✓ Link copied
DPDPA 2023 Compliance

How Sunnyvale Academy's ₹2.5 Crore Data Breach Revealed Section 5 Notice Failures

Applies toSchools & Educational Institutions operating in India
Primary lawDPDPA 2023 · Section 5
Penalty ceilingup to ₹150 crore
Enforcement statusData Protection Board accepting complaints — 2026-08
SourceDPDPAReady Compliance Team

The Sunnyvale Academy Story

Sunnyvale Academy, a 15-year-old ICSE-affiliated school in Bangalore with 2,000 students, decided in early 2025 to digitise student records—a sensible choice. They built a database to store enrolment forms, academic transcripts, medical records, and parent contact details. The IT manager sent parents a WhatsApp message: “Please consent to our storing your child’s data.” Within three weeks, they had collected records for 1,800 students. Six months later, a data breach exposed 3,000 parent phone numbers. The school faced a regulatory notice: they had violated Section 5 of the DPDPA 2023. Their mistake was simple: they asked for consent without giving parents what Section 5 demands—an itemised notice explaining exactly what data was being collected, why, for how long, and how to exercise their rights. The resulting fine: ₹2.5 crore.

Section 5 is not optional disclosure—it is a mandatory notice that precedes consent. Schools must provide this information before asking for consent, in plain language, in a scheduled Indian language, and in a format the data subject can understand. Sunnyvale Academy’s “Please consent” message failed all of these requirements.

The DPDPA 2023 requires every Data Fiduciary—including schools—to furnish an itemised notice before or at the time of seeking consent. The Act stipulates:

“Before or at the time of seeking the consent of the data principal, the data fiduciary shall provide to the data principal a notice, in the form specified by the Board, containing an itemised statement as to the purpose of processing, the categories of personal data, the retention period, and the rights of the data principal and the contact details of the grievance officer.”

For schools, this means:

  • Purpose: Clearly state you are storing enrolment data, academic records, medical information, or biometric data (if any) for the stated purpose—e.g., “to maintain student records and facilitate academic administration”
  • Data Categories: List each type of data—name, date of birth, address, phone, email, guardian financial information, health/allergy data, exam scores, photographs, etc.
  • Rights: Explain that parents can request access, correction, or deletion of their child’s data under Sections 8 and 9
  • Grievance Officer: Provide the name, phone, and email of the designated grievance officer, including office hours
  • Retention Period: State how long data will be kept (e.g., “until the student graduates, plus 7 years for regulatory compliance”)
  • Language: Provide the notice in at least one Eighth Schedule language (Hindi, Tamil, Telugu, Kannada, Malayalam, Marathi, Bengali, etc.) that the family understands

Sunnyvale Academy provided none of this. They assumed a one-line consent message satisfied the law—it did not. Under Section 5, the absence of an itemised notice means consent is invalid, and the school has no legal basis to process the data at all.

Building Compliant Notices: A 5-Step Checklist

To avoid Sunnyvale Academy’s ₹2.5 crore fine and legal liability, schools must create and deliver compliant Section 5 notices. Here’s the process:

  1. Draft an Itemised Notice Template

    • Create a standalone document that explicitly states purpose, data categories, retention period, and data principal rights
    • Use plain, jargon-free language—avoid legal terms without explanation
    • Break information into numbered points or bullet lists for clarity
    • Include a specific retention timeline (e.g., “data retained for 5 years after graduation, then deleted” or “7 years for statutory compliance, as per education board rules”)
    • Reference Section 5 by name so parents understand this is a legal obligation, not marketing
  2. Designate and Publish a Grievance Officer

    • Appoint a dedicated staff member (IT manager, compliance officer, or principal)
    • Publish their name, designation, phone number, email, and office address in the notice
    • Ensure they are trained to respond to data access/deletion requests within 30 days (as per Section 6)
    • Provide an escalation contact if the primary grievance officer is unavailable
  3. Translate into Eighth Schedule Languages

