Tl;dr

In the continuation of our weekly series #PrivacyOfThePeople, we look at the impact of the Personal Data Protection Bill, 2019 on different sections of society, from farmers to patients. In this post, we examine the growing interest in students’ data and what the Bill has to say when it comes to student data. We explore the need to secure such data as well as why current regulations inadequately protect student data.

Background

Last week, in the fourth post in our #PrivacyOfThePeople series, we looked at healthcare data under the Personal Data Protection Bill, 2019. We took a deep dive into the merits and demerits of the Bill when it comes to protecting the medical records of patients. In the past, we have also covered the impacts of the Bill on workers, farmers, and social media users.

This post continues to discuss how different groups of people are affected by the Personal Data Protection Bill, 2019. This week, we’re taking a look at why there is an increasing interest in student data and whether the Bill adequately protects such data. Specifically, student data largely entails the data of students and their guardians, which is collected and processed by schools, colleges, governmental organisations, and ed-tech companies.

The issue

According to a Comparitech report, US schools and colleges have leaked 24.5 million student records in 1,327 data breaches since the year 2005. This is now a global issue that has become much more relevant in India, even more so with the increased digitization of student records due to the COVID-19 pandemic. From admission right up to graduation, educational institutions constantly collect, store, process, and generate huge amounts of data. This data can intentionally or unintentionally end up in someone else’s hands. In a 2018 data breach, the information of 250,000 students who appeared for the National Eligibility cum Entrance Test (NEET) was being publicly sold, without the consent or knowledge of the students. The personal data had been obtained by merely requesting schools and offering free NEET mock tests. Just this year, staff and education officers in Coimbatore had been allegedly selling student data using the Education Information Management System (EMIS) portal.

At the time of admission, schools may typically ask for names, ages, addresses, photographs, sex, religion, Aadhaar numbers, birth certificates, details of siblings, parents’ names, parents’ qualifications, family income, telephone numbers, email addresses, etc. Once admitted, financial data such as bank account details, and health data such as blood group, allergies, weight, height, immunizations, regular medication (if any), dental check-ups, eye check-ups, etc. are also usually added. Additionally, most schools maintain progress reports, participation details, and disciplinary records of students. Schools thus regularly collect and process large amounts of personal data of not only students but also their guardians. The question then arises - “What happens to this student data?”

Unlike other kinds of data, student data is a lot more comprehensive - it is several fields of a student’s and guardian’s personal data. This makes it of much greater interest to data broker companies that buy and sell information about consumers from a wide variety of sources. This student data can end up anywhere. It generally ends up with companies providing services such as coaching facilities, educational loans, insurance, or regular advertising. Colleges too may be interested in obtaining data from schools. While there have been cases where schools themselves have played a role in selling student data, most of the time, this is done without the management’s knowledge. Apart from this data profiting others, it even risks the possibilities of phishing, extortion, and ending up on pornographic websites.

This issue isn’t limited to schools alone, but also extends to universities, ed-tech companies, governmental and private boards and organizations that manage curriculums and conduct various examinations. The College Board is notorious when it comes to selling student data. The American organisation popularly known for conducting exams such as the Scholastic Assessment Test (SAT), was reported to be selling test-takers’ information to elite universities for 47 cents per name. These universities use this data to boost their image of exclusivity (by inviting students they don’t intend on accepting to apply and pay a good application fee), in an attempt to help boost their national rankings.

The PDP Bill and Student Data

Schools, universities, educational organisations, and ed-tech companies, all classify as “data fiduciaries” (data collectors) for the purposes of the PDP Bill. As such, they are required to fulfill all obligations under Chapter II, that is, Sections 4 to 11, particularly those dealing with purpose limitation, the requirement of consent, etc., as well as the accountability and transparency measures specified in Chapter VI. Since these groups inevitably process large volumes of personal data of children, they will also be regulated as guardian data fiduciaries for the purpose of Chapter IV of the Bill and the regulations made under them. Yet, since the Bill only protects personal data, non-personal student data is still at risk. As we have written extensively earlier, in today’s world anonymised data means very little.

Considering the volume and sensitivity of personal data processed, the Data Protection Authority (DPA) may also seek to regulate schools as Significant Data Fiduciaries under Section 26 of the Bill. Government-run schools may also be regulated differently if they are classified as a “service provided by a government” under Section 12(a)(i) of the Bill.

Furthermore, the Bill fails to adequately safeguard data of any sort in the case of data breaches. Clause 25 which deals with the breach of personal data states that in cases where a data breach may cause harm to the data principal, the data fiduciary must inform the Data Protection Authority, not the principal themself. Moreover, there are no penalties imposed on the data fiduciaries in the event of a data breach.

Solution

To remedy some of these problems, here are a few of our recommendations:

1. Schools, colleges, organisations, and ed-tech companies to process data responsibly: This is to be done in compliance with the PDP Bill. If any sort of data processors are hired, they will need to be monitored to ensure compliance. Such data processors may only be appointed vide a contract and are bound by the instructions of the Data Fiduciary and must treat data as confidential as per Section 31 of the Bill.
2. Student Rights must be upheld: As stakeholders of their data, explicit consent should be taken before processing any data. If data is being monetized, students and their guardians must be made aware of this. Under Section 9 of the Bill, students, as data principals, have the right to ask for the erasure of their data at any given time. Processing of student data must not be done in a way that profits others when it violates basic privacy rights.
3. Protect Non-Personal Data: Allow non-personal and anonymized data to be regulated by the Data Protection Authority. Doing so would shift the focus onto the protection of citizens’ digital rights and ensure robust regulatory mechanisms for non-personal data.

This is the fifth post in our #PrivacyOfThePeople series on how the Personal Data Protection Bill will impact different facets of our life; you can read part 1 on worker surveillance here, part 2 on the farmers here, part 3 on social media here, and part 4 on healthcare data here. Join us next week as we look at the Bill in the context of dating apps and matrimony websites.

Important Documents

1. The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
2. IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
3. Previous blogpost dated January 18, 2021, titled “Unconstitutional draft report on non-personal data ignores concerns about privacy and data monopolies” (link)
4. The SaveOurPrivacy Campaign (link)

This post was largely drafted by Tanvi Roy, who is an undergraduate student majoring in Computer Science at Ashoka University and currently interning at IFF.

Important Documents

1. The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
2. IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
3. Rules of Procedure and Conduct of Business in Lok Sabha (link)