Aadhaar-based student ID raises alarms for privacy

tl;dr

The Ministry of Education introduced the APAAR initiative without any pomp and show – no press releases, no policy documents, no website. Just a letter sent to schools to start enrolling students into a centralised registry based on their Aadhaar numbers and Aadhaar-based biometric authentication. As schools begin to roll out the initiative, we note several alarming concerns with the APAAR framework, which collects, stores, and shares a vast amount of student data with few safeguards in place.

Background

In July 2023, the Ministry of Education introduced the Automated Permanent Academic Account Registry (“APAAR” or “Registry”) and the National Credit Framework (“NCrF”) through a panel discussion on the implementation of the 2020 National Education Policy (“NEP 2020”). APAAR aims to issue unique IDs to students based on their Aadhaar number. An APAAR ID is a life-long longitudinal record of a student’s educational scores, achievements and related statistics, and is deemed voluntary. According to reports, the Ministry of Education has written to state chief secretaries, asking schools to persuade students into creating APAAR IDs, which will be based on and authenticated through their Aadhaars. The Ministry also asked schools to organise special parent-teacher meetings, educating parents on the APAAR initiative and encouraging them to give consent towards creating students’ APAAR IDs. 

As we dig deeper into the APAAR framework and implementation plan for public and private schools across India, several issues come to the surface. The unique student ID, issued to school-going children against their Aadhaar numbers, will store their permanent educational and extra-curricular records. This necessitates questions about data collection, usage, storage, and sharing, as well as its link with Aadhaar. Moreover, records of children require added layers of data security. We wrote to the Ministry of Education outlining these concerns, which are discussed in more detail below.

No policy documents, no transparency

Under the initiative, the Ministry has started widespread collection of student data and envisions processing, storing, and sharing of such data, without having released any law or policy documents backing the APAAR framework. There are no press releases, frameworks of implementation, data use or privacy policies, or any official notification of the initiative – yet, states have been asked to begin rolling out APAAR IDs in public and private schools. Proactive steps are underway– recently, the Maharashtra government asked all schools to take consent from parents for the creation of students’ APAAR IDs. Further, India’s overarching data protection legislation, the Digital Personal Data Protection Act, 2023 (“DPDPA”) is not in effect yet. Any collection, processing, storing or sharing of student data during this time is being done without any legal safeguards in place. This concern is exacerbated by the fact that the data belongs to children, which according to the Supreme Court in Justice (Retd.) K.S Puttaswamy v. Union of India, necessitates additional safeguards and airtight data protection measures. 

Excessive data collection

The datasets slated to be collected through APAAR enrolment are not limited to just educational certificates and grades, but spread far and wide. According to reports, “beyond traditional academic records, APAAR will also encompass co-curricular achievements, such as rankings in Olympiads, specialised skill training, and extracurricular accomplishments. This comprehensive repository will help students showcase their holistic growth and diverse talents, which are increasingly valued by universities and employers.” 

We noted a divide between data slated to be collected and data actually collected by schools. A powerpoint presentation introducing the APAAR framework states, “the types of the fields to be kept in the APAAR Registry shall be minimal and shareable through consent with other Government Departments, Regulators, Accreditating Bodies, State Governments etc for various puposes related to education” [sic]. However, reports point to the contrary. In schools rolling out APAAR IDs, parents claim they are not comfortable with how much data is being collected. The consent form for enrolment, which is to be filled by parents, requests that “parents grant access to students’ personal information, including their name, address, age, date of birth, gender, and photograph, to educational institutions and recruitment agencies.” At the outset, there are inconsistencies with one of the only available “policy documents” on APAAR (which is, yes, a powerpoint presentation), and ground realities. 

Interestingly, the types of data that APAAR is slated to collect, is already collected, stored and processed by schools through the UDISE+ interface, which is a flagship School Profile & Facilities Management system of the Ministry of Education. Teachers, too, have questioned the need for a new Registry, stating that they collect similar data on students for internal use under UDISE+, and APAAR will only add to their heavy administrative burden.

Founded on Aadhaar

There are a number of significant concerns with linking students’ APAAR IDs to their Aadhaars.

