DPDP Act 2023

The Digital Personal Data Protection Act, 2023 is India's main law for handling digital personal data. It applies to personal data collected in digital form, and also to non-digital personal data once it is digitised. The law is meant to protect the rights of individuals while allowing organisations to process data for lawful purposes.

At a practical level, the Act expects organisations to clearly inform people what data is being collected, why it is being collected, and how they can exercise their rights. Consent must be free, specific, informed, unconditional and unambiguous, and it must relate only to data that is necessary for the stated purpose.

The Act also gives individuals important rights, including the right to access information about their personal data, the right to correction and erasure in applicable cases, and the right to grievance redressal. It also requires reasonable security safeguards to prevent personal data breaches, and breach intimation to affected persons and the Board in the prescribed manner.

As of November 13, 2025, the Government also notified commencement of different provisions in phases, established the Data Protection Board of India, and notified the Digital Personal Data Protection Rules, 2025.

How Institute OS takes care of data privacy

At Institute OS, we understand that student, parent, staff, and institutional data must be handled responsibly. We design our platform and processes to support privacy-first handling of personal data and to align our practices with the principles of the DPDP framework.

1. Clear purpose for data collection

We aim to collect personal data only for defined platform functions such as admissions, student records, attendance, communication, fee management, and related institutional operations. We work to avoid collecting unnecessary personal data beyond what is needed for the service. This reflects the Act's requirement that consent be tied to a specified purpose and limited to data necessary for that purpose.

2. Transparent notices and consent flows

Where consent is required, our goal is to present clear notices explaining what information is being collected and why. We also work to make it easy for institutions and users to understand available privacy choices and how to raise requests or concerns.

3. Access, correction, and deletion support

We build features and internal processes that help institutions respond to requests related to access, correction, updating, and deletion of personal data, subject to legal and operational requirements. Where data must be retained for compliance or valid institutional records, that retention is handled accordingly.

4. Security safeguards

We implement technical and organisational measures intended to protect personal data under our control. This includes secure access controls, role-based permissions, authentication, system monitoring, and other reasonable safeguards designed to reduce the risk of unauthorised access, misuse, or data breaches.

5. Controlled access inside the platform

Institute OS is designed so that data access can be limited based on user roles such as school admin, admissions staff, teachers, finance teams, and parents. This helps institutions ensure that only authorised users can view or manage relevant information. This supports the broader obligation to handle personal data responsibly and with organisational controls.

6. Retention with purpose

We work to retain personal data only for as long as required for the relevant purpose, contractual need, or legal obligation. When data is no longer required and there is no legal basis to retain it, deletion or erasure workflows should be followed.

7. Grievance and support channels

We support institutions and users with channels to raise privacy-related questions, corrections, or concerns. This is important because the Act requires readily available grievance redressal mechanisms.

8. Special care for children's data

Because educational institutions often process data relating to children, privacy handling must be especially careful. The Act places additional obligations around children's personal data, including restrictions on tracking, behavioural monitoring, and targeted advertising directed at children.

Our commitment

Institute OS is committed to responsible data handling, privacy-aware product design, and ongoing improvement of our security and compliance practices. As the DPDP Act, related rules, and implementation requirements continue to evolve, we review and update our processes to support institutions in managing personal data more responsibly.