• Home
  • Proctoring
  • Can you have security AND privacy when conducting online proctoring?
  • Can you...

Posted by John Kleeman, Founder

Covid-19 has seen a dash to test people at home. Universities who used to test students on campus are testing them remotely. Companies who used to give face to face training are now training and testing at a distance. And awarding bodies are delivering exams at home, rather than requiring candidates to come into a test center.

For testing organizations, there is an obvious security concern. Will people who take tests at home do so fairly, without getting unauthorized help? Many such tests use online proctoring, where video surveillance is used to monitor test-takers, to encourage integrity. But some test-takers have privacy concerns about this; if proctoring is used, then a stranger will see their private space at home and potentially record a stressful experience of the test-taker answering an exam.

Clearly a balance is needed. Testing organizations should be able to use reasonable measures to ensure test security and validity, but test-taker privacy rights must be respected.

Meanwhile, there has been much legal and regulatory activity in the privacy space in 2020:

  • In the US, the California Consumer Privacy Act (CCPA) has come into effect giving California residents privacy rights. And in Illinois, there have been several court cases arising from the Biometric Information Privacy Act which puts restrictions on using facial recognition and biometrics.
  • In Europe, the European Data Protection Board brought out GDPR video processing guidance in January which sets a high barrier for some uses of video. And the Cyprus, French and Spanish data protection authorities brought out guidance on remote testing in May 2020.
  • And in June, students took the University of Amsterdam to court in the Netherlands claiming that online proctoring wasn’t legal under the GDPR due to privacy concerns. However, the court ruled that the University could continue to use online proctoring and that, if done properly, online proctoring is legal under the GDPR.

I’m Co-Chair of the Association of Test Publisher’s (ATP) International Privacy Subcommittee which contains lawyers and others with expert knowledge of privacy and assessment. We’ve recently published guidelines “Privacy Guidance When Using Video In The Testing Industry”. This covers good practice on using video both in online proctoring and at test centers. I was lead writer on the project, but was supported by several expert contributors. 

We have suggested 10 considerations for test sponsors to put in place when using video to balance between privacy and security. Here is a summary:

  1. Identify a lawful basis for processing video data in testing. Many organizations use their legitimate interest in test security as a rationale for videoing test-takers. It’s useful to write a formal Legitimate Interest Assessment to document this.

  2. Apply purpose limitation and data minimization. Part of this is you should usually only use video data for assessment security purposes.

  3. Retain video data for only the time needed. If you can, don’t record video at all. Many programs do need to record and retain video but if so, justify the retention period carefully.

  4. Maintain the security of video data. ISO 27001 or SOC 2 is useful.

  5. Be transparent and open in communication with test-takers. Make it clear to them that they are being videoed and what the boundaries are. Share information on how video data is used.

  6. Be consistent in responding to test-taker requests. Depending on jurisdiction, you may need to send test-takers copies of video records and consider deleting their records. Define a policy and apply it consistently.

  7. Carefully consider any use of facial recognition or biometrics. If operating in Europe or Illinois, it’s safest not to. If you do use it, get legal advice.

  8. Consider carefully before using automated decision making. Allow automation and AI to flag issues for human review but don’t allow AI to make decisions, e.g. to accuse a test-taker of cheating.

  9. Conduct a Data Privacy Impact Assessment (DPIA or PIA). Not mandatory for all, but useful to protect yourself in the event of regulatory enquiry.

  10. Adopt a written policy relating to video. Helps with consistency and accountability.

If you’re interested in learning more, you can purchase the 50-page ATP guide on their book store at https://www.testpublishers.org/book-store or on Amazon.

The ATP guide applies in all jurisdictions, but the GDPR is the most onerous for test sponsors. In order to help Questionmark customers who are using Questionmark Proctoring and are subject to the GDPR, we’ve prepared some short introductory guidance for Questionmark Proctoring Record & Review and Questionmark Proctoring Online. You can also book a free demo to see how our Platform can meet your needs.

I hope this article helps understanding on privacy and security balancing in online proctoring.