1. First, the APAAR infrastructure, as rooted in Aadhaar identification and authentication of students, goes against the previous stances of the union government on the issue. Through a circular dated September 5, 2018, UIDAI stated that no child will be denied “due benefits or rights” for lack of production of Aadhaar. This is echoed in the Education Minister’s July 2023 response to a Parliamentary Question on the validity of making Aadhaar compulsory for school admissions. Further, the Department of School Education & Literacy issued a notification dated November 29, 2021 stating that “no eligible child shall be denied benefit under the [Integrated Education] Scheme in case of failure to establish his identity by undergoing authentication or furnishing proof of possession of Aadhaar number or in the case of a child to whom no Aadhaar number has been assigned, producing an application for enrolment, the benefit shall be given to him by verifying his identity on the basis of other documents…”. Therefore, in public or private contexts, requiring schools to empanel in APAAR and enrolling students to an Aadhaar-based unique ID, is contrary to the accepted legal-ethical norms on the issue.
2. According to the final report of the panel on NEP 2020, student enrolment for the APAAR ID is “voluntary”. However, there is an underlying mandatory nature to the process. Like most other government schemes, the school may provide options to enrol using other official documents, such as drivers’ licence, voter ID, or PAN card. However, the population being targeted for enrolment is students, or children, who would not have access to any such documents – except Aadhaar, which is age agnostic. Although PAN cards are available to minors, they are conditional to the minor having recurring investments in their name, income, nomination to shares/ dividends, disabilities, or entitlements under the Sukanya Samriddhi Yojana for the girlchild. These conditions make minor PAN cards accessible to only a small fraction of the population, as opposed to Aadhaar, which is age agnostic and widely available. Therefore by elimination, students may be compelled to use their Aadhaar, rendering it “mandatory”. 
3. The Supreme Court of India in Justice (Retd.) K.S. Puttaswamy v. Union of India stated that it hoped that the union government would not widen the Aadhaar net and unduly expand the scope of subsidies and benefits. In this case, Aadhaar is being used for a function that can be performed through any educational verification documents, such as the 10th or 12th standard marksheet, thereby unjustifiably widening its ambit. 

Unsecured data sharing

The APAAR framework was introduced as a “federated, standardised, compatible, unified, interoperable open API based 4th generation electronic registry which is authentic, trustworthy, uptodate and reusable for different applications and eco-system(s)” which is “built to allow single sign-on (SSO) using existing IDs in other registries.” APAAR IDs will be further linked with Digilocker and the Academic Bank of Credits (“ABC”) accounts, and will allow ministries, departments and other public and private entities to access information on enrolled students through APIs. The design envisages data sharing across interfaces without making any references to safeguards or data security measures. 

Additionally, Section 9(3) of the DPDPA specifically prohibits “tracking or behavioural monitoring of children or targeted advertising directed at children” by entities. Having open APIs and channels of data sharing without any robust safeguards, can expose children's data to third parties who may use it for such purposes. Before it is rolled out, any such interfaces must be secured and legal safeguards put in place.  There is an added responsibility on the APAAR framework to ensure cyber security, as the data being processed pertains to children, as affirmed by the Puttaswamy judgement and also echoed in Regulation 38 of the GDPR.

Weak consent framework

Schools require express consent from parents to enrol a child for an APAAR ID. This is in line with Section 9(1) of the DPDPA, which requires verifiable parental consent before processing children’s data. Section 6(4) of the Act further states that students, through their parents, shall have the right to withdraw their consent at any time, with the ease of doing so “being comparable to the ease with which such consent was given.”

We note that though parental consent is sought under APAAR, it cannot be withdrawn easily. According to reports, parents pointed out that there is no option to deny consent on the APAAR enrolment form given by the school, as well as the data-sharing terms. Schools are also unclear on how to proceed if a parent refuses to complete the form. On the contrary, the process to give consent is easy, and even facilitated. In the letter reportedly sent by the Ministry of Education to states, schools have been encouraged to hold “special parent-teacher meetings” to educate parents on APAAR and obtain their consent to enrol their child. We wrote to the Ministry and filed an RTI Application inquiring as to the content of this letter, and await a response.

Public and private schools across India have begun heeding to the Ministry and rolling out APAAR IDs without the requisite legal protections in place. IFF has filed three separate RTI Applications seeking clarity on inter-ministerial orders, policy documents for implementation, and data processing under the APAAR framework. We will continue to monitor implementation and progress on this front and make due interventions to protect digital rights – this time, of children.

Important documents

1. IFF’s Letter to the Ministry of Education on the APAAR ID (link)
2. IFF’s RTI to Ministry of Education on the letter sent to state Chief Secretaries (link)
3. Ministry of Education’s Thematic Session on NCrF and APAAR (Powerpoint Presentation) (link)
4. Ministry of Education’s Thematic Session on NCrF and APAAR (Final Report) (link)