The Indian school education system is one of the most expansive ecosystems in the world. Composed of approximately 15 lakh schools, 97 lakh teachers, and nearly 26.5 crore students enrolled from the pre-primary to higher secondary levels, it boasts of stakeholders from varied socioeconomic backgrounds.
Collecting information
To realise its objective of managing the wide-ranging education system in India in a sound manner, the Ministry of Education conceived of the UDISE+ platform in 2018. The UDISE+ plays a crucial role in collecting and exchanging real-time information on school infrastructure, teachers, student enrolment, and academic performance. This allows the Ministry to curate outcome-based policies to enhance the quality of education in India. By improving the process of resource allocation and the monitoring of educational programmes, UDISE+ is also notably utilised to map educational trends. The objective of strengthening administration and optimising service delivery is charted out as the ultimate goal of this exercise.
Related Stories
In terms of the National Education Policy 2020, the Ministry also introduced the Automated Permanent Academic Account Registry identification (APAAR). This serves as a unique identifier of a given student. This facilitates the collation of academic credentials of students at one place. The demographic information per user so collected includes Aadhaar information, obtained vide a voluntary consent-based mechanism.
Measures are being introduced to enhance ease of schooling, which necessitate linking of APAAR and UDISE+. Steps to automate student admissions, in turn, to reduce dropout rates during the transitional phases and enhance opportunities for continuing education, fall within the umbrella of such ease of schooling measures.
Entities such as DigiLocker and ed-tech companies frequently collaborate with State governments. They consequently form integral constituents of the modern education system. Interlinking of UDISE+ and APAAR, in the manner explained above, exposes student data amassed to such actors in the educational ecosystem. The Education Ministry commendably formulated a data-sharing policy for school education and literacy in 2020. However, this is yet to be updated to reflect the regulatory overhauls post the enactment of the Digital Personal Data Protection (DPDP) Act, 2023. In the absence of clear regulations or minimum standards (importantly, for ed-tech players), their compliance with the Act comes under question.
There are numerous potential pressure points wherein non-compliance of the involved actors may materialise. For instance, there is limited guidance on what constitutes verifiable parental consent. Consent from parents for minors’ data, sought under the UDISE+/APAAR regime, may violate this requirement. Moreover, the DPDP Act emphasises the importance of collecting personal data for specified legitimate purposes only. Sharing children’s data under UDISE+ for a purpose incremental to the authorised one could violate this statutory requirement. The Ministry acknowledged the benefits of sharing student data at a national scale — for instance, to track intra- and/or inter-State student migration. Streamlining the system to manage educational records efficiently is therefore critical. Notably, the DPDP Act sanctions a specific and voluntary consent-based mechanism. The specific and voluntary nature of consent required (for purposes like the above) is clinching.
The three-part test
The Supreme Court recognised the right to privacy as a fundamental right in Justice K.S. Puttaswamy (Retd.) v. Union of India (2018) and laid down the three-part test against which state action must be adjudged. This test is deployed to assess the impact of state action on the right to privacy of citizens. The three conditions stipulated under this test are: (i) there exists a legitimate state interest in restricting the right; (ii) such restriction is necessary and proportionate to achieve the interest; and (iii) the restriction is imposed/effected by law. Aadhaar integration in APAAR/UDISE+ must comply with these three prongs. Due caution is also a prerequisite to counter potential cases of data thefts and cyber breaches. Adherence to the principles of data privacy and data minimisation is particularly pertinent given the sensitive nature of children’s personal data.
The need for specific protocols
Regarding exchange of personal data of children for an unspecified purpose, integration of third parties (such as entities like DigiLocker, etc.) could also raise doubts on the role thereof. Identification of actors who qualify as data fiduciary, data processor, and data principal, would be required from a liability affixation standpoint. This is a complex task and is presently not being undertaken. Although the privacy policy for APAAR dictates certain data security, aggregation, third party integration, retention requirements, sharing of personal data of children for an unmentioned purpose may require specific protocols, which are absent.
Related Stories
Additionally, both the data policy and the annual report emphasise on the absence of any legal liability of the Ministry in respect of disclosure/accuracy of the data shared onto UDISE+. Further, the privacy policy directs grievances received to a grievance officer. However, there is no clarity on the manner in which the legal liability is affixed or practically incurred. This exhibits a blatant lack of a grievance redressal forum and mechanism for the data principals whose personal data is collected and exchanged under APAAR.
Queries regarding interoperability, consent, and grievance redressal abound. Standard operating procedures, both technical and legal, under an overarching governance framework are a pressing priority. Such protocols will facilitate preservation of data authenticity and prescription of legal obligations for stakeholders concerned. Hopefully, this will also help further a conscientious spirit in the actors for sharing, using, and retaining personal data of children, lawfully and securely.
Jyotsana Singh is a Research Fellow at the Vidhi Centre for Legal Policy
