Educational Institutions & Data Privacy: Children’s Data Processing



Coming of Digital Private Data Protection opens new possibilities for safeguarding Data Principals’ or citizens’ data from breaching. DPDP 2023 along with stringent policies related to data privacy introduced some new aspects of data handling and data processing.

It is pertinent to mention that DPDP 2023 brings that a child acting as a data principal is a sensitive subject if their data process is in a way that proves to be detrimental for them in the future. Consent for processing children’s data is a dire need and it needs to be taken from children’s lawful guardians only.

Educational Institutes are prime organizations dealing with children. Usually, data from such type of principal is very sensitive. Taking proper and prior consent for processing and regulating data while preventing data breaches is necessary.

Why children’s data is a concern?

As the new Digital Personal Data Protection Act, 2023 came in August 2023 it became a mandatory act of taking permission from the guardians/parental consent in cases of data principal being a child under the aforesaid act. It is also stated under the act that it shall be the duty of data fiduciaries who are handling the data of children not to process their data in a way which likely to cause any detrimental effect on the well-being of children.

Section 9 of the Digital Personal Data Protection Act, 2023 deals with the ‘Processing of Personal Data of Children’- states that

  • A verifiable consent of the parent/lawful guardian will be deemed necessary in case any institution is processing the child’s data.
  • It will be the duty of data fiduciaries handling children’s data not to process the data in a way that is likely to cause any detrimental effect on the well-being of children.
  • It will be duty the duty of the data fiduciary not to undertake any tracking or behavioral monitoring of children.
  • No targeted advertisement is directed towards children.
  • Processing without consent and tracking or behavioral monitoring will be allowed to those data fiduciaries who are processing the data with a purpose that is prescribed.
  • The Central Government can exempt a Data Fiduciary from certain obligations regarding the processing of children’s personal data if they ensure it is safely done for a specified age group, as determined in a notification.

Educational Institutes hold an important place in acquiring children’s data and processing it. On top of this Ministry of Education have to regulate these institute on a uniform basis for compliance of digital data protection norms and for the safety of children.

Diksha data exposed

Apart from education institutes, EdTech companies are more prone to get their gathered data breached. In the Report of Human Rights Watch 2022 Diksha was one of the 22 apps whose data was breached during a pandemic. The Diksha app was developed by EkStep, a foundation co-founded by Nandan Nilekani. Though it was developed by a non-profit foundation. Ministry of Education implemented and regulated security and policy about managing data under Diksha.

The full server which stores full names, phone numbers, and email addresses of more than 1 million teachers was unchecked and unsecured. Apart from that nearly 6 lac students’ email address, phone number, and full information was exposed.

According to Wired who reported this serious exposure for the very first time said that the information about the data breach came from the UK security researcher who tried to contact the support system of Diksha and alert them about the breach. But there was no acceptance and reply from the part of Diksha.

“AAID (Android Advertisement ID) is a unique device ID that is used to float advertisements on a device. In a report by Human Rights Watch Diksha was one of the 33 apps which collected AAID from their users and transferred it to third-party processors Google. The report depicts that the app was using GPS, using the timestamp of the current location, aware of the last known location of users. On the top, its Developers never disclosed collection of location in their privacy policy.”

 CAT Applicant’s Data on Marketplace-

“In 2020 CloudSEK a cyber breach vigilant organization noticed that there was a breach of CAT exam Applicant. In 2020 CloudSEK Cyber Threat Intelligence team discovered a post that was advertising the personally identifiable information of 200K students who appeared for the Common Aptitude Test Exam of 2019. It was a severe breach in the system that the data of 2 lac Students was leaked and up for sale on a marketplace.”


As already seen from the abovementioned two breach cases it became crystal clear that education institutes and Edtech companies need to make stringent privacy policies in order to make users’ data more secure or it will lead to infringement of users’ and children’s personal data and it might be a possibility that it may be used in a detrimental way against those users (children or applicant.)

Leave a Reply

Your email address will not be published. Required fields are marked *