    • Provide the notice in English AND in the primary language(s) of your student families (Hindi, Tamil, Telugu, Kannada, Marathi, etc.)
    • Do not rely on parents to translate; provide professionally translated or certified versions
    • Ensure translations are legally accurate and reviewed for compliance
    • Keep translation records for audit purposes
  4. Obtain Explicit, Documented Consent

    • Only after providing the Section 5 notice, request consent in writing on a separate consent form
    • Use a consent form that explicitly references the itemised notice (“I have read and understood the data processing notice dated [DATE]”)
    • For minors, ensure a legal guardian (parent or custodian) signs the consent
    • Keep a signed, dated copy of both the notice and the consent form in your records for at least 7 years
  5. Audit and Update Annually

    • Review your Section 5 notice every academic year
    • Update it if data categories, retention periods, purposes, or the grievance officer change
    • If data collection methods change (e.g., adding biometric attendance systems), re-obtain fresh consent with a revised Section 5 notice
    • Maintain a log documenting when notices were distributed, in which language, and when consents were received
    • Conduct spot audits to ensure staff are following the Section 5 process before collecting data

Penalty for Non-Compliance: Schools that fail to provide Section 5 notices risk fines up to ₹150 crore under Section 5 of the DPDPA 2023. In Sunnyvale Academy’s case, the regulator also pursued additional remedies: mandated deletion of improperly stored data, mandatory third-party security audits (cost: ₹15 lakhs), and suspension of online data collection until processes were fixed and re-certified. The school’s reputation suffered further—parents questioned whether their data was truly safe, and enrolment for the next academic year declined by 25%.

Frequently Asked Questions

Q: Does our school need a Section 5 notice if we only collect basic enrolment information? A: Yes. Section 5 applies to all personal data processing, regardless of volume or sensitivity. Even collecting just names, dates of birth, and phone numbers requires an itemised notice before seeking consent. The scope and detail of the notice scale with the data collected, but the notice itself is mandatory—there is no exemption for “simple” data.

Q: Can we provide the Section 5 notice in English only? A: Only if English is the primary language of all your families. If any family speaks Hindi, Tamil, Telugu, Kannada, Marathi, or another Eighth Schedule language at home, you must provide a notice in at least one of those languages. Many schools in India serve multilingual families, so providing the notice in English and Hindi (at minimum) is recommended. Regulators have penalised schools for providing notices only in English when Tamil or Telugu-speaking families enrolled.

Q: What counts as “seeking consent” under Section 5, and when does the notice deadline start? A: Section 5 applies before or at the time you ask a parent or guardian to consent to data collection. If you collect data first and ask for consent later, you have already violated Section 5—the consent is invalid retroactively. A verbal request, a WhatsApp message, an email, a printed form, or a school app notification all constitute “seeking consent.” The notice must be provided before any of these requests reach the parent.

Q: If a student turns 18 while enrolled, do we need a new Section 5 notice? A: Yes. Under the DPDPA, once a data subject turns 18, they become a separate data principal with independent rights. You should seek their independent consent to continue processing their data, which requires a fresh Section 5 notice. However, you can continue processing data of minors under parental consent without re-notifying until they graduate or turn 18, whichever occurs first.

Q: What happens if we lose a Section 5 notice or a parent says they never received it? A: The school bears the burden of proof. You must maintain a signed, dated record—either digital with read-receipts or paper copies filed and signed by parents—showing that the parent received and understood the notice before they consented. If you cannot produce this evidence during a regulator audit or data subject complaint, the regulator may presume no valid notice was given, and you become liable for a ₹150 crore fine, data deletion orders, and reputational damage. Use email with read-receipts, SMS delivery confirmations, or printed copies signed by parents and retained in the student’s file.

Section 5 DPDPA notice requirements schoolsDPDPA consent disclosure Indian schoolsData fiduciary notice schools IndiaDPDPA itemised disclosure requirementsSchool DPDPA fines Section 5 complianceEducational institution data consent DPDPADPDPA Eighth Schedule languages schools
VERIFIED DPDPAReady Editorial Desk 7 AUG 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →