Industry · 2026-06-27 · 9 min read

Examination Boards as Data Fiduciaries: DPDP Act Obligations Universities Must Know

The Digital Personal Data Protection Act 2023 classifies exam boards and universities as data fiduciaries with explicit compliance obligations. The CBSE OSM crisis made the consequences of non-compliance visible — here is what every examination office needs to do.


The Crisis That Changed the Governance Conversation

In February 2026, a 19-year-old student-researcher reported critical vulnerabilities in the CBSE On-Screen Marking (OSM) portal to CERT-In. By May, when Class 12 results were declared amid widespread controversy over blurred scans, mismatched answer sheets, and mark anomalies, those vulnerabilities remained substantially unaddressed. CBSE's payment portal for post-result services was then targeted by a cyberattack that affected approximately 50 students; specialists from IIT Madras and IIT Kanpur were brought in to contain the damage.

The Observer Research Foundation's June 2026 analysis identified the central issue precisely: the crisis was not merely a technology failure. It was a governance failure. And it played out under a new legal framework — the Digital Personal Data Protection Act 2023 and its accompanying Rules 2025 — that makes data governance obligations for examination bodies explicit, enforceable, and consequential.

Every university and examination board in India should read what happened at CBSE as a case study in what the DPDP Act was designed to prevent, and in what it now requires.

What Makes Examination Data a Distinct Category

Under the DPDP Act 2023, examination records are personal data. They contain information that directly identifies individual students — roll numbers, names, answer sheet images, marks per question, evaluator identifications, revaluation history — and they directly determine educational outcomes. Access to a premium college, eligibility for a scholarship, qualification for a professional program: all of these flow from marks that are, in law, personal data about the student who earned them.

What distinguishes examination data from other personal data in the educational context is that collection is mandatory. Students cannot realistically opt out of board registration or digital evaluation. The RPwD Act-style logic applies here: compulsory data processing carries heightened protection obligations. The institution that says "you must give us this data to receive an education" cannot also say "our handling of it is not our core concern."

The DPDP Act identifies entities that determine the purpose and means of data processing as data fiduciaries. Examination boards, universities, and affiliated colleges that run their own examinations are data fiduciaries. Their obligations under the Act are substantial and specific.

Eight Governance Obligations for Examination Bodies

1. Treat Examination Records as Sensitive Personal Data

Answer sheet images, marks awarded, and verification trails constitute a category of information that, if exposed or altered, directly affects individual educational opportunity. One caveat: the DPDP Act 2023 does not define a separate "sensitive personal data" class. Everything listed here is personal data in the ordinary sense, and the heightened care this obligation describes is an institutional standard the stakes justify, not a statutory tier. The purpose for collection must still be defined explicitly, and the data must not be processed beyond that scope. Using examination performance data for ranking, marketing, or commercial profiling without separate notice, consent, and purpose definition is a compliance failure (the Act exempts genuinely statistical or research processing only where it is not used to take decisions about individual students, and ranking and profiling are exactly such decisions).

2. Apply Minimum Security Standards Across All Digital Platforms

"All digital platforms" means every system that touches examination data — not just the primary evaluation portal. Testing environments, result portals, payment gateways, and revaluation applications each carry the same obligation. The CBSE experience is instructive: the security gap was in the payment system for post-result services, not in the core marking platform. A chain of examination data systems is as secure as its weakest component.

Minimum standards include: encryption at rest and in transit; access controls that limit visibility to those with a defined need; multi-factor authentication for examiner and administrator accounts; tamper-evident logging of every mark entry and change, so that the verification trail can be trusted when a revaluation dispute arises; and regular penetration testing, including of staging and testing environments, repeated after any major platform change rather than once at go-live.

3. Enforce Purpose Limitation and Data Minimization

Evaluators should see only what is necessary for the marking function. Student names are not necessary for evaluation; only a roll number, or a coded script number standing in for it, need be visible. Institution names, gender, disability status, and any other identifying information that could introduce bias are also unnecessary for marking. What is not visible cannot bias evaluation and cannot be a vector for data exposure.

Data minimization is not only a privacy principle here. It is simultaneously a quality-of-evaluation principle. The same architectural choice that reduces privacy risk also reduces evaluator bias.

4. Apply Equal Security Rigor to Testing Environments

The CBSE vulnerability disclosure revealed that a testing or staging environment had security standards below those of the live evaluation system. This is a common failure mode in organizations that treat production security as the compliance target and development/testing environments as internal concerns.

Under the DPDP Act, if a testing environment contains real student data, even temporarily, it carries the same protection obligations as the live system. Replacing roll numbers with codes does not change that: the data remains personal data for as long as the handwriting on the scans, or a mapping table held elsewhere in the institution, can link it back to a student. Institutions migrating to or upgrading digital evaluation platforms must include test environment data governance in their procurement and deployment specifications.
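As an added example (not code from the article, from CBSE, or from any OSM vendor), the following Python sketches the data-minimisation pattern of obligation 3 and the re-identification point of obligation 4 together. It goes one step beyond the text: instead of showing evaluators the roll number, it hands the marking system a keyed pseudonymous script code, with the key and the reverse map held only by the controller's office. The field names, the HMAC-derived code, the sample records, and the key-custody model are all assumptions made for illustration.

```python
"""Blind-marking views for an on-screen marking (OSM) system.

Added example for this article; not code from CBSE, MAPLES or any vendor.
Assumptions: a registration record is a dict with the fields below, the
controller of examinations holds a per-exam secret key, and the marking
system receives only the evaluator view, never the full record.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Fields an evaluator never needs for marking (assumed field names).
IDENTIFYING_FIELDS = frozenset(
    {"roll_number", "name", "school", "gender", "disability_status"}
)

# Constructed sample records; every value is fictitious. Note that
# answer_sheet_ref is a scan identifier, not a path built from the roll
# number, so the reference itself does not leak identity.
REGISTRATIONS = [
    {"roll_number": "2026A0001", "name": "Student One", "school": "School X",
     "gender": "F", "disability_status": "none", "subject": "PHY",
     "answer_sheet_ref": "scan-7f3a21"},
    {"roll_number": "2026A0002", "name": "Student Two", "school": "School Y",
     "gender": "M", "disability_status": "visual", "subject": "PHY",
     "answer_sheet_ref": "scan-9c10de"},
]


def new_exam_key() -> bytes:
    """Per-exam secret held by the controller's office, never by the marking system."""
    return secrets.token_bytes(32)


def script_code(exam_key: bytes, exam_id: str, roll_number: str) -> str:
    """Pseudonymous script code for one roll number in one exam.

    HMAC-SHA256 keyed with the controller's secret: a party holding codes
    but not the key cannot recover roll numbers, and the same student gets
    unrelated codes in different exams. 64 bits (16 hex chars) keeps the
    chance of a collision among millions of scripts negligible.
    """
    msg = f"{exam_id}|{roll_number}".encode()
    return hmac.new(exam_key, msg, hashlib.sha256).hexdigest()[:16].upper()


def evaluator_view(exam_key: bytes, exam_id: str, record: dict) -> dict:
    """What the marking system stores and displays: code, subject, scan reference."""
    return {
        "script_code": script_code(exam_key, exam_id, record["roll_number"]),
        "subject": record["subject"],
        "answer_sheet_ref": record["answer_sheet_ref"],
    }


def controller_index(exam_key: bytes, exam_id: str, records: list) -> dict:
    """Reverse map (code -> roll number) kept only on the controller side.

    Raises on a code collision instead of silently attaching one student's
    marks to another student's roll number.
    """
    index = {}
    for rec in records:
        code = script_code(exam_key, exam_id, rec["roll_number"])
        if code in index and index[code] != rec["roll_number"]:
            raise ValueError(f"script code collision for {code}")
        index[code] = rec["roll_number"]
    return index


def leaked_identifiers(view: dict) -> list:
    """Release gate: identifying fields present in a record bound for the marking system."""
    return sorted(k for k in view if k in IDENTIFYING_FIELDS)


def re_identify(exam_key: bytes, exam_id: str, code: str, records: list) -> Optional[str]:
    """Recover a roll number from a code. Works only with the exam key, which
    is why a pseudonymised copy (a staging dump, for instance) remains
    personal data for as long as that key exists anywhere."""
    return controller_index(exam_key, exam_id, records).get(code)


if __name__ == "__main__":
    key = new_exam_key()
    for rec in REGISTRATIONS:
        view = evaluator_view(key, "2026-PHY-1", rec)
        assert not leaked_identifiers(view)
        print(view)
```

The `leaked_identifiers` gate belongs at the export boundary, wherever records leave the controller's systems for the marking platform or a test environment. `re_identify` makes the obligation 4 point concrete: a staging copy built from evaluator views is still personal data while the exam key exists, because anyone holding both can link every code back to a student.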

5. Make Vendor Accountability Explicit Through Contracts

Third-party technology vendors who process examination data are data processors under the DPDP Act. The data fiduciary (the institution) remains responsible for the data processor's handling. This means vendor contracts must:

  • Specify the permitted data processing activities
  • Oblige the vendor to apply defined security safeguards (the fiduciary remains liable under the Act for processing done on its behalf)
  • Require breach notification to the institution within defined timeframes, so the institution can meet its own notification obligations to the Data Protection Board and to affected students
  • Grant the institution audit rights over the vendor's data handling
  • Define data deletion timelines after contract termination
  • Prohibit sub-processing without the institution's written approval

The CBSE's experience with its examination platform vendor, and the subsequent vendor transition in June 2026, illustrates what insufficient vendor accountability looks like at scale. Due diligence before procurement, not remediation under crisis conditions, is the governance standard.

6. Design Clear Incident Communication Protocols

When a personal data breach occurs, the DPDP Act requires the data fiduciary to notify both the Data Protection Board and each affected data principal, in the form and timeframe set by the Rules. Informing students is therefore a statutory duty, not only good practice. Communication must be accurate about what happened, what was affected, and what the institution is doing, rather than minimizing language designed to reduce perceived severity.

Pre-defined incident response protocols (who assesses the incident, who makes the notification decision, who communicates to students, what templates are used) must exist before an incident occurs, not be improvised under crisis conditions when reputational pressure distorts decision-making.

7. Treat Post-Result Services as Essential Student Infrastructure

The examination result cycle does not end with result declaration. The period immediately following results, when students access answer sheets, apply for revaluation, and manage college admissions against tight deadlines, involves concentrated, high-stakes personal data processing. For students facing admission cutoffs while waiting for revaluation outcomes, delays in post-result services are not inconveniences; they are material harm.

Post-result services must be designed, load-tested, and secured with the same rigor as primary evaluation systems. The CBSE experience of 1.6 lakh admissions at risk from revaluation delays illustrates the downstream consequence of treating post-result infrastructure as secondary.

8. Build Internal Capacity for Data Protection Compliance

The DPDP Act requires every data fiduciary to publish the contact details of a person able to answer data principals' questions about their data and to operate a grievance redressal mechanism; an entity notified as a Significant Data Fiduciary must additionally appoint a Data Protection Officer based in India. For examination bodies processing data at scale, this means named, accessible, trained personnel. It also means training examination administration staff at the controller level, the centre level, and the evaluation centre level on their obligations, including what constitutes a personal data breach and what the reporting obligation is.

Compliance is not a one-time certification activity. It requires ongoing training, periodic audits, and a culture in which data protection concerns are raised through legitimate channels rather than suppressed.

The Stakes for Non-Compliance

The Data Protection Board of India can impose penalties of up to Rs 250 crore for failing to take reasonable security safeguards to prevent a personal data breach, and up to Rs 200 crore for failing to notify the Board or affected data principals of one. For state universities and smaller examination bodies, the reputational impact is likely more consequential than the financial penalty.

Under NAAC Criterion 6 (Governance, Leadership, and Management), institutions must demonstrate good governance practices. A documented examination data protection policy, with evidence of implementation (vendor contracts reviewed, incident protocols established, staff trained), directly strengthens SSR evidence for Criterion 6. Absence of such documentation is increasingly difficult to explain to DVV panels familiar with DPDP Act requirements.

Where to Start

Examination offices that have not yet assessed their DPDP Act compliance position can begin with a data audit: list every system that touches student examination data, from answer book inwarding to result declaration to archival storage, including all third-party platforms and payment gateways.

From that map, identify which systems have explicit security standards, which vendor contracts include data processor obligations, and where incident communication responsibilities are unclear. The gaps between the current state and the eight obligations above define the compliance work required.

The CBSE crisis of 2026 demonstrated that digital examination infrastructure, managed well, builds institutional credibility; managed poorly, it destroys it. Data governance is the difference between those outcomes.

Related Reading

  • DPDP Act 2023 and Student Exam Data Privacy for Universities
  • Secure OSM Architecture: Lessons from CBSE Vulnerabilities
  • Exam Vendor Due Diligence: Lessons from CBSE and Kannur University