In Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), a nine-judge bench of the Supreme Court unanimously held that privacy is a fundamental right, protected as an intrinsic part of the right to life and personal liberty under Article 21 and as part of the freedoms guaranteed by Part III of the Indian Constitution. Following the judgement, the Central Government constituted a committee chaired by former Supreme Court judge Justice B.N. Srikrishna to examine the problems arising from the absence of a data protection law in India, recommend remedies, and draft a data protection bill. After public consultations on the committee's draft, the Ministry of Electronics and Information Technology (MeitY) introduced the Personal Data Protection Bill (PDPB), 2019.
The bill was introduced on December 11, 2019 and referred to a Joint Parliamentary Committee (JPC), where it remains as of today. The JPC is expected to table its report in Parliament during this year's budget session. Once enacted, the bill will substantially change the legal obligations of organizations in every sector that process personal data.
Classification of personal data stored with educational institutions
Educational institutions include schools, colleges, universities, and coaching/training institutes. Today the entire cycle from admission to graduation is data-intensive: such institutions collect, process, store, and generate personal data belonging to individuals. The table below groups the typical categories (the category labels are an editorial reconstruction of the table's missing first column).

| Category | Types of information |
| --- | --- |
| Identity and contact details | Age, sex, name, address, parents/guardian details, contact information, birth certificate, previous educational history, etc. |
| Health information | Prior medical history, height, weight, blood group, etc. |
| Financial information | Family income, bank account details, account statements, loan repayment details, etc. |
Educational institutions also hold records of disciplinary proceedings and academic performance, some of which are generated by the institution's own internal processes rather than collected from the student. Because health data and financial data are "sensitive personal data" under Section 3(36) of the bill, educational institutions will face heightened compliance requirements once the bill is enacted.
It is important to distinguish between private and government institutions here. Government schools, colleges, and similar bodies may be treated differently, since their processing can be characterized as a service provided by the State. Educational institutions of either kind are likely to qualify as data fiduciaries, making the obligations in Chapter II applicable to them, and they will also have to demonstrate compliance with the transparency and accountability measures in Chapter VI. Since academic institutions process large volumes of personal data of minors, they may be classified as guardian data fiduciaries under Section 16 in Chapter IV. In some cases, the volume and sensitivity of the personal data involved may lead to an institution being notified as a significant data fiduciary under Section 26.
Compliance requirements under PDPB
Section 22 in Chapter VI requires every data fiduciary to prepare a privacy by design policy covering both its technical systems and its business practices, with the aim of preventing harm to data principals. A data fiduciary is responsible for the secure processing of sensitive personal data. If an academic institution is notified as a significant data fiduciary, it must additionally appoint a data protection officer and conduct a data protection impact assessment (DPIA) before undertaking processing that involves new technologies or sensitive personal data.
Privacy of data principals will take centre stage after the bill is enacted. The law will require data fiduciaries to collect only the data needed for a specified purpose and, for sensitive personal data, to obtain explicit consent. The burden of proving that valid explicit consent was obtained will rest with the educational institution. The notice given to a data principal must include at least the following:
- Category and nature of personal data
- Duration of data retention
- Rights of data principals
- Third-parties with whom personal data will be shared
- Grievance redressal mechanisms
At this juncture, there is a clear need for rules and guidelines governing how educational institutions collect, use, retain, and destroy personal data.
Exceptions given under PDPB
In the case of minors, consent of a parent or guardian is mandatory. Section 16(7) carves out a narrow exception: a guardian data fiduciary providing exclusive counselling or child protection services to a child need not obtain parental consent. The Children's Online Privacy Protection Act of 1998 (COPPA) in the US is a useful reference for how verifiable parental consent can be obtained in practice.
Miscellaneous student records such as disciplinary actions and performance analyses will also fall within the definition of personal data. Educational institutions will need prior consent from data principals before sharing such data with third parties, although the exceptions in Sections 12 and 13 (for example, processing required by law or for functions of the State) may permit processing of some of this information without consent. An open question is whether a data principal can ask a data fiduciary to erase data relating to poor disciplinary or academic records.
If an institution is classified as a guardian data fiduciary, the bill bars certain activities involving the personal data of minors, notably profiling, tracking, and behavioural monitoring. An institution that fails to meet these obligations faces penalties under Section 57. For educational institutions, one may argue that some degree of monitoring and profiling is necessary to their function. It will also be interesting to see how data principals exercise the right to be forgotten against educational institutions. While Parliament is yet to pass the bill, a well-considered approach to regulating the processing activities of educational institutions is needed now.
Featured Image Credits: Tree vector created by upklyak – www.freepik.com