Compliance May 10, 2026 · 10 min read

DPDP Act Compliance for Indian Schools: Your 2026 Action Checklist

India's Digital Personal Data Protection Act is in active enforcement. Schools are Data Fiduciaries by definition — and student data carries the highest protection requirements. Here is what your school must do, in plain language.

EdunodeX Team

Compliance & Product

Important notice

This article is written for general awareness and does not constitute legal advice. For your school's specific compliance posture, consult a qualified data protection or legal professional. DPDP rules are evolving — check with the Data Protection Board of India for the most current guidance.

[Infographic: Digital Personal Data Protection. Student under 18 = enhanced protection. Parent / guardian = consent owner for the child's data. Your school = Data Fiduciary. Penalties up to ₹250 crore per violation category.]

Why DPDP Applies Forcefully to Schools

India's Digital Personal Data Protection Act was passed in 2023 and its implementing rules were notified in early 2025. Compliance obligations have been coming into active enforcement through 2025 and into 2026. The Data Protection Board of India — the regulatory body established by the Act — is now operational.

Schools occupy a particularly sensitive position under this law. On any given school day, your institution processes personal data across dozens of touchpoints: admission forms collect addresses and financial information, attendance systems capture daily presence or biometric data, CCTV records movement within premises, fee systems hold bank details and payment history, health records capture medical conditions, and academic records document a child's cognitive and behavioural development over years.

Under the DPDP Act, any organisation that determines the purpose and means of processing personal data is a Data Fiduciary. Schools fit this definition straightforwardly — and because your students are predominantly under 18, your school is further classified as processing children's personal data, which carries the highest tier of protection obligations under the Act.

The consequences of non-compliance are not hypothetical. Penalties under the DPDP Act can reach Rs 250 crore per category of violation. Beyond financial penalties, a data breach or consent violation involving student data is a reputational event that affects parent trust, admissions, and the school's standing with the board of education.

This is not a matter of box-ticking for regulators. Schools hold some of the most sensitive personal data in Indian society — data about children. Getting this right matters.

What Counts as "Personal Data" in a School

The DPDP Act defines personal data broadly: any data by which an individual can be identified. In a school context, this covers far more than most administrators initially assume.

Student-level personal data your school holds:

  • Name, date of birth, gender, nationality, religion
  • Admission number, roll number, class, section
  • Home address, parent contact numbers, email addresses
  • Academic marks, grades, exam results, progress reports, report cards
  • Attendance records (daily, class-wise)
  • Behavioural records, disciplinary incidents, counsellor notes
  • Medical records, health conditions, special needs documentation
  • Photographs (individual and group)
  • Biometric data — fingerprints, facial recognition data (if you run biometric attendance)
  • CCTV footage in which the student is identifiable
  • Fee payment history, bank account details (if parents pay via bank transfer)
  • Transport route, pick-up and drop points
  • APAAR (Academic Bank of Credits) ID or Aadhaar linkages (where applicable)

Staff personal data (also covered): salary slips, tax documents, performance reviews, bank account details, Aadhaar (if collected), health insurance records.

Every piece of data in the above lists is personal data under DPDP. Every system that stores it — your school management software, your accounting software, your WhatsApp group chats, your CCTV DVR, your physical admission files — is part of your data processing footprint.

The 7 Core Obligations Every School Must Meet

1. Lawful Purpose & Consent

Collect and use personal data only for the specific purpose you communicated. Get free, informed, specific consent before processing — and record that consent.

2. Notice to Data Principals

Inform parents and students (as applicable) what data you collect, why, how long you keep it, and their rights — in clear, plain language, before or at the time of collection.

3. Data Minimisation

Collect only the personal data that is necessary for the stated purpose. Do not collect information "just in case" — each data field must have a justified reason.

4. Data Accuracy

Keep personal data accurate and up to date. Provide a mechanism for parents and students to correct inaccurate information.

5. Storage Limitation

Do not keep personal data longer than necessary for the stated purpose. After a student leaves school, data should be retained only as long as legally required — then deleted.

6. Security Safeguards

Implement appropriate technical and organisational measures to protect personal data from unauthorised access, breach, or loss. This applies to digital systems and physical files.

7. Accountability & Breach Notification

Be accountable for compliance. Designate responsibility. If a data breach occurs, notify the Data Protection Board of India promptly. Maintain records of your processing activities and consent documentation.

Special Rules for Children's Data

The DPDP Act treats children — defined as individuals under 18 years of age — as a special category requiring enhanced protection. For schools, whose student populations are entirely composed of children, these provisions are central, not peripheral.

Verifiable parental consent is mandatory. Before processing any personal data of a child, the school must obtain verifiable consent from a parent or legal guardian. "Verifiable" means you need to confirm that the person giving consent is actually the parent or guardian — not just anyone claiming to be. Admission forms that include a consent section are a starting point, but the mechanism for verifying identity matters too.

No targeted advertising to children. Schools must not share children's data with any platform or vendor for the purpose of delivering targeted advertising based on their personal data. If your school uses any third-party tools (educational apps, communication platforms) that might be serving targeted advertisements, you need to review those vendor agreements.

No behavioural profiling of children for advertising or other non-educational purposes. Academic profiling for educational improvement is expected to be permitted under the rules, but commercial profiling is not.

Biometric data requires extra care. Biometric data — fingerprints, facial recognition templates — is inherently sensitive. Collecting and processing biometric data from children requires explicit, informed consent and strong technical safeguards. If your school runs biometric attendance for students, your consent process for biometric data specifically needs review.

"When we switched to biometric attendance for students, we thought it was simply an operational upgrade. When our legal advisor walked us through DPDP, we realized we needed separate parental consent forms specifically for biometric, a separate data retention policy, and new clauses in our vendor agreement with the biometric device provider. It was more than we expected." — Nandita Iyer, Principal, a 900-student CBSE school in Pune

Vendor Due Diligence: Your School Software Provider Is Now a Data Processor

One of the most important and least-discussed aspects of DPDP for schools is the Data Processor obligation. Under the Act, when your school engages a third party to process personal data on your behalf — your school management software provider, your WhatsApp messaging service, your CCTV cloud storage provider, your online exam platform — that third party becomes a Data Processor.

You, as the school, remain the Data Fiduciary. You are responsible for ensuring your Data Processors handle student data appropriately. This means:

  • Written contracts are required. You should have a Data Processing Agreement (DPA) or equivalent contractual clauses with every vendor that handles student data. The contract should specify what data is processed, for what purpose, for how long, and the security standards that apply.
  • You cannot outsource your DPDP obligations. If your software vendor suffers a breach, you as the school may face regulatory scrutiny. Choosing vendors with strong security practices, clear breach notification processes, and explicit DPDP commitments is now part of your due diligence.
  • Audit your vendor list. Make a list of every third-party tool or service that touches student data. This includes obvious ones (your ERP, your SMS gateway) and less obvious ones (Google Workspace, parent communication apps, online assessment platforms, library management software, CCTV cloud services).

Vendor Due Diligence: 3-Step Process

1. Identify: list all vendors touching student data.

2. Contract: sign or review Data Processing Agreements.

3. Verify: confirm security and breach notification commitments.

Annual review: re-audit yearly.

The Practical Compliance Checklist (15 Items)

Use this checklist as a starting point for your school's DPDP readiness review. This is not exhaustive, and your specific situation may require additional steps — engage a legal or compliance professional for a complete assessment.

DPDP Readiness Checklist for Schools

  • P1 · Conduct a data audit: Map every type of personal data your school holds, where it is stored, and who can access it.
  • P1 · Update admission consent forms: Ensure consent is free, specific, informed, and obtained before data processing begins. Include a DPDP-compliant notice about data use.
  • P1 · Obtain separate biometric consent: If your school uses fingerprint or face recognition for attendance, obtain explicit parental consent specifically for biometric data — separate from general admission consent.
  • P1 · List all third-party vendors touching student data: ERP, SMS/WhatsApp gateway, exam platforms, library software, CCTV cloud, payment processors — list them all.
  • P1 · Sign Data Processing Agreements with key vendors: Ensure your school management software and other data-touching vendors have a formal DPA or DPDP-compliant contractual clause.
  • P1 · Publish a Privacy Notice on your school's website: Explain what data you collect, why, how long you keep it, and how parents can exercise their rights. Update it when your data practices change.
  • P2 · Create a data retention and deletion schedule: Define how long each category of data is retained and what the deletion process is when retention periods expire.
  • P2 · Create a process for parental access and correction requests: Parents have the right to access their child's data and correct inaccuracies. Designate a staff contact and define the response process and timeline.
  • P2 · Define a breach notification procedure: Know who in your school is responsible if a breach is suspected, how you will investigate it, and how you will notify the Data Protection Board of India if required.
  • P2 · Review photo and video usage policies: Annual day videos, sports day photos shared on social media, prospectus images featuring students — all require parental consent if the child is identifiable.
  • P2 · Secure physical files and records: DPDP covers both digital and physical data. Student files, medical records, and exam papers held in physical form must be secured with appropriate access controls.
  • P2 · Review CCTV policies and notices: CCTV footage that captures students is personal data. Define retention periods (typically 30–90 days), access controls, and post notices informing people that CCTV is in operation.
  • P3 · Train staff on data protection basics: Teaching staff, admin staff, and IT personnel all handle personal data. Basic training on what not to share, how to respond to parent requests, and how to report suspected breaches is essential.
  • P3 · Review WhatsApp group practices: Class WhatsApp groups that include student names, photos, academic results, or behavioural information are processing personal data. Set school policies for what can be shared in parent and teacher groups.
  • P3 · Schedule an annual compliance review: DPDP rules are evolving. Set a calendar reminder to review your data practices, vendor agreements, and consent forms at the start of each academic year.

P1 = Priority: High (act this academic year) · P2 = Priority: Medium · P3 = Priority: Ongoing

How EdunodeX Helps Schools Meet DPDP Requirements

DPDP compliance ultimately rests with your school — no software vendor can do it for you. But the right school management platform makes the compliance posture substantially easier to maintain. Here is how EdunodeX is designed with these obligations in mind.

Consent management is built into the admission flow. EdunodeX captures and stores consent at the point of admission, with a clear record of what was consented to and when. This creates the audit trail that DPDP accountability requires.

Biometric access is consent-gated. The platform enforces a consent check before any biometric data — face recognition or fingerprint — is used for attendance processing. A student whose biometric consent has not been recorded cannot have biometric attendance taken, preventing accidental violation.

Role-based access controls limit data exposure. Not every staff member needs access to every piece of student data. EdunodeX's role system ensures that teachers see class data, accountants see fee data, and sensitive fields are restricted to authorised roles — reducing the blast radius of any accidental data exposure.

Data is encrypted at rest and in transit. All student personal data stored in EdunodeX is encrypted. Communication between your school and EdunodeX servers uses encrypted connections. Payment credentials and gateway secrets are encrypted with an additional layer of key-based encryption.

We operate as your Data Processor. When your school uses EdunodeX, we are your Data Processor and you are the Data Fiduciary. EdunodeX's data processing practices are governed by our Data Processing Agreement, available to all school customers on request. We are committed to notifying school customers of any breach promptly, consistent with DPDP obligations.

We would encourage every school evaluating school management software in 2026 to ask every vendor — including us — two questions: "What is your breach notification process?" and "Can I see your Data Processing Agreement?" The answers will tell you a great deal about how seriously a vendor takes your school's compliance obligations.

Try EdunodeX for Your School

Built with data protection in mind. Consent-gated biometrics, role-based access, encrypted data, and a clear Data Processing Agreement — all included.
