Section 7 DPDPA: 4 Legitimate Uses Schools Can Process Student Data Lawfully
| Applies to | Schools & Educational Institutions operating in India |
| Primary law | DPDPA 2023 · Section 7 |
| Penalty ceiling | up to ₹150 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-08 |
| Source | DPDPAReady Compliance Team |
The St. Andrew’s Medical Records Dilemma: Section 7 in Action
St. Andrew’s Senior Secondary School in Bangalore manages medical files for 2,400 students, including vaccination records, allergy alerts, and emergency contact information. When a student collapsed during a sports event last year, the school nurse accessed the child’s medical records without explicit parental consent—and the school director panicked. Was this a violation of the Digital Personal Data Protection Act, 2023?
The answer lies in Section 7 of the DPDPA, a provision that explicitly carves out situations where schools can process personal data—including sensitive student information—without requiring consent. Understanding this “closed list” of legitimate uses is non-negotiable for any educational institution handling enrollment forms, health data, employment references, or admission records across India.
Section 7: The Exhaustive List of Legitimate Uses
Unlike the GDPR’s flexible “legitimate interests” doctrine (a balancing test that courts must weigh case-by-case), the DPDPA takes a fundamentally different approach. Section 7 establishes a closed, exhaustive list of situations where consent is not required. Schools cannot create new grounds or argue that processing is “in the interest of the child” outside this list—they must fit their data processing into one of the Section 7 categories or obtain consent.
Here’s what Section 7 permits:
Personal data may be processed without the consent of the data principal in the following cases: (a) where processing is necessary for compliance with any law; (b) where processing is necessary for the performance of any function of the State; (c) where the personal data has been voluntarily provided by the data principal; (d) where processing is necessary to respond to a medical emergency; (e) where processing is necessary for the exercise of rights or performance of obligations under an employment relationship; and (f) where processing is necessary for the purposes of a merger, acquisition or other corporate restructuring.
For schools, this translates into six distinct legitimate-use grounds:
1. Processing Necessary for Compliance with Law (Section 7(a)) Schools must maintain attendance records, prepare Board examination rolls, and submit student performance data to regulatory authorities like CBSE or state education boards. These are mandated by law, not optional. Schools can process enrollment details, registration numbers, and exam results without parental consent because compliance with education law is Section 7(a) territory. The same applies to RTE (Right to Education) records or scholarship verification required by the government.
St. Andrew’s example: When a state education department requests a list of students eligible for the mid-day meal scheme, the school can provide names, ages, and socio-economic data without re-seeking consent—it’s processing “necessary for compliance” with the Mid Day Meal Scheme Act.
2. Processing for State Functions (Section 7(b)) When schools act as extensions of state authority—submitting crime-related witness statements, cooperating with police on student misconduct, or providing data for census collection—they may process personal data under Section 7(b). This is narrower than Section 7(a) and applies when the school is performing an explicit State function, not merely following its own institutional policies.
St. Andrew’s example: If a student is involved in an off-campus incident and police request the school’s records via court order or formal legal notice, the school can provide this data under Section 7(b), as cooperating with law enforcement is a State function.
3. Voluntarily Provided Data (Section 7(c)) This is the most frequently misunderstood provision. When parents or students voluntarily submit medical certificates, parent contact numbers, dietary preferences, or emergency contact information during enrollment, that data is Section 7(c)-compliant. However—and this is critical—the data must be truly voluntary, not extracted under duress or false pretenses, and processing must remain limited to the stated purpose.
St. Andrew’s example: Parents voluntarily provide allergy information on the enrollment form (“My child is peanut-allergic”). The school can store and share this with the cafeteria staff, medical team, and sports coaches without re-seeking consent each time, because the data was voluntarily provided and processing is for the stated purpose (child safety).
4. Medical Emergencies (Section 7(d)) When a student’s health or life is at immediate risk, schools can access medical records, blood type data, or medication allergies without consent. This applies to on-campus emergencies (a collapse during sports) and continues for the duration of the emergency response (e.g., sharing allergy information with the paramedic team).
St. Andrew’s example: During the sports event, the nurse accessed the student’s medical file without waiting for parental permission—lawful under Section 7(d) because a medical emergency was in progress.
5. Employment Relationship (Section 7(e)) Schools can process staff data—payroll, performance reviews, disciplinary records, and background checks—without employee consent, insofar as processing is necessary for the employment relationship. This applies to teachers, administrators, and support staff. Schools can also maintain student employment records if the school operates a work-study program.
St. Andrew’s example: When conducting background verification for a new teacher, the school can process the candidate’s prior employment data from a referee without the referee’s consent, because processing is “necessary for the exercise of rights or performance of obligations under an employment relationship.”
