✓ Link copied
DPDPA 2023 Compliance

Section 4 Compliance for Schools: 6-Point Student Data Collection Checklist for 2026

Applies toSchools, coaching centers, and educational institutions collecting student and parent personal data in India
Primary lawDPDPA 2023 · Section 4
Penalty ceilingup to ₹150 crore per violation
Enforcement statusData Protection Board accepting complaints — 2026-06
SourceDPDPAReady Compliance Team

Section 4 Grounds for Collecting Student Personal Data: The Compliance Template Schools Need

Your school’s online admission form collects student name, date of birth, caste (for scholarship eligibility), parent mobile, address, medical allergies, and performance scores. You store them in Google Drive. But when a parent asks why you collected her child’s caste data and what law allows it, your admin fumbles.

Section 4 of the DPDPA mandates that personal data shall be collected only on lawful grounds established by the Act. Schools must document which ground each data collection rests upon, or face penalties up to ₹150 crore.

Undocumented collections are the #1 reason schools face Section 4 notices. You will face a compliance order if you cannot produce an audit trail showing the legal ground for each field.

This template walks you through the four Section 4 grounds, item by item, so your school never faces that question unprepared.

Understanding Section 4: The Four Grounds for Lawful Collection

Section 4 of the DPDPA 2023 establishes that personal data can be collected only if it is:

  1. Necessary for performance of a contract — e.g., student name and contact to enroll, grades to assess progress, fees to process payment
  2. Required by law — e.g., attendance data for regulatory compliance, address for government school census, age for board exam eligibility
  3. Necessary for legitimate interest — e.g., student photos for yearbook, emergency contact for crisis situations, communication preferences
  4. Provided with explicit consent — e.g., contact for optional sports updates, medical history beyond duty-of-care, data sharing with external apps

Schools routinely collect data under all four. The compliance risk is not collecting them—it is failing to document which ground each field rests on. A regulator audit of your admission form will cross-check: Does your privacy notice disclose the ground? Can you produce signed consent if Ground 4 was invoked? Can you cite the statute for Ground 2?

The Section 4 Compliance Checklist for Schools

Use this checklist to audit every data field your school collects. For each field, mark the ground(s) it relies on. If you cannot assign a ground, you likely cannot collect it lawfully.

Data FieldPurposeSection 4 GroundDocumented?Proof / Audit Trail
Student NameEnrollment, roll call, report cards1 (Contract)[ ] Yes [ ] NoDate signed: _____
Date of BirthAge verification, school placement, exam eligibility1 + 2 (Law: Board rules)[ ] Yes [ ] NoCite: _________
Student MobileFee reminders, exam schedules, hostel check-in1 + 3 (Legitimate interest)[ ] Yes [ ] NoConsent checkbox dated: _____
Parent MobileEmergency contact, fee updates, grievance escalation1 (Contract)[ ] Yes [ ] NoAdmission form signed: _____
Caste (for scholarship)State scholarship eligibility determination2 (Law: State Scholarship Act)[ ] Yes [ ] NoStatute cite: __________
ReligionAssembly participation, dietary rules in hostel4 (Explicit consent only)[ ] Yes [ ] NoHIGH RISK — Consent form date: _____
Student PhotoID card, yearbook, website achievement display1 (ID card) + 4 (Consent for yearbook/web)[ ] Yes [ ] NoMEDIUM RISK — Photo consent form: _____
Medical AllergiesStudent safety, emergency medical response1 + 2 (Duty of care)[ ] Yes [ ] NoEmergency card filed: _____
Academic ScoresProgress reporting, parent-teacher meeting, transcripts1 (Contract)[ ] Yes [ ] NoSigned enrollment form: _____
CCTV FootageCampus safety, incident investigation3 (Legitimate interest: security)[ ] Yes [ ] NoMEDIUM RISK — Privacy notice at camera entry: _____
Biometric Data (fingerprint)Attendance tracking, fraud prevention1 + 4 (Explicit consent)[ ] Yes [ ] NoCRITICAL RISK — Biometric consent form: _____
Parent Income / Tax InfoScholarship/concession determination2 (State Scholarship Act)[ ] Yes [ ] NoStatute reference on form: _____

How to Complete:

  1. For each row, verify your admission form or privacy notice explains the Section 4 ground.
  2. For Ground 4 (Consent), produce a signed, dated consent form or digital signature with timestamp.
  3. For Ground 2 (Law), cite the specific regulation and attach a copy.
  4. Fields marked CRITICAL or HIGH RISK need immediate correction before your next audit.
  5. Store completed checklists and consent forms in a folder labeled “[School Name] Section 4 Audit Trail — FY2026.”

Common Section 4 Mistakes Schools Make (and How to Fix Them)

Mistake 1: Collecting student religion without explicit consent

  • Many schools ask religion for hostel dietary rules or assembly seating.
  • Religion is not necessary for contract and not compelled by law in most cases.
  • Regulator’s view: Unlawful collection under all four grounds.
  • Fix: Add a checkbox: “I voluntarily share my child’s religion for hostel meal customization (optional).” Retain the signed form for 3 years.

Mistake 2: Uploading student photos to the school website without consent

  • Schools photograph students at events (permitted under Ground 1: contract) but then publish to Instagram and the website (not permitted without separate consent).
  • Regulator’s view: Collection and use are two separate data processing events. Publication requires new ground.
  • Fix: Provide a separate photo-consent form at admission: “Your photo may appear on our website, social media, or printed materials. I consent: [ ] Yes [ ] No.” Store signed copy.

