Back to docs

Playbook · Schools

Schools, colleges, coaching institutes

A 30-day operational playbook for K-12 / college / coaching DPDP compliance. Written for the school office staff who actually has to run this — not the lawyer who wrote the act.

Why this matters: DPDP §9 + Rule 10 require verifiable parental consent for processing children's data. Schools handle this for hundreds of students. Without an audit trail, every photo in the school newsletter is a potential ₹250 cr penalty exposure.

What DPDP requires from a school

  • §9 + Rule 10: verifiable parental consent before processing a child's personal data. Email + phone confirmation of the parent identity is the minimum bar.
  • §6 (consent): separate, granular consent for each purpose — admission, photo usage, alumni communication, transport, etc.
  • §11 (right to access): parent can ask "what data do you hold on my child?" — you must respond within 30 days with the full list.
  • §12 (correction / erasure): parent can ask you to correct address, delete photos, withdraw alumni-comm consent.
  • §13 (grievance): you must publish a grievance officer email and respond to complaints within 30 days.
  • Breach reporting: CERT-In needs a Form A within 6 hours of detection; DPB Form B within 72 hours of confirmation.

30-day rollout

Day 1 (Setup, ~30 min)

  1. Sign up at /dpo/signup, pick "School", enter UDISE+ code, district, board (CBSE/ICSE/state).
  2. Verify email. Console pre-loads sector defaults (5 policies, retention table, 3 consent templates).
  3. Walk through the setup checklist (5 steps; ~10 min): tenant info, grievance officer, first consent, retention review, processing-activity register skeleton.
  4. Add the school principal + admin staff as users. Assign roles (DPO / admin / staff / read-only).

Day 2–7 (First-week operations, ~2 hrs)

  1. Issue your first parental admission consent via /dpo/consent/issue using the "School admission" template — pre-fills purposes (admission, exam records, fee payment, transport optional, photo usage optional).
  2. Print the signed receipt PDF; staple to admission file. Parent copy goes home with the welcome packet.
  3. Bulk-import existing students' parental contacts via CSV; send a re-consent campaign for "currently held data" to bring legacy records into compliance.
  4. Set the grievance officer's mailbox to forward to /dpo/rights intake — incoming "delete my photo" emails become trackable rights requests.

Day 8–30 (Steady state)

  1. Per-event photo consent: when an event is announced (sports day, annual day), issue a photo / event-comm consent to all affected parents. Receipts are linked to event ID, so when you publish photos in the newsletter you can prove which students opted in.
  2. Install Sentinel on the office's Windows endpoint — captures encryption posture, AV, patch state, signs heartbeats hourly. The MSI is EV-code-signed; SmartScreen shows COGNOSHIFT PRIVATE LIMITED as the verified publisher.
  3. Run one tabletop incident drill: simulate "USB stick lost with class XII results." The portal generates CERT-In Form A and DPDP Form B drafts.
  4. Generate the first monthly compliance report from /dpo/reports — file with the school management committee.

The four consent templates a school must run

CR-SCHOOL-ADMISSIONParental admission consent

When: One-time at admission for every new student.

Purposes:

  • Admission processing
  • Academic records
  • Examination & results
  • Fee collection
  • Transport (optional)
  • Insurance enrolment (optional)

Retention: Until 7 years after the student leaves the school (CBSE bye-laws + IT records norm).

CR-SCHOOL-PHOTO-EVENTPhoto & event communication consent

When: Per academic year, ideally at the start of each term.

Purposes:

  • Class photo in newsletter
  • Sports day / annual day photos in printed magazine
  • Photos on school website / social media (separately enumerated)
  • WhatsApp / SMS event reminders to parent

Retention: As long as the published material exists; revocable on parental request, with the school making best-effort takedown of digital copies.

CR-SCHOOL-TRANSPORTTransport / pickup / GPS-tracking consent

When: Once per student per school year.

Purposes:

  • Bus route assignment
  • Live GPS tracking for parents
  • Pickup-drop logging for safety audits

Retention: 2 years after the student stops using transport, then summary purged; raw GPS logs purged at 90 days.

