5 key privacy questions for remote testing organizations

Privacy concerns certainly existed before many organizations turned to online proctoring to support their exams during the global health crisis. Even though privacy has been strengthened by legal developments over the past five years, all participants in the field of testing and assessments - whether running a large-scale global certification program or a smaller in-house test - should think carefully about privacy issues in the design and implementation of their assessment activities. No one size fits all. However, here are five key questions about remote testing that all stakeholders should ask themselves.

1. What data is being collected and for what purpose?

Understanding the nature and extent of the data that is being collected in the assessment process and for what purpose is crucial. Most testing programs require the processing of at least some personal information, so you should check what does and does not comply with the applicable privacy laws. For instance, in some parts of the globe, it is either a legal requirement or recognized good practice to follow the principle of data encryption or data minimization - i.e. only collect personal data that is really needed for your purposes.

At ProctorExam, test organizers will decide whether we gain access to test taker data. In case it is allowed, we only use essential information to proctor their test. They may include limited personal data (name, email address, ID number) to identify candidates for the exam, and their image, audio and screen recording to be able to evaluate whether irregularities occur during the test. From a technical standpoint, we gather information like the browser type, operating system and/or IP address to make our service work on their device.

2.  Do I communicate well enough about data collection?

To ensure that candidates are fairly prepared for their online test, you should provide clear and early information on what data will be collected, why it is needed and what it will be used for. Thus, you should sufficiently inform about data collection. This can be done by providing test participants with a notice when they sign up for the exam or during the system check, and re-providing the same notice on the exam date. We all know that candidates frequently overlook privacy notices, thus it is essential that the information is given on multiple occasions and in prominent fashion. Do not bury it within or at the end of other documentation - instead use a dedicated notice or a pop-up window to avoid the risk that this message is overlooked. 

3. Am I fully aware of test taker rights?

Privacy laws across the world are increasingly framed to avoid trespassing on test taker privacy. Testing organizers need to know that assessment participants have rights that they can enforce against them. Therefore, they should always be prepared to properly respond when those rights are asserted. For example, the EU General Data Protection Regulation (GDPR) includes amongst others, rights to information, rectification, erasure and access. Assessment stakeholders need to be aware of the rights their candidates have, who will be responsible for responding to the assertion of these rights, the timeframe within which a response must be given and what the appropriate response should be in each case.

As an organization, it’s your responsibility to designate the appropriate lawful basis that applies and explain why you need to process personal information. The legal basis for many testing organizers in the EU and EEA to process personal data is Article 6(1)(e) of the GDPR, since processing is required in order to carry out a task in the public interest, or a task within the context of the exercise of public authority entrusted to a controller.

Next to documenting your lawful basis, a Data Protection Impact Assessment (DPIA) is also required each time you initiate a new project which involves high-risk data processing activities, especially when it involves using a new technology. At ProctorExam we always establish a Data Processor Agreement (DPA) with our customers. The agreement regulates which data we can process and how we can do it. Our promise to our customers and end users is that we will never process data in any other way, or for any other purpose than what is agreed in the DPA. For further guidance, check out the detailed publication on DPIA which resulted in the OP4RE project founded by Erasmus+.

4. Is security up to date?

There is no exaggeration in the statement that you can have security without privacy, but you cannot have privacy without security. It is therefore important that organizations that collect and use personal data for assessments are able to provide sufficient security for that data. For example, the GDPR requires “appropriate technical and organizational measures” commensurate with the level of risk involved. There are a number of well-recognized independent security that organizations may use to establish their information security management systems.

At ProctorExam, we always try to take the extra mile and upgrade our security policies. That is how we recently have acquired a Security Verified certificate by the ICT Institute information security team. The structure of Security Verified is similar to ISO 27001, a normative standard that contains mandatory security elements. One difference is that Security Verified has integrated GDPR compliance, since these are legal requirements in the EU.

5. How will my data be shared with third parties?

If you rely on third parties for your assessment program, for example to provide assessment management services or proctoring solutions, you should execute appropriate due diligence to ensure those third parties can be entrusted with the data. Are these organizations well-established in their market, with demonstrated experience in delivering the services you require? Do they understand privacy and can they prove that to you? Will they enter into appropriate contracts that provide for legally defined allocation of obligations and risk? These and others are good questions to ask when evaluating vendors to be entrusted with personal data.

At ProctorExam, we work with a data processing registry that provides insights on which third party software vendors have access to what data. Furthermore, the registry provides insights on where the vendor is located and where the data is stored. For example, ProctorExam uses Amazon Web Services to support the proprietary ProctorExam streaming infrastructure. The servers supporting the infrastructure are based in Frankfurt, Germany. Between ProctorExam and Amazon Web Services, a Data Processing Agreement is in place which provides clear insights on what data is collected, what security measures are taken and lastly that no data is shared with another party.

We hope this information and questions to consider help you and your organization better understand privacy and security, and how you can have both. At ProctorExam, we work to make sure you feel that you can trust us, our software, and our processes. Let us know how we can help you.