Schools collect extraordinary amounts of sensitive personal data: children's names, ages, photographs, medical records, behavioral assessments, family income information for scholarship purposes, and precise daily location data from transport systems. This data, if mishandled, can cause real harm to real children. Data security is not an IT department concern — it is an ethical and legal obligation.
India's DPDPA 2023 and Schools
India's Digital Personal Data Protection Act (DPDPA) 2023 has specific provisions around data processing for minors. Schools that collect and process student data are classified as Data Fiduciaries and must obtain parental consent for data collection, implement reasonable security safeguards, and enable parents to access and request deletion of their child's data.
Questions to Ask Every ERP Vendor
- Where is our data stored — which cloud region, which provider?
- Is data encrypted at rest and in transit?
- Who within your organization has access to our school's data?
- What is your breach notification policy and SLA?
- Do you sell or share anonymized data with third parties?
- Can we export all our data if we switch providers?
- What security certifications do you hold (ISO 27001, SOC 2)?
Role-Based Access Control
Not every staff member needs access to every student record. A fee clerk should see financial records, not medical history. A transport coordinator should see route data, not academic records. Proper role-based access control limits data exposure and reduces insider risk.
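The access split described above, as an added example (not from the original article or from any ERP product): a deny-by-default, field-level filter in Python that also records what was withheld. The role names, data categories and field names are assumptions chosen to match the fee clerk and transport coordinator cases.

```python
# Added example: field-level, deny-by-default RBAC for student records.
# Role names, categories and field names are assumptions for illustration.

# Every field must be classified into exactly one data category.
FIELD_CATEGORY = {
    "name": "identity", "class": "identity",
    "fee_balance": "financial", "family_income": "financial",
    "allergies": "medical", "medications": "medical",
    "bus_route": "transport", "pickup_stop": "transport",
    "grades": "academic", "behaviour_notes": "academic",
}

# Each role is granted only the categories its job requires.
ROLE_CATEGORIES = {
    "fee_clerk": {"identity", "financial"},
    "transport_coordinator": {"identity", "transport"},
    "school_nurse": {"identity", "medical"},
    "class_teacher": {"identity", "academic"},
}

def view_record(role, record, audit_log):
    """Return only the fields `role` may see and log everything withheld."""
    allowed = ROLE_CATEGORIES.get(role, set())  # unknown role sees nothing
    visible, withheld = {}, []
    for field, value in record.items():
        category = FIELD_CATEGORY.get(field)  # unclassified field gives None
        if category is not None and category in allowed:
            visible[field] = value
        else:
            withheld.append(field)
    audit_log.append({"role": role, "withheld": sorted(withheld)})
    return visible

# Constructed sample record (not real data).
SAMPLE = {
    "name": "Student A", "class": "7B", "fee_balance": 12000,
    "family_income": 450000, "allergies": "peanuts", "bus_route": "R4",
    "pickup_stop": "Stop 12", "grades": {"maths": "A"},
    "id_document_scan": "file-001",  # added later, never classified
}

if __name__ == "__main__":
    log = []
    for r in ("fee_clerk", "transport_coordinator", "temp_staff"):
        print(r, "->", sorted(view_record(r, SAMPLE, log)))
```

Because the filter allows only classified fields for known roles, a newly added column or a newly created role exposes nothing until someone explicitly grants it.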
Incident Response
Ask every vendor for their incident response plan. How quickly will they notify you of a breach? What remediation steps will they take? A vendor that cannot answer these questions clearly is a vendor that has not taken data security seriously enough.
