The Hindu Editorial Analysis- 27th July 2024 | Current Affairs & Hindu Analysis: Daily, Weekly & Monthly - UPSC PDF Download

Using Children’s Personal Data Legally and Securely

Why in News?

Adherence to the principles of data privacy and data minimisation is particularly pertinent given the sensitive nature of children’s personal data.

The Indian Education system

• The Indian school education system is vast, with around 1.5 million schools, 9.7 million teachers, and about 265 million students from preschool to high school levels, representing diverse socioeconomic backgrounds. 
•  To effectively manage the broad education system in India, the Ministry of Education introduced the UDISE platform in 2018. 
•  The UDISE platform is crucial for gathering and sharing real-time data on school infrastructure, teachers, student enrollment, and academic performance. 
•  This data helps in creating result-oriented policies to enhance the quality of education in India. 
•  By enhancing resource allocation procedures and monitoring educational initiatives, UDISE also tracks educational patterns. 
•  The main goal of this initiative is to improve administration and optimize service delivery. 

 APAAR

• In the National Education Policy of 2020, the Ministry introduced APAAR, which is a special identification for students. This helps gather all student academic records in one place.
• The collected demographic data includes Aadhaar details obtained with the student's permission.
• Efforts are being made to make schooling easier by connecting APAAR and UDISE.
• Automating student admissions aims to reduce dropouts during transitions and improve opportunities for further education.
• Entities like DigiLocker and educational technology companies often work with State governments.
• Linking UDISE and APAAR exposes student information to these educational entities.
• In 2020, the Education Ministry created a data-sharing policy for schools, which needs updating after the Digital Personal Data Protection Act of 2023.
• Clarity is lacking on compliance standards for educational technology firms under the new Act.
• There are uncertainties regarding verifiable parental consent requirements, especially concerning minors' data under UDISE/APAAR.
• The DPDP Act stresses using personal data only for specific legitimate purposes.
• Sharing children's data beyond authorized purposes could breach this rule.
• The Ministry recognizes the benefits of nationwide student data sharing, such as tracking student migration.
• Efficient management of educational records is crucial for the system's smooth operation.

The three-part test

• The Supreme Court acknowledged the right to privacy as a basic right in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India (2018).
• This evaluation is used to measure how state actions affect citizens' privacy rights.
• Under this evaluation, three criteria are outlined: 
  • There must be a valid state interest in limiting the right.
  • Any limitation must be essential and proportional to serve the interest.
  • The limitation must be established by law.
• The incorporation of Aadhaar in APAAR/UDISE must adhere to these three conditions.
• It is crucial to be cautious to prevent data breaches and cyber threats.
• Compliance with data privacy and minimization principles is especially important due to the sensitive nature of children's personal data.

The need for specific protocols

• Regarding sharing kids' personal information for unknown reasons, involving outside parties like DigiLocker may create uncertainty about their role.
• We need to figure out who plays what role—like data caretaker, data handler, and data owner—to assign responsibilities properly.
• While APAAR's privacy rules cover data security, combining, third-party links, saving data about kids for unknown use might need specific steps, which are currently missing.
• The data policy and yearly report stress that the Ministry isn't legally responsible for the accuracy or sharing of data on UDISE.
• The privacy policy guides complaints to a specific officer but doesn't explain how legal responsibility works.
• This reveals a clear absence of a system to address complaints and help individuals whose data is gathered and exchanged under APAAR.

 Way forward

• Standard operating procedures, whether technical or legal, within a comprehensive governance framework are a top priority.
• These procedures will help maintain the authenticity of data and specify the legal duties for the involved parties.