Data Privacy For Education Sector

At a glance
The key takeaways are that data privacy concerns the lawful and secure use of personal information, that personal data includes identifiable information about an individual, and that concerns around data privacy have grown with the rise of information technology.

Data privacy refers to the lawful and confidential use of a person's personal information, with personal data generally referring to information that can identify an individual such as passwords, financial details, health records, biometric data etc.

Current laws include provisions under the IT Act but the Supreme Court has also recognized privacy as a fundamental right. A new comprehensive data protection law is proposed that will widen the scope of personal data, apply to all entities, enhance consent and individual rights and establish a regulatory authority.

DATA PRIVACY FOR EDUCATION SECTOR: COMPLIANCE REQUIREMENT

What is Data Privacy?

It is a concept under which a person’s ‘personal data’ is used in a lawful manner:
any personal information about an individual must be processed securely
and confidentially. Privacy concerns arise wherever personally identifiable
information is collected, stored, or used.

What is Personal Data?

It generally refers to information or data relating to a person who can be
identified from that information or data.

Background

Data privacy has emerged as a growing concern, more so with the advent and rise of
information technology. The relevant law in India dealing with data protection is
the Information Technology Act, 2000 (hereinafter the “IT Act”).

Under section 43A of the IT Act, “a body corporate who is possessing, dealing or handling
any sensitive personal data or information, and is negligent in implementing and
maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any
person, then such body corporate may be held liable to pay damages to the person so affected.”

Among its limitations are:

a. That it applies only to a “body corporate”, which means any company and
includes a firm, sole proprietorship or other association of individuals engaged
in commercial or professional activities.
b. That the Rules deal only with the protection of "Sensitive personal data or
information of a person", which includes personal information relating to
passwords; financial information such as bank account, credit card, debit card
or other payment instrument details; physical, physiological and mental health
condition; sexual orientation; medical records and history; and biometric
information.
c. That there is provision for the claim of damages, which does not have a cap
on the amount of damages.

In the landmark case of Justice K S Puttaswamy (Retd.) & Anr. vs. Union of India
and Ors., the constitution bench of the Hon'ble Supreme Court on August 24, 2017
held the Right to Privacy to be a fundamental right. Soon thereafter, the Justice
Srikrishna Committee was constituted to draft an exhaustive data protection law
for India; it has since submitted its report and its draft law to the government.
The Ministry of Electronics and Information Technology, Government of India
(hereinafter the “Ministry”), has prepared a draft data protection law on the
basis of the Srikrishna Committee Report. It is pending with the Ministry to be
tabled in the parliament and could soon become the law of the land.

What will change with the draft law? Some important changes are:

• The ambit of what is personal data will enlarge.
• It will be applicable not just to bodies corporate.
• Minors’ data will have more protections.
• The consent requirement will be made rigorous and explicit.
• Rights such as the right to be forgotten, right to access, right to correction
of information, right to data portability etc. are provided.
• Establishment of a Data Protection Authority to monitor the implementation of
the Act. It shall have a separate adjudication wing to impose penalties
and award compensation.
• Introduction of the concept of privacy by design, wherein the information
architecture of an entity is designed with maximum concern for privacy.
• Restriction on cross-border transfer of personal data, with an adequacy
requirement or contractual obligation terms.

Compliance Requirements for Education Sector:

• Transparency and Trust

Schools are not only expected to be compliant; they must also be able to
prove that they are. Both the data principal and authorities (like the DPA) can
demand to see what data your schools hold, and how it is managed. You’ll have to
produce an overview of the information of a specific student, and this
information should be clear and transparent. To prove compliance to
authorities, your reports should also be transparent and easy to understand.

 [*******}
