Confidential Dispatch
At a glance

A solo tutor’s WhatsApp group for homework updates and a fee register with student names, class and phone numbers hold real personal data belonging to minors — and a one-person coaching practice doesn’t have the institutional relief formal schools get for tracking a child’s data. The practical baseline: verifiable parental consent before adding a child’s data to any digital system, and treating the WhatsApp group and fee records as personal-data channels, not just convenient admin tools, however small the operation.

Educational resource only. This explains the parental-consent baseline under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) for solo and small-scale coaching practices; it is not formal legal advice.

The situation

A neighbourhood coaching class or a solo home tutor runs on the same tools every small business does — a WhatsApp group for updates, a notebook or spreadsheet for fees, a phone for parent calls. None of it feels like “data processing.” All of it is: the WhatsApp group holds student names and often photos of schoolwork; the fee register holds names, class, contact numbers and payment history for minors. The DPDP Act’s children’s-data rules apply to that, regardless of how informal the setup is.

Why “it’s just a small tuition class” doesn’t lower the bar

The DPDP Act’s duties don’t have a size or formality exemption — a solo tutor is a Data Fiduciary the same way a large coaching chain is. The moment a tutor decides why and how a student’s personal data is used — even just a name and phone number in a WhatsApp group — they’re a Data Fiduciary with the baseline duties that come with it. Where the child is under 18, that specifically means the children’s-data provisions: verifiable parental consent, and no behavioural tracking or targeted advertising directed at the child.

Does the school-safety relief cover a solo coaching class?

Generally no — that relief is scoped to specific institutional classes, not an individual tutor or a small coaching practice. The Rules carve out narrow relief under Rule 12 and the Fourth Schedule for defined institutional classes — schools among them — processing a child’s data for specific educational or safety purposes. A solo tutor or a small, informally-run coaching class typically doesn’t fit the institutional definition that relief is written for, which means the general children’s-data rules — verifiable parental consent, no tracking or targeting — apply without that narrower carve-out to lean on.

What verifiable parental consent looks like at this scale

It doesn’t need to be a formal system — it needs to be real, and it needs to come from the parent, not the child. For a solo or small practice, a workable version is:

  • Enrolment-time consent from the parent, in writing (even a simple form or a confirmed message), naming what will be collected (name, class, contact number, fee records) and how it’ll be used (class updates, fee reminders).
  • The parent’s number, not just the student’s, as the primary contact for anything data-related — including the WhatsApp group, where practical.
  • A plain statement of what won’t happen — no sharing the group or fee list with third parties, no using student photos or updates for the tutor’s own marketing without a separate ask.

Handling the WhatsApp group and fee records specifically

Both are personal-data systems, even at this scale — treat them with the same basic discipline a larger institution would apply.

  • The WhatsApp group — add only what the enrolment consent covers; avoid posting individual students’ marks, attendance issues or photos into a group visible to all parents, since that’s a different (and often unconsented) use than general updates.
  • The fee register — whether paper or digital, limit who can see it, and don’t repurpose it for anything beyond fee tracking (e.g. building a marketing contact list) without fresh parental consent.
  • Retention — delete or archive a former student’s records once they’ve left the class and any fee-dispute window has passed, rather than keeping years of past students’ contact details indefinitely.

Multi-tutor and franchise coaching centres

A coaching centre with several subject tutors, or one operating under a franchise brand, adds an internal-sharing question the solo-tutor picture doesn’t have — the same student’s data now potentially moves between multiple tutors who each teach them a different subject. A parent consenting to enrol their child at the centre has agreed to the centre processing the child’s data for coaching; that doesn’t automatically mean every tutor on staff should have standing access to every enrolled student’s contact details and fee records, only the ones actually teaching that student. Practically: keep the master fee register and contact list access limited to whoever administers the centre (owner, front-desk staff), rather than shared wholesale with every tutor, and give each tutor their own class-specific WhatsApp group and student list rather than one centre-wide group everyone can see into. For a franchise operation specifically, the same brand-versus-locally-operated-property distinction that applies to gyms and hotels applies here: a franchisor’s head-office data practices don’t automatically bind how an individual franchisee actually handles enrolment data day to day unless it’s built into the franchise agreement and the local centre’s own systems — each franchise location is still the Data Fiduciary for its own students’ data.

FAQ

Should every tutor at a coaching centre have access to all enrolled students’ contact and fee details?

No — access should be limited to whoever actually needs it (centre administration, the tutor teaching that specific student), not shared centre-wide by default just because everyone works at the same practice.

Does a single home tutor count as a Data Fiduciary under the DPDP Act?

Yes — size and formality don’t create an exemption. Deciding why and how a student’s data is used, even informally, makes a tutor a Data Fiduciary with the corresponding duties.

Can a coaching class rely on the same relief schools get for tracking student data?

Generally no — the Rules’ institutional relief is scoped to specific institutional classes and purposes; an individual tutor or small coaching practice typically doesn’t fit that scope and should default to the general children’s-data rules.

Is a WhatsApp group for class updates itself a problem under the DPDP Act?

Not inherently — it’s a normal, low-friction communication channel. The issue is scope: only add what parents consented to, and avoid posting individual, sensitive student information (marks, discipline issues) into a group visible to everyone.

What happens to a former student’s data after they leave?

It should be deleted or archived once the enrolment ends and any practical need (like resolving a fee dispute) has passed — not kept indefinitely as a running contact list.

Reviewed by Confidential Dispatch Editorial Team
Last updated 18 July 2026
Not legal advice.

Collecting personal data from your own customers?

These are the rights your business has to honour. See where you stand with a two-minute self-check — no sign-up, no data stored.

Run the compliance self-check →