The push for Digitisation in Education.
APAAR (Automated Permanent Academic Account Registry) is a student identification system designed by the central government for all students in India and is an integral part of its National Education Policy (NEP), 2020, and its vision of “One Nation, One Student ID”. The program was launched on 13 February 2024. A 12-digit unique identifier is assigned to students, and it is envisaged as a complete lifelong record for academic achievement and progression from the moment a student is enrolled in the education system. The registry is designed to track students' academic progress, storing records such as grades, certificates, and co-curricular achievements in a digital repository. It not only applies to schools but also includes vocational training courses and higher education institutes (HEIs), along with other participating entities in the Ed-tech market.
The system is designed to function as a digital record and also facilitate admission into higher education institutions like colleges and universities. APAAR is also slated to complement recruiters and allow students to access internships, employment, and upskilling opportunities.
To understand APAAR better, it is important to introduce related technological measures it is linked to, such as the Academic Bank of Credits (ABC) and UDISE/UDISE+, which together form key platforms to administer NEP 2020. ABC is a digital repository that stores, validates, and facilitates the transfer of academic credits earned by students across various institutions.
UDISE+ (Unified District Information System for Education Plus) is a data collection system by the Ministry of Education (MoE) designed to manage and monitor school education in India. It collects data from recognized schools imparting formal education from Pre-primary to XII and has access to detailed information from over 1.5 million schools, 9.5 million teachers, and 260 million students.
APAAR integrates the functionalities of DigiLocker and the ABC to collect and store academic records, credentials, and other educational information provided by users or authorized institutions. Aadhar integration allows for academic verification with educational institutions and employers through e-KYC in accordance with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits, and Services) Act of 2016. When using APAAR, student data may be shared with authorized third parties for verification purposes, and their data may be handled according to the privacy policies of the integrated services and institutions.
Flawed enrolment methodology – Parents and students face coercion and deception
The government has clarified in its response to parliamentary questions as well as its reply to SFLC.in's RTI, APAAR ID is voluntary and that all APAAR student enrolments are done so after collecting consent from parents. In fact, the APAAR website highlights a parent-teacher meeting(PTMs) as a crucial step for creating awareness and sensitising them towards the initiative so as to collect free and informed consent.
Unfortunately, there is a wide gulf between intention and practice. Parents revealed that PTMs on APAAR are not being conducted uniformly across the board and they had no idea about the purpose of APAAR and the data collected under it despite having given consent for it. Despite its voluntary nature, schools are pressurised to achieve 100% enrolment which in turn is passed on to students and parents.
Parental consent is obtained through a form which has been criticised by teachers and parents alike for the lack of an option to withhold consent. Teachers have also protested the additional burden on them to log APAAR data and question the need to collect individual Aadhaar IDs of students when they already have to record it as part of UDISE+.
A personal interview with college students in Kerala revealed that even adult students were not spared the arm-twisting tactics. These students were told by faculty to mandatorily link their college ID with APAAR ID, of which the latter is linked to the Academic Bank of Credits (ABC ID) by default. They were told that APAAR is the new system to collect exam results through Digilocker, failure to link the IDs would lead to results being withheld. Strangely enough, these students later received results through the conventional route, questioning the need for APAAR linkage and the pressure for consent in the first place.
It is pertinent to highlight a personal instance where my ABC ID data was used to create an APAAR ID without obtaining meaningful consent. ABC ID was operationalised in 2021 [through the UGC (Establishment and Operation of Academic Bank of Credits in Higher Education) Regulations, 2021] , 2 years before APAAR, and I chose to make an ABC ID as an undergraduate student during the same year. Consent was given exclusively for making the ABC ID for its limited purpose of storing and transferring academic credits.
While writing this article, it was discovered that APAAR had become clubbed under ABC and an APAAR ID had been created for me in DigiLocker without any notification of changes that took place with the scheme. By any stretch, one could reasonably be expected to provide consent only for the ABC scheme at the time, yet somehow this consent was also used for the entirely different purpose of creating an APAAR ID. So, the question arises what regard does the government show to an individual’s discretion to give free and informed consent?
Legal backing – DPDPA compliance?
Considering the significant operational inconsistencies discussed above, it would be natural to look for answers and accountability in the legal policy or statutory guidelines from which APAAR originates; however, the alarming truth is that this massive student data collection apparatus which the Central Government has designed has no legal backing and is against Indian privacy jurisprudence laid down by the Supreme Court in K.S Puttaswamy (2017) judgement. The judgement held that privacy is a fundamental right under Article 21 of the Constitution and any invasion of privacy, including collection and processing of personal data must fulfil the threefold requirements of legality(existence of a law), legitimacy, and proportionality. It also held that education is a fundamental right and neither a benefit nor a service and that Aadhaar cannot be a requirement to receive education.
Through APAAR, the government is effectively bypassing the Supreme Court’s verdict and makes Aadhaar mandatory to sign up. The Digital Personal Data Protection Act, although enacted, is yet to be brought in force so there is no effective law that governs data collection under APAAR. Despite this, the government boasts a figure of 31.56 crore APAAR registrations on its website.
Under the Digital Personal Data Protection Act (DPDPA), the government has significant leeway to process citizens' personal data without explicit consent through "certain legitimate uses" provisions under section 7. Section 7(b) allows “the state and its instrumentalities” to use personal data for providing services like subsidies, benefits, licenses, or permits under two conditions: either you have previously consented to similar data processing by the state and its instrumentalities, or your data already exists in databases operated by these entities that have been officially notified by the Central Government.
This creates a legal framework that essentially enables the government to link Aadhaar with other systems like APAAR/ABC ID without requiring consent from citizens. If you have previously allowed your Aadhaar data to be used for any government service, or if your information already exists in digitized or offline government records which are then subsequently digitized, authorities can potentially repurpose this data for initiatives like APAAR and share the data to other governmental entities without seeking additional permission.
As long as such a vacuum exists where the state can process data without consent, the consent forms are a meaningless formality to give APAAR’s operation a colour of fairness. The process is fundamentally flawed. It lacks verifiability of consent, the option to withhold consent initially, and the ability to easily revoke it at a later stage.
Section 17(4) of the DPDPA exempts state and its instrumentalities from several critical data principal rights. Government bodies are not obligated to correct, complete, or update your personal data when requested. They do not have to erase your data upon request, nor are they required to delete your information when you revoke consent, nor when it is reasonable to assume the specified purpose for data processing is no longer being served .
APAAR’s privacy policy is also silent on data principals’ rights for erasure and policy for inter-department data transfers. The contact details for the grievance officer are left blank, providing no clarity on whom to approach or the procedure for requesting withdrawal of consent, deletion or correction of data, and submitting grievances.
Clause 2 of APAAR’s privacy policy states that personal data may be processed for Account Management, Communication Purposes, and for Aggregation of Data. It further states that “aggregated and anonymized data may be employed for research, statistical analysis, and the enhancement of educational services”.
Alarmingly, Data fiduciaries are also exempt from provisions of the DPDPA according to Section 17(2)(b) if the processing of personal data is “necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.”
These grounds and use cases are extremely vague. Function creep, i.e. the diversion of collected data for functions not originally intended, and the widening of the scope of data collected are more than likely without comprehensive purpose limitation, data minimisation, and storage limitation principles being baked into law.
Once Aadhaar and aggregate data linked to APAAR is in the government’s systems, you have limited control over its accuracy, continued storage, end use, or ability to withdraw it. A permanent digital record is created with virtually no mechanism for control, leaving students powerless to intervene in or exercise any meaningful autonomy over their own data.
Conclusion
APAAR reflects a shift in thinking of students as data points and assets to be managed rather than learners and fully capable persons with agency. Students should be allowed the space to learn, experiment, make mistakes, overcome challenges and redeem themselves. APAAR’s pervasive logging of academic data contradicts this conventional understanding of student lives.
Unfortunately, APAAR presents the dark possibility of making second chances obsolete. Every mistake or underachievement could be highlighted as a data point, judged, and stored indefinitely for use by entities with access to APAAR. The permanence could disproportionately impact an individual’s higher education and career trajectories.
Cybersecurity lapses in previous government EdTech initiatives like DIKSHA (Digital Infrastructure for Knowledge Sharing app) serve as a warning. A centralised repository like APAAR is a tempting target for threat actors and presents the risk of severe data breaches, de-anonymisation and re-identification of students.
Accountability and transparency are not just ethical imperatives; they represent the most efficient path forward. APAAR requires a strong legal foundation and a thorough assessment of whether its objectives can be better achieved through a streamlined and targeted approach that limits data collection to what is absolutely necessary, with measures that preserve student privacy and data autonomy.
