, appoint a DPO today to keep the DPAI away.
Ravi Bhardwaj | Gaurav Sharma |
In light of the stringent data protection
regime that India is likely to see in the near future and the heavy penalties,
it would be advisable that schools and educational institutes start ensuring
efficient systems and processes regarding their data collection.