At a glance
Certificates and marksheets carry your full name, date of birth, roll numbers and institutions — identity-building data — but the bigger danger is physical: an employer or consultancy holding your originals holds leverage over you. The rule is verify, don’t surrender: recruiters verify against copies or digitally verifiable records (DigiLocker serves many boards and universities), originals stay with you and are only ever shown. Under India’s DPDP Act, whoever collects copies must state the purpose and delete them once it ends.
Educational resource only. This explains how your educational certificates are treated as personal data under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.
Why certificates are identity documents in disguise
A marksheet is treated as proof of studying, but it’s also proof of you — name, date of birth, institution and unique numbers, exactly the fields identity is built from. Certificates get shared at high-pressure moments — job applications, admissions, visa files — when refusing any demand feels like losing the opportunity. That pressure is why bad practices persist: consultancies “holding” originals, employers demanding full document sets at the application stage, agents collecting certificate scans for jobs that don’t exist. Knowing what’s normal — verification against copies — is the defence.
What your certificates actually reveal
Identity data first, academic data second. A certificate or marksheet typically carries your full name (and often a parent’s name), date of birth, photograph on many boards’ documents, roll and registration numbers, the institution and year, and the marks themselves. The identity layer is what a fraudster wants: name-plus-DOB anchored to an official document. The academic layer is what a fake CV wants: genuine certificate images are the raw material for forged or “adapted” credentials.
Many boards and universities now issue digitally verifiable versions of the same documents through DigiLocker — which matters because it breaks the old assumption that verification requires handling paper.
Who asks for them, and what they really need
Employers, background-check agencies, universities and visa processes all legitimately verify your education — none of them needs to hold your originals to do it. Whoever collects copies becomes a Data Fiduciary with duties to you: a clear notice of why they’re collected (Section 5), and collection limited to what the stated purpose needs (Section 6).
- Reasonable — an employer or its background-verification (BGV) agency verifying your stated qualifications against copies or DigiLocker records at the offer stage; a university processing your admission; a visa file including attested copies.
- Question it — full certificate sets demanded at the application stage from every applicant; a consultancy or employer wanting to “keep” originals; an agent collecting certificate scans before any real role exists; demands for documents unrelated to the claimed check (your Class 10 marksheet rarely matters to a senior lateral hire — you can ask what’s actually being verified).
The real risks — misuse and the originals trap
Two distinct dangers: what copies enable, and what surrendered originals become. Stray copies can be used to:
- build identities — name, DOB and official document images are identity-fraud feedstock;
- manufacture credentials — genuine certificate images get altered into fake ones, and your details can end up on someone else’s CV;
- bait job-scam victims — “registration fees” and fake offers harvested against collected documents are a standing fraud pattern.
The originals trap is worse because it’s face-to-face: an employer or consultancy that physically holds your certificates holds you — leaving the job, declining the offer, or disputing terms suddenly costs your documents. No routine hiring process requires surrendering originals; showing them for verification is the extent of any legitimate need. Treat “we keep your originals” as the red flag it is, whatever the paperwork calls it.
What to share: copies and verification, never originals
Offer the verification route that proves authenticity without surrendering anything.
- Point verifiers to DigiLocker where your documents are on it — a digitally verifiable marksheet answers the authenticity question outright, with nothing to hold and nothing to forge.
- Share attested copies scoped to the ask — the degrees the role claims, not your every certificate since school.
- Show originals; never submit them. Verification happens by inspection — original shown, copy retained. If a process insists on holding originals, ask for the policy in writing and escalate before complying.
- Purpose-mark every copy — e.g. “For [employer], offer verification, [month/year] only” — across each page, clear of the certificate’s own text.
- Stage the disclosure — application needs your CV’s claims; the document check belongs at the offer/BGV stage, when a real process with a named agency exists.
How to share them safely
Portals and named agencies — certificate scans shouldn’t live in recruiters’ personal inboxes.
- Use the employer’s or BGV agency’s official upload channel, not a recruiter’s personal email or WhatsApp.
- Password-protect the PDF set and share the password separately.
- Keep your scans purposeful — one clean, attested, marked set per process, deleted from sent folders after, beats a certificate gallery drifting through your chats.
Masking, safe channels and minimisation work the same way for every document you handle — the steps above are the certificates version of that shared routine.
How to store them, and when to let go
Originals are irreplaceable-grade documents — store them accordingly, and chase the copies after every process. Keep originals together, physically secured, with good scans (and DigiLocker versions where issued) as your working layer — reissuing a lost degree certificate is a slow, painful process.
The copies you’ve shared expire with their purpose: a rejected application, a completed BGV, a lapsed admission. Under the DPDP Act the collector must secure what it holds and erase it once the purpose ends (Section 8) — an agency retaining your certificate scans “for future opportunities” needs your consent for that purpose, which you can decline. Ask what’s held, ask for deletion, and ask for written confirmation.
FAQ
Can an employer keep my original certificates?
No routine hiring process needs to hold originals — verification means inspecting them and retaining copies. An employer or consultancy insisting on keeping originals is creating leverage, not following procedure; get the demand in writing and treat it as a warning about the employer.
How does DigiLocker help with certificate verification?
Many boards and universities issue digitally verifiable marksheets and degrees into DigiLocker. A verifier can confirm authenticity directly from the issued record — no originals handled, no scans to forge, nothing for anyone to keep.
How many certificates should a job application include?
At the application stage, usually none — your CV states the claims. Document verification belongs at the offer or BGV stage, scoped to the qualifications the role actually relies on.
What if I already gave documents to an agent and the job vanished?
The purpose is over, so the erasure duty applies — demand deletion and written confirmation, and if documents were originals, demand them back immediately; withholding them is the point to escalate, loudly.
Should marksheets be shared for a rental or loan?
Rarely — education isn’t what those processes assess. If an unrelated process demands certificates, ask what purpose they serve; “additional ID” is better served by an actual ID document you choose.