By Vikrant Rana, Anuradha Gandhi and Rachita Thakur
Introduction
According to a recent report, Indian educational institutions experience an average of 8,195 weekly attacks, significantly higher than the global average of 3,355. These institutions are prime targets for cybercriminals due to the sensitive personal, academic and financial data they hold.[1]
In a recent instance, after a student led a protest at a well-known university, notices were displayed across campus containing their personal details to name and shame them. These notices contained pictures, names, addresses, phone numbers and e-mail addresses. The same were used to target some of the female students and created an unsafe environment for all the students involved. The posters were finally removed following strong opposition from student groups[2].
Educational institutions collect personal information during key phases such as admission, registration and enrollment using online forms, paper applications, administrative systems like student information systems (SIS) etc. The purpose behind collecting such information is to streamline academic processes, ensure campus safety and tailor services.
Trends and Methodology Adopted by Educational Institutions to Market and Promote
- Social Media Marketing
Educational institutions are increasingly leveraging social media for marketing, often sharing images and videos of students to showcase achievements, events, and campus life… A study analysed 18 million photos posted by schools and found that nearly 726,000 contained students’ full names and locations, highlighting significant risks of exposure and data misuse[3]. Such unauthorized sharing may lead to identity theft, or the images could be manipulated using artificial intelligence to create deepfakes, thereby raising significant privacy concerns and contributing to misleading narratives among prospective aspirants[4]. Recently, the Australian government has banned the use of social media platforms for people and children under the age of 16 years. This move has placed additional obligations on educational institutions, requiring them to implement robust safeguarding measures. The Australian government has recommended age verification technologies such as biometric checks, Digital ID systems and facial analysis, urging institutions to ensure compliance[5].
- Behavioural Tracking
Recently, Microsoft has been subject to complaints filed with the Austrian Data Protection Authority (DPA) for allegedly tracking school children through Microsoft 365 without consent. A student using Microsoft 365 Education discovered five tracking cookies on her device, even though she had not given her consent and had disabled all optional data processing. Some cookies were used for marketing, violating GDPR rules on consent, especially for minors[6]. The above case ties directly into behavioural tracking, wherein data can be used for highly invasive profiling of minors with personalized ads, underscoring the risks of monitoring students’ online behaviour without consent and proper safeguards.
Considering the above concerns, the Central Consumer Protection Authority (hereinafter referred to as “CCPA”) has issued the Guidelines for Prevention of Misleading Advertisement in Coaching Sector, 2024, restricting coaching institutes from using students’ names, photos, testimonials or videos in advertisements without written consent, obtained only after their success[7].
Under section 21 of the Consumer Protection Act, 2019, the CCPA can order the discontinuation or modification of misleading ads and impose penalties of up to INR 10 lakh for the first violation and INR 50 lakh for repeat offenses.
Balancing Institutional Needs with Students’ Privacy
Educational institutions face significant risks from data breaches and unauthorized access due to weak cybersecurity measures (such as weak passwords, human errors and vulnerable systems) and third-party exposures. For instance, the May 28, 2023 breach, where malware compromised file transfers, exemplifies these risks. Reports also reveal that 41% of primary schools, 70% of secondary schools and 92% of higher education institutions in the UK reported breaches in 2022. In the U.S., 18 cyberattacks on schools were recorded in the first of the 2022. Additionally, while educational data mining improves learning outcomes, it often requires collecting sensitive personal information, raising concerns about privacy and algorithmic bias.[8]
Another major concern is Artificial Intelligence (hereinafter referred to as “AI”) in the education sector. As of 2022, the global AI in education market was valued at $2.5 Billion, and with the rise of AI-driven solutions, this figure is expected to reach $6 Billion by 2025[9].
While these measures aim to protect student privacy and ensure responsible data handling, the Draft Digital Personal Data Protection Rules, 2025, provide for an exception. Part A of the Fourth Schedule allows a Data Fiduciary that is an educational institution to process personal data for tracking and behavioural monitoring of students, provided the processing is for the educational activities of such institution and in the interests of the safety of students enrolled with such institution.
Relevant Provisions
Digital Personal Data Protection Act, 2023
The above Act operates on the principles of purpose limitation and lawful processing.
Section 9 of the Act mandates that Data Fiduciaries must obtain verifiable consent from a parent or a lawful guardian before processing the personal data of a child (under 18 years of age as defined under the Act and Rules) or a person with disabilities. It prohibits processing of personal data which may have a detrimental effect on the well-being of a child. Rule 10 of the Draft Rules, 2025, in consonance with the Act, provides the procedure by which such verifiable consent can be obtained by the Data Fiduciary through:
- Verifying the identity and age of the parent or lawful guardian through reliable details available with the Data Fiduciary, i.e. information already available with the Data Fiduciary; or
- Utilizing a virtual token, i.e. a digital identifier linked to the parent’s identity and age, issued by a government entity; or
- Verification through trusted platforms like DigiLocker.
- In cases of persons with disabilities, the Draft Rules mandate additional due diligence in verifying the identity of the guardian appointed by a court of law, a designated authority or a local level committee.
Non-compliance with the above provisions may lead to a monetary penalty of up to INR 50,00,00,000 as specified in the Schedule of the Act.
Other Jurisdictions
- UK
The Information Commissioner’s Office has advised educational institutions to give an opt-out option to parents or students (if they are adults) before using a student’s photo for promotional purposes. A record must be kept of the students who have opted out of such use[10].
- United States
The Children’s Online Privacy Protection Act applies to photos, videos, and audio files that contain children’s images or voices. Therefore, these are treated as personal information. Educational institutions are required to obtain verifiable parental consent before using their photos or images for any purpose whatsoever[11].
The Act also provides that, if a school contracts with an operator to collect students’ personal information solely for the school’s use and benefit, without commercial purposes, the operator does not need to obtain direct parental consent. Instead, it can rely on the school’s authorization, assuming the school has obtained parental consent. However, the operator must provide the school with full notice of its data collection, use and disclosure practices, just as it would for parents.
If the operator plans to use or share children’s personal information for its own commercial purposes, it must obtain explicit parental consent[12].
Rishabh Gupta, Junior Associate Advocate at S.S. Rana & Co., has assisted in the research of this article.
[2] https://clarionindia.net/jamia-millia-islamia-removes-posters-of-protesting-students-after-backlash/
[5] https://www.fastvue.co/fastvue/blog/how-will-a-social-media-ban-impact-australian-schools/
[6] https://www.medianama.com/2024/06/223-microsoft-processed-austrian-school-childrens-data-complaint/
[7] https://pib.gov.in/PressReleaseIframePage.aspx?PRID=2073013
[8] https://ssrana.in/articles/data-privacy-in-educational-institutions/
[9] https://www.aiprm.com/ai-in-education-statistics/
[11] 16 C.F.R. § 312.5(c)