CR-SCHOOL-ALUMNIAlumni communication consent

When: Issued at the time of leaving / graduation.

Purposes:

  • Alumni newsletter
  • Reunion invitations
  • Fundraising / endowment outreach

Retention: Until the alumnus withdraws consent or 10 years, whichever earlier.

Retention schedule (CBSE / ICSE / state-board aligned)

Record typeRetentionSource
Admission file (TC, mark sheets, certificates)7 years after leavingCBSE bye-laws + IT 10A
Class XII / Board exam results (in-school copy)PermanentCBSE archival rule
Fee receipts8 yearsIncome Tax Act §44AA + GST
Transport / GPS logs (raw)90 daysInternal — minimisation
CCTV footage30 days unless an incident is loggedInternal — POSH / safety norm
Photos used in published materialUntil parent withdraws + best-effort takedownDPDP §6 + §12
Staff records (employment)7 years after exitIndustrial Disputes Act §7
Health / immunisation recordsUntil age 25, then per parent's instructionICMR guidance

Sanad's pre-loaded retention schedule for the School sector matches this table. Edit at /dpo/retention to customise.

Incident scenarios — what the playbook does

Photo published without consent

A parent emails complaining their child's photo was in the school's Facebook post — they never gave permission.

  1. In /dpo/rights, log a §12 erasure request (reason: invalid consent). The rights tracker assigns an SLA timer (30 days under DPDP).
  2. In /dpo/incidents, log this as a low-severity incident (category: "Unauthorised processing"). The IR-* artifact is signed and chained.
  3. Pull down the post + cached copies on linked surfaces. Confirm action in the rights ticket.
  4. If the published material was monetised or reached >100 individuals, escalate to a §27 reportable breach — the system generates a CERT-In Form A draft.
  5. Issue a written response to the parent (template in the rights detail page) attaching the signed action receipt.

USB stick with class XII results lost

A teacher reports a USB stick with marked answer scripts is missing, ahead of result publication.

  1. Within 6 hours, file a CERT-In Form A in /dpo/incidents (Sanad pre-fills sector + asset class).
  2. Within 72 hours, file the DPDP Form B with affected categories (academic records of N students).
  3. Issue a notification to all affected parents using the breach-notice template — must include type of breach, data exposed, mitigation, your contact.
  4. Close the loop: re-encrypt all teacher-issued USBs, mandate Sentinel-installed school laptops only.
  5. File a closure report with the management committee + DPB once mitigation is verified.

SMS sent to wrong parent

A clerical error causes a fee-defaulter notice to go to a different student's mobile number.

  1. Apologise to the affected parent in writing; log a §12 correction request (number on file).
  2. Log this as a low-severity incident — Sanad records it with no breach escalation if exposure was a single attribute (name + fee status).
  3. If repeated more than 3 times in a year, raise a process-improvement task — typically requires the SIS to validate phone number against an OTP at admission.

What to show an auditor / regulator

A typical regulator visit (Education Department, NCPCR, or post-DPB notice) opens with these questions. Sanad answers each in one click.

"Show me consent for these 30 students."

Open /dpo/consent. Filter by student name or class. Each row is a signed CR-* artifact; click to download the PDF receipt.

"Show me everything that happened in March."

/dpo/activity with period = 30d (or custom range). Cross-artifact stream: every consent, every right, every incident, every policy change.

"Prove these signatures aren't fake."

Send the auditor to /verify. They paste the artifact JSON, the page does Ed25519 verification in their own browser via Web Crypto. No trust in our servers required.

"What's your retention policy and have you executed deletions on time?"

/dpo/retention shows your schedule. /dpo/erasure-jobs shows every deletion the system has scheduled or executed, with proof of completion.

"Show your processing activity register."

/dpo/governance/ropa — the live RoPA. Each entry is a signed PR-* artifact.

"What's your grievance flow and SLA performance?"

/dpo/rights with status filter. The aggregate page shows median + p95 response time per right type vs. the 30-day DPDP requirement.

Ready to start?

The school playbook is prebuilt into Sanad — sign up, pick "School", and your console arrives with templates / retention / sector dashboard ready.

Start a school tenant

Question about a sector-specific scenario? Email us.