Mistake 3: Collecting biometric data (fingerprint, face recognition) without written consent

  • Biometric data is sensitive personal data (Schedule II, DPDPA).
  • Email consents do not suffice; you need signed consent on paper or via legally-valid digital signature.
  • Regulator’s view: Biometric collection without explicit written consent is a Section 4 breach.
  • Fix: Distribute a biometric consent form: “My child’s fingerprint will be used only for attendance. Data will be deleted after [X months]. I can withdraw consent anytime.” Obtain parent signature and store for 5 years.

Mistake 4: Collecting data but never deleting it post-graduation

  • Schools collect student records but retain them indefinitely “just in case.”
  • Section 4 grounds expire once their purpose ends. Retention without ground is a breach.
  • Regulator’s view: Data minimization principle requires deletion when purpose ends.
  • Fix: Create a data retention schedule: “Student records will be deleted 3 years after graduation, except those required by law (e.g., CBSE board archives). Deletion will be completed by [date].”

Mistake 5: Treating “parental consent to enroll” as blanket consent for all uses

  • Parents sign an admission form = consent for enrollment (Ground 1: Contract).
  • It does NOT extend to selling student directories, sharing with coaching vendors, or third-party app integrations.
  • Regulator’s view: Each new data processing activity requires its own Section 4 ground.
  • Fix: Be explicit in your privacy notice: “We share student data ONLY with [specific list: Google Classroom, Payroll Ledger, school bus provider]. We never sell student directories or share data for marketing.”

Section 4 Compliance Action Plan (30-Day Sprint)

Days 1–7: Audit

  • Print or export your admission form, fee portal forms, LMS forms, and consent screens.
  • Use the checklist above to mark which Section 4 ground each field relies on.
  • Identify HIGH RISK and CRITICAL RISK fields (those without documented grounds).
  • Spot-check your current signed admission forms—do they have a privacy notice attached?

Days 8–14: Fix the Gaps

  • For HIGH RISK and CRITICAL RISK fields, draft revised forms and consent templates.
  • Create a biometric consent form if you collect fingerprints or face data.
  • Add privacy notices to admission forms, fee portals, and any third-party apps.
  • Have your school lawyer or compliance officer review the forms.

Days 15–21: Roll Out

  • Update your online admission form (Google Form, Jotform, or school management software) with revised consent checkboxes.
  • Email all current parents: “Your school is updating privacy practices to comply with DPDPA. Please sign the attached updated consent form by [date].”
  • Announce the new process to admissions staff.
  • Test the form end-to-end to ensure consent checkboxes are mandatory and timestamps are captured.

Days 22–30: Document and Audit

  • Create a Section 4 Audit File: Folder “[School Name] Section 4 Audit Trail — FY2026.”
  • File signed admission forms, consent forms, privacy notices, and the completed checklist inside.
  • Ensure your compliance officer or data protection officer has access.
  • Schedule a 6-month review to re-audit and ensure new admissions remain compliant.

Frequently Asked Questions

Q1: Our school collects student data via WhatsApp messages from parents. Is that Section 4 compliant? A: Not safely. WhatsApp messages are unstructured; you cannot easily prove when a parent consented or what they consented to. Section 4 requires documented grounds with clear audit trails. Migrate critical data collection (admissions, consents, biometrics) to a structured form (Google Form, Jotform, school management software) that automatically logs IP address, timestamp, and consent checkbox state. Store those logs for at least 3 years per audit requirements.

Q2: Can we share student performance data with parents via email without additional consent? A: Yes, if your original admission form or privacy notice stated: “Your child’s academic progress will be shared with you via email and SMS.” That establishes Ground 1 (Contract: performance reporting is part of school services) or Ground 3 (Legitimate interest: parent communication). Email and SMS sharing do not require new consent; the original disclosure covers it. However, if you plan to share with third parties (e.g., a coaching center, a tutoring app), you need separate explicit consent per Ground 4.

Q3: We use a third-party attendance app that stores student fingerprint data. What else do we need besides consent? A: Two documents: (1) Explicit written consent from parents for biometric collection (Ground 4), and (2) a Data Processing Agreement (DPA) with the app vendor. The DPA must state that the vendor processes data only on your behalf, will delete data on your request, and cannot use student data for their own marketing. Schedule I of DPDPA requires written contracts with all processors. Ensure the DPA includes liability clauses for Section 4 breaches.

Q4: The state board mandates collection of caste data for scholarship tracking. How do we make this Section 4 compliant? A: This is Ground 2 (Required by law). To document it properly: (1) Add a line to your admission form: “Caste data is collected under the [State] Scholarship Act, 20XX to determine your eligibility for reserved scholarships.” (2) Cite the specific regulation number. (3) Attach a copy of the state government notification or official circular to your audit file. This transforms a vague data field into a compliant, auditable practice that will withstand regulator scrutiny.

Q5: A parent asked us to delete her child’s data. Can we refuse if we still need it for records? A: Section 4 grounds expire once their purpose is fulfilled. If the student has graduated and exam results are declared, you likely cannot justify retention under any of the four grounds. Check your retention policy (which you should have created in the action plan above). If retention is required by law (e.g., CBSE mandates 5-year archives), cite that statute in writing to the parent. Otherwise, begin the deletion process within 30 days. Refusing to delete when grounds have expired is a Section 12 (Erasure) breach, carrying penalties up to ₹200 crore.

school DPDPA Section 4 compliance checkliststudent data collection grounds schools Indiaeducational institution personal data rights DPDPAschool student records Section 4 requirements 2026DPDPA student privacy school compliancestudent consent collection schools Section 4school data protection compliance template India
VERIFIED DPDPAReady Editorial Desk 24 JUN 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →