Industry · 2026-05-13 · 8 min read

Student Exam Data Under India's DPDP Act 2023: What Universities Must Get Right

India's Digital Personal Data Protection Act 2023 applies directly to examination records. As digital evaluation becomes standard, universities face new obligations around consent, data retention, breach notification, and student rights.

India's First Comprehensive Data Law Has Arrived

The Digital Personal Data Protection (DPDP) Act, 2023 came into force progressively through 2024 and 2025. For Indian universities and examination boards, it is not a distant corporate compliance concern — it is a framework that applies directly to the data collected, processed, and stored during the examination and evaluation lifecycle.

A student's answer script, marks, roll number, evaluation history, and revaluation request are all personal data. The institution that collects and processes this data is a Data Fiduciary under the Act. The student is the Data Principal.

As digital evaluation becomes the standard — eliminating paper answer books in favour of scanned scripts evaluated on secure platforms — the volume of structured, searchable examination data that institutions hold increases substantially. With that increase comes a corresponding set of legal obligations that many institutions have not yet mapped to their examination processes.

What Examination Data Is Covered

The DPDP Act applies to "digital personal data" — personal information that exists in digital form or is digitised from physical form. In a university's examination system, this includes:

  • Student identity records: Roll numbers, application data, identity verification documents, biometric data captured at examination centres
  • Answer scripts and annotations: Scanned answer books, evaluator marks and annotations, question-wise scores assigned during evaluation
  • Evaluation records: Evaluator identity, marks awarded per question, timestamps of each marking action, moderation notes
  • Revaluation records: Any changes to marks, reasons for changes, moderator identity, before-and-after mark data
  • Result data: Consolidated marks, grade records, pass or fail status, rank within the examination cohort
  • Grievance records: Revaluation applications, supporting documents, institutional correspondence and resolution outcomes

All of this data, once in digital form, falls within the Act's definition of personal data. When it relates to examination performance — a metric directly consequential to a student's career — institutions should treat it with the heightened care the Act expects of Data Fiduciaries processing sensitive information.

    The Six Core Obligations for Examination Bodies

    Universities and examination boards acting as Data Fiduciaries have six core obligations under the DPDP Act.

    1. Lawful Purpose and Consent

    Processing personal data requires either the student's consent or a recognised lawful ground. For examinations, the primary ground is "public function" — universities conducting examinations in fulfilment of their statutory role under UGC or state university acts. However, this ground has scope limits: it covers evaluation for the purpose of awarding marks, not secondary uses of evaluation data such as sharing with third parties, using for commercial analytics, or retaining beyond the period required for the stated purpose.

    Where students are minors — as is the case for Class 10 and Class 12 board examinations — the Act requires verifiable parental or guardian consent for data processing that goes beyond the core examination function.

    2. Purpose Limitation

    Data collected for evaluation cannot be repurposed without a fresh legal basis. An institution cannot use detailed question-wise performance data from semester examinations to build commercial analytics products, share identifiable evaluation data with external research bodies, or supply it to admissions screening services without explicit student consent covering that specific use.

    The evaluation data exists within the student's examination record. Its use must remain within that scope unless a new consent or lawful ground applies.

    3. Data Retention Limits

    The Act prohibits retaining personal data beyond what is necessary for the stated purpose. Examination records serve specific retention purposes: result verification, certificate issuance, revaluation, academic record maintenance, and statutory compliance. Beyond these purposes, institutions must define a data lifecycle and implement deletion protocols.

    For scanned answer books specifically — stored as high-resolution image files in digital evaluation platforms — storage costs and retention policies need formal documentation. A scanned answer book may legitimately need to be retained for three to five years to cover revaluation and RTI request windows. Retaining it for twenty years without a legal basis creates a compliance risk.

    4. Data Quality and Accuracy

    Institutions have an obligation to ensure that data is accurate and promptly corrected when errors are identified. In the examination context, this means:

  • Mark corrections cannot sit in a pending queue indefinitely after errors are reported
  • Revaluation outcomes must be reflected in official records within a defined timeframe
  • Student-identified discrepancies between their answer script and recorded marks must have a documented correction process

    Digital evaluation platforms with structured audit trails support this obligation by design: every change to a mark is logged with a timestamp and an authorisation record, making accuracy verification traceable and the correction history transparent.

    5. Data Principal Rights

    Students have the right to access, correct, and seek erasure of their personal data. In examination contexts, this maps to existing processes — mark verification, photocopy requests, revaluation applications — but the Act formalises these with a statutory framework:

  • The right to access means students can request the institution to provide what data it holds about them in a readable format
  • The right to correction requires the institution to fix inaccuracies upon request, with a response within the Act's specified timeframe
  • The right to erasure applies to data no longer required for any lawful purpose — once the result cycle is complete and retention obligations are met, lingering data must be deletable upon request
  • The right to grievance redressal means examination-related data complaints must be acknowledged and resolved, not indefinitely deferred

    Institutions need to map these rights to their existing examination processes and identify where formal procedures are absent or inadequate.

    6. Breach Notification

    If a data breach occurs — unauthorised access to answer scripts, mark records, or evaluation platform credentials — the institution must notify the Data Protection Board of India and affected students within the Act's prescribed window. This obligation requires breach detection capability, not just breach prevention. Institutions that discover a breach weeks after it occurred, through external reporting rather than internal monitoring, are in a significantly weaker legal position.

    Practical Implications for Digital Evaluation Deployments

    For institutions adopting or expanding digital evaluation systems, DPDP compliance should be embedded in the procurement and deployment process, not treated as a post-implementation checklist.

    During vendor selection:

  • Confirm that the evaluation platform processes and stores data within India; data localisation is an implicit expectation under the Act and an explicit requirement for future enforcement
  • Review the Data Processing Agreement — the university is the Data Fiduciary and the platform vendor is a Data Processor; the agreement must specify permitted data uses, security standards, and breach notification obligations
  • Verify the vendor's access controls: evaluator data (marks, annotations) and student identity data should be access-controlled separately, and platform access logs should be available to the institution for audit

    During examination operations:

  • Use only the data collected for the evaluation purpose; do not route answer script data through external analytics tools not specified in the processing agreement
  • Log all access to answer script data; role-based access control should ensure evaluators can only see the scripts assigned to them, not the full student population

    After examinations:

  • Define a data retention schedule — active records, archives, and deletion timelines — and document it in the institution's data protection policy
  • Implement a formal process for responding to data access and correction requests within the statutory timeframe
  • Document the process for identifying, containing, and notifying breaches

    The Intersection with RTI

    The Right to Information Act, 2005 and the DPDP Act, 2023 create a complex overlay in the examination context. Answer scripts have historically been subject to RTI requests following Supreme Court judgments holding them to be public documents in limited circumstances. Under the DPDP Act, third-party access to personal data — including another student's performance data or an evaluator's identity — is constrained.

    Institutions should establish clear policies for handling RTI requests involving examination data under the dual framework: what must be disclosed under RTI, what is protected as personal data under DPDP, and how the institution will adjudicate conflicts. The two laws do not straightforwardly override each other, and the intersection will likely require regulatory guidance as enforcement matures.

    Why Digital Evaluation Makes Compliance More Achievable

    It may seem counterintuitive: digital evaluation generates more structured data, which creates more compliance obligations. But the logged, structured nature of digital evaluation data actually makes compliance demonstrably easier.

    | Compliance Obligation | Paper Evaluation | Digital Evaluation |
    |---|---|---|
    | Access logs (who viewed which script) | Not available | Automatically generated |
    | Audit trail for mark changes | Register entries, if maintained | Every change logged with timestamp |
    | Breach detection capability | Not feasible | System anomaly alerts possible |
    | Data retention enforcement | Manual archive retrieval | Configurable retention schedules |
    | Response to correction requests | Physical retrieval, manual correction | Platform-level correction with audit log |
    | Data localisation verification | Not applicable (physical) | Cloud region configurable and auditable |

    Paper evaluation, by contrast, offers none of these controls. Scripts in transit between institutions are invisible to any audit. Marks entered manually have no automatic trail. The DPDP Act's obligations apply equally to institutions using paper — but their ability to demonstrate compliance is structurally weaker.

    A Compliance Readiness Checklist

    For examination controllers and IQAC teams preparing their institutions for DPDP compliance:

  • Map your data flows: Identify every stage where student examination data is created, processed, transferred, or stored
  • Review your vendor agreements: Ensure all third-party platforms you use for examination management or evaluation have signed Data Processing Agreements that specify purpose, security standards, and breach notification
  • Document your retention schedule: Specify how long each category of examination data is retained and what the legal basis is for that retention period
  • Establish student rights procedures: Create documented processes for handling access requests, correction requests, and grievance complaints, with defined response timelines
  • Implement breach response protocols: Define who is responsible for detecting, assessing, and notifying breaches — and ensure that process can operate within the Act's notification window
  • Train examination staff: Data protection is not solely an IT responsibility; examination administrators who handle student data need to understand what they can and cannot do with it