6. Merger, Acquisition, or Corporate Restructuring (Section 7(f)) When one school is acquired by an education trust, or two school networks merge, they can transfer student and staff records between entities under Section 7(f) without re-seeking consent. Processing must be limited to the merger/acquisition and must not extend beyond what the original consent authorized.
St. Andrew’s example: If the school merges with a neighboring CBSE school, the combined entity can consolidate student databases without parental consent because processing is “necessary for the purposes of a merger.”
How Schools Protect Themselves: Actionable Compliance Checklist
To remain compliant with Section 7 and avoid penalties up to ₹150 crore, schools must:
-
Map every data collection to a Section 7 ground — Audit all forms, databases, and data workflows. Document which Section 7 provision justifies each dataset (compliance with law, medical emergency, etc.). If no Section 7 ground exists, obtain explicit parental consent.
-
Distinguish “voluntary” from “coerced” — Enrollment forms that say “provide this or your child won’t be admitted” are coerced, not voluntary. True voluntary data is submitted without threat of refusal of service. Maintain a data dictionary noting which fields are truly voluntary (Section 7(c)).
-
Limit processing scope to the stated purpose — Allergy data collected for medical safety cannot be shared with the marketing team for profiling. Exam scores collected for compliance with the Board cannot be sold to coaching centers. Each Section 7 ground permits processing only for that ground’s purpose.
-
Establish role-based access controls — The cafeteria team needs allergy data; the admissions team does not. Restrict medical records to the school nurse and authorized medical personnel. Document access logs for sensitive data.
-
Maintain a Section 7 register — For each dataset, record the Section 7 ground, the purpose, the duration of storage, and the recipients. This becomes your evidence of lawful processing in case of audit or complaint.
-
Separate Section 7 and consent-based processing — Do not conflate “we have Section 7 grounds for data X” with “we can do anything with data X.” Section 7 is narrow and exhaustive; reuse outside the permissible ground requires fresh consent.
-
Obtain Board/Principal sign-off on Section 7 decisions — Do not leave Section 7 interpretations to individual staff. Have the school’s data officer or legal advisor document the Section 7 reasoning for each major data category.
Frequently Asked Questions
Q: Can our school ask parents to sign a blanket consent form that covers “all future processing” to save time?
A: No. Section 7 is exhaustive; it does not permit schools to ask parents to “waive” it. If processing falls under Section 7, consent is unnecessary and should not be sought (unnecessary consent adds regulatory clutter). If processing does not fall under Section 7, a blanket consent is invalid under DPDPA principles—consent must be specific, informed, and informed about the exact purpose and recipient. Schools should collect only consent for processing outside Section 7 grounds and document Section 7 grounds separately.
Q: If a student’s parent is a police officer and asks the school to “share my child’s records for an investigation,” can we do it without the school’s formal processes?
A: No. Personal relationships with parents do not create Section 7 grounds. The school can only share records under Section 7(a) (compliance with law) if there is a legal notice or court order, or under Section 7(b) if law enforcement makes a formal request. Personal appeals from parents (or staff) do not suffice. Always require formal legal process.
Q: Our school app sends push notifications about attendance and grades to parents’ phones. Is this covered by Section 7(c) because parents voluntarily downloaded the app?
A: Partly. Downloading an app does not constitute consent to all processing; it indicates consent to the app’s core functionality. Sending grades data to parents is a stated purpose of the app (covered by voluntary provision or consent). But if the school analyzes grade trends to predict student failure rates and shares predictions with external tutoring companies, that is secondary processing not covered by the original voluntary provision. Secondary uses outside the stated purpose require fresh consent, not Section 7.
Q: Section 7(a) says “compliance with law.” Does our mandatory annual performance review of teachers count as “compliance with law”?
A: Only if a law explicitly mandates it. If it’s a school policy or institutional practice (even if universal in your school), it is not “compliance with law.” You would need to either (a) show that state education regulations or a labor statute mandate annual reviews, or (b) obtain employee consent separately. Do not stretch Section 7(a) to cover institutional policies; it applies only to actual legal requirements.
Q: A parent asked us to delete their child’s medical records after the child graduated. Can we refuse under Section 7?
A: Section 7 permits processing; it does not override erasure rights under Section 10. Once processing is no longer necessary for the Section 7 ground (e.g., the child has graduated and no longer needs on-campus medical care), the school must delete or anonymize the records unless another legal ground justifies retention. Section 7 is not a shield against erasure requests; it is only a shield against consent requirements during active processing.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →