Your institution does not just educate students. It collects, monitors and shares student data every day.
From admission forms and parent records to school apps, WhatsApp groups, CCTV, attendance, transport GPS, fee portals, student photos, health records and old student files — schools and colleges handle personal data at every step. This 3-minute scan shows where DPDPA exposure may arise in your student and parent data workflows. It collects no student data — only your answers about your processes.
Most schools don't have a teaching problem — they have a student-data control problem.
Your student-data risk map
The free scan scores your school or college across these five areas. Here is what each one looks at.
Student & parent data risk
Admission forms, ID proof and birth certificates, marks and attendance, fee and scholarship data, health and emergency contacts, transport and hostel records.
First move: Map student and parent data across admission, fee, academic, health, transport and app workflows.
Children & consent risk
Students below 18, parent/guardian consent and notice at admission, and the WhatsApp/social channels used to reach parents and students.
First move: Build a parent/guardian notice and consent workflow covering data, apps, photos, CCTV, transport and vendors.
Monitoring & safety-system risk
CCTV in common and sensitive areas, biometric and RFID attendance, transport GPS/bus tracking, hostel entry/exit and visitor management.
First move: Define purpose, access rights, retention and signage for every monitoring and location system.
Learning, vendor & platform risk
School ERP/SIS, LMS, parent app, fee portal, online exam tools, attendance/CCTV vendors, EdTech, placement and alumni platforms.
First move: Keep a vendor register of every platform that touches student data, with role-based access and data terms.
Retention, sharing & rights readiness risk
Student photos and results posted publicly; sharing with boards, vendors, transport and placement partners; old records and CCTV footage kept for years.
First move: Set retention + deletion rules and control external sharing, photo consent and removal requests.
How the 3-minute scan works
Answer 10 quick questions
About your students and parent data, minors, consent, school apps, communication, monitoring systems, sharing and retention. ~3 minutes.
See your readiness score + risk map
A 0–100 DPDPA readiness score, your risk band, and five school/college-specific risk areas.
Get your priority fixes + checklist
The five controls to start with, plus the School & College DPDPA Starter Checklist.
What the scan checks
Ten plain-English questions across your real student-data workflows. The scan collects no student data.
School & college DPDPA questions
Does the DPDPA apply to schools and colleges?
Yes. Schools and colleges process large volumes of student and parent personal data — admission forms, ID proof, marks, fee records, health details, photos and contact information — which makes them Data Fiduciaries under the Digital Personal Data Protection Act, 2023. Because most schools handle children's data, additional safeguards apply regardless of the institution's size.
How does the DPDPA treat children's data in schools?
Data of students below 18 is treated as children's data. Processing it generally needs verifiable parental/guardian consent, and the law restricts tracking, behavioural monitoring and targeted advertising directed at children. In practice the key control is a clear admission-time notice and documented parent consent covering school apps, photos, CCTV, transport, LMS and vendor platforms — not just a website privacy policy.
Can we post student photos, toppers and event videos on social media?
You can, but for minors this is a high-sensitivity workflow. Take separate, documented consent for publishing photos, videos and results, tell parents where images will appear, and offer a simple removal process on request. Publishing student images and results publicly without separate consent is a common DPDPA gap for schools.
Are CCTV, biometric attendance and transport GPS allowed in schools?
These safety systems are legitimate, but they create continuous monitoring and location data — especially for children. You need a defined purpose, access controls over who can view footage or location, a retention limit, and visible notice/signage. Biometric data is sensitive and hard to revoke, so it needs particular care.
How long can we keep old student records, photos and CCTV footage?
The DPDPA expects data to be kept only as long as the purpose requires. The risk for schools is keeping old admission files, parent contacts, app data, photos and CCTV footage indefinitely with no documented schedule, access control or review. Define a retention period by record type and archive or delete past it.
Take the free scan
10 questions · 3 minutes · free · no login. Get your school or college's DPDPA readiness score.
Start School / College Risk Scan →Related Briefings
Need advice?
Request Consultation →Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.
This page is for educational purposes and does not constitute legal advice.