At a glance
A solo tutor’s WhatsApp group for homework updates and a fee register with student names, class and phone numbers hold real personal data belonging to minors — and a one-person coaching practice doesn’t have the institutional relief formal schools get for tracking a child’s data. The practical baseline: verifiable parental consent before adding a child’s data to any digital system, and treating the WhatsApp group and fee records as personal-data channels, not just convenient admin tools, however small the operation.
Educational resource only. This explains the parental-consent baseline under India’s Digital Personal Data Protection Act, 2023 (DPDP Act) for solo and small-scale coaching practices; it is not formal legal advice.
The situation
A neighbourhood coaching class or a solo home tutor runs on the same tools every small business does — a WhatsApp group for updates, a notebook or spreadsheet for fees, a phone for parent calls. None of it feels like “data processing.” All of it is: the WhatsApp group holds student names and often photos of schoolwork; the fee register holds names, class, contact numbers and payment history for minors. The DPDP Act’s children’s-data rules apply to that, regardless of how informal the setup is.
Why “it’s just a small tuition class” doesn’t lower the bar
The DPDP Act’s duties don’t have a size or formality exemption — a solo tutor is a Data Fiduciary the same way a large coaching chain is. The moment a tutor decides why and how a student’s personal data is used — even just a name and phone number in a WhatsApp group — they’re a Data Fiduciary with the baseline duties that come with it. Where the child is under 18, that specifically means the children’s-data provisions: verifiable parental consent, and no behavioural tracking or targeted advertising directed at the child.
Does the school-safety relief cover a solo coaching class?
Generally no — that relief is scoped to specific institutional classes, not an individual tutor or a small coaching practice. The Rules carve out narrow relief under Rule 12 and the Fourth Schedule for defined institutional classes — schools among them — processing a child’s data for specific educational or safety purposes. A solo tutor or a small, informally-run coaching class typically doesn’t fit the institutional definition that relief is written for, which means the general children’s-data rules — verifiable parental consent, no tracking or targeting — apply without that narrower carve-out to lean on.
What verifiable parental consent looks like at this scale
It doesn’t need to be a formal system — it needs to be real, and it needs to come from the parent, not the child. For a solo or small practice, a workable version is:
- Enrolment-time consent from the parent, in writing (even a simple form or a confirmed message), naming what will be collected (name, class, contact number, fee records) and how it’ll be used (class updates, fee reminders).
- The parent’s number, not just the student’s, as the primary contact for anything data-related — including the WhatsApp group, where practical.
- A plain statement of what won’t happen — no sharing the group or fee list with third parties, no using student photos or updates for the tutor’s own marketing without a separate ask.
Handling the WhatsApp group and fee records specifically
Both are personal-data systems, even at this scale — treat them with the same basic discipline a larger institution would apply.
- The WhatsApp group — add only what the enrolment consent covers; avoid posting individual students’ marks, attendance issues or photos into a group visible to all parents, since that’s a different (and often unconsented) use than general updates.
- The fee register — whether paper or digital, limit who can see it, and don’t repurpose it for anything beyond fee tracking (e.g. building a marketing contact list) without fresh parental consent.
- Retention — delete or archive a former student’s records once they’ve left the class and any fee-dispute window has passed, rather than keeping years of past students’ contact details indefinitely.
Multi-tutor and franchise coaching centres
A coaching centre with several subject tutors, or one operating under a franchise brand, adds an internal-sharing question the solo-tutor picture doesn’t have — the same student’s data now potentially moves between multiple tutors who each teach them a different subject. A parent consenting to enrol their child at the centre has agreed to the centre processing the child’s data for coaching; that doesn’t automatically mean every tutor on staff should have standing access to every enrolled student’s contact details and fee records, only the ones actually teaching that student. Practically: keep the master fee register and contact list access limited to whoever administers the centre (owner, front-desk staff), rather than shared wholesale with every tutor, and give each tutor their own class-specific WhatsApp group and student list rather than one centre-wide group everyone can see into. For a franchise operation specifically, the same brand-versus-locally-operated-property distinction that applies to gyms and hotels applies here: a franchisor’s head-office data practices don’t automatically bind how an individual franchisee actually handles enrolment data day to day unless it’s built into the franchise agreement and the local centre’s own systems — each franchise location is still the Data Fiduciary for its own students’ data.
FAQ
Should every tutor at a coaching centre have access to all enrolled students’ contact and fee details?
No — access should be limited to whoever actually needs it (centre administration, the tutor teaching that specific student), not shared centre-wide by default just because everyone works at the same practice.
Does a single home tutor count as a Data Fiduciary under the DPDP Act?
Yes — size and formality don’t create an exemption. Deciding why and how a student’s data is used, even informally, makes a tutor a Data Fiduciary with the corresponding duties.
Can a coaching class rely on the same relief schools get for tracking student data?
Generally no — the Rules’ institutional relief is scoped to specific institutional classes and purposes; an individual tutor or small coaching practice typically doesn’t fit that scope and should default to the general children’s-data rules.
Is a WhatsApp group for class updates itself a problem under the DPDP Act?
Not inherently — it’s a normal, low-friction communication channel. The issue is scope: only add what parents consented to, and avoid posting individual, sensitive student information (marks, discipline issues) into a group visible to everyone.
What happens to a former student’s data after they leave?
It should be deleted or archived once the enrolment ends and any practical need (like resolving a fee dispute) has passed — not kept indefinitely as a running contact list.