Online proctoring and GDPR: a guide for a compliant implementation

How should you build your case for compliant implementation of online proctoring in your institution?
The Covid-19 pandemic has led most Higher Education Institutions to deploy digital solutions in order to maintain educational continuity. At the same time, institutions have had to address data privacy concerns raised by some of their students or candidates, who worry about what lies behind the practice of online proctoring. Read the article below to help your institution navigate these challenges, prepare for the upcoming year and ensure your data processing activities are handled appropriately.

Online Proctoring and Data Management Compliance Requirements

What does the European Union (EU) law say?
Online proctoring opens new horizons in the educational field by enabling secure remote exams. By nature, it involves personal data processing, which falls under the European General Data Protection Regulation, commonly referred to as the GDPR.

This regulation, which went into effect in 2018, aims to protect personal data of European Union citizens by setting the rules for organisations processing this type of data.

In short, the GDPR requires data controllers to limit the processing of personal data strictly to what is necessary for a specific purpose. Organisations bear the full burden of demonstrating compliance with these requirements.

Lawful bases: what does it mean for Higher Education Institutions?
The GDPR sets out “lawful bases” for processing personal data; in other words, acceptable circumstances under which organisations can collect and handle this type of information. For data to be processed lawfully, at least one of the following lawful bases must apply, otherwise your organization does not comply with the GDPR:
  • Consent
  • Performance of a contract
  • Legal obligation
  • Protection of vital interests
  • Public interest and exercise of official authority
  • Legitimate interest
As an Institution, it’s your responsibility to designate the appropriate lawful basis that applies and explain why your organisation needs to process personal information.

Which lawful basis applies depends on your purpose for processing data