Schools shape our future. Schools are also where we learn the difference between good and bad; right and wrong.
With India’s new data law on the horizon, schools will soon need to lead the way in educating children about their ‘right to privacy’ and ‘data protection’.
But before they teach, it’s important for schools to apprise themselves of this new law and implement it themselves.
Schools, by default, collect a lot of personal data, not only of students but also of parents and guardians.
The data protection law defines personal data as any identifiable data which relates to an individual. This includes phone number, photograph, biometric, signature, et al. There is no prohibition on asking for, collecting, or processing personal data. However, the new law ushers in a stringent notice and consent-based regime, which will need to be followed.
The law says that data fiduciaries (ones who determine the purpose of data processing; e.g., schools), should only process personal data as is needed, and for the specific purpose for which it is collected.
Before seeking consent, notice needs to be given before or at the time of collection of user data. The draft rules provide that notice must be clear, and understandable, and should set out itemized description of personal data being collected and the specific purposes for which it will be used for. Notice also needs to provide other details as prescribed under law and the draft rules. Ensuing consent must be free, specific, informed, unconditional, and unambiguous consent for processing such personal data, clearly and affirmatively. Currently, advance notices are rarely given. The homework for schools will be to set out a or notice framework and re-look at their consent forms and practices to understand the nature of data they process, of whom, the relevance of the data, and to match consents with the purpose of data processing.
The act has specific provisions for safeguarding children’s (below 18 years of age) data. Processing of children’s data can be done only with verifiable consent of parents or guardians. The Draft Rules, however, bring some leeway for educational institutions which can make compliance easier.
Importantly, under the act, children’s data cannot be processed in a manner that could have detrimental effect on them, or for targeted advertisements. Draft Rules permit educational institutions to process children’s data for tracking and behavioral monitoring only for the purpose of educational activities of such institution, or in the interest of child safety. This means that schools need to do their diligence before onboarding tech-based apps or service providers, lest they fall into a non-compliance trap.
Schools share a lot of data. There are consents required for data sharing as well.
Schools may also need to bifurcate data on the basis of voluntarily provided for school purposes, such as admissions (legitimate use), and data not directly relevant for school purposes, but required for sharing with school vendors (bus, canteen, etc.), third party apps (LMS), reservation for school trips, etc. Further, while schools may collect and share personal data with third parties, the onus to prove that data sharing was necessary (with due consent) will be on the school. This will build compliance pressure on schools. They also need to work through their agreements with third parties (data processors) to mitigate their risks and liabilities stemming from data-related issues. An alternative option for schools is to stay away from third party data sharing and work on models where the third parties process data directly with due consent.
Schools will have an obligation to keep personal data safe. For this, they will need to have strong security safeguards to prevent personal data breach. They will also need to have processes for grievance redressal (in relation to personal data), amongst other compliances under the law.
This is just a glimpse. If schools qualify as significant data fiduciaries under the law, they may face additional compliance burdens.
While the effective date of the law may be a little bit down the road, there is a lot of work that needs to be done in the interim. It has been observed (globally) that it takes time to truly understand and implement the data protection regime in the true spirit of the law.
Data is, in essence, personal property with rights attached to it. It is, therefore, fair that it should be used with consents, and within the contours prescribed under law.
Schools can start leading by example. They should not only ensure compliance (which is a mandate under law), but also start educating students about data protection and privacy rights to bring up a privacy-conscious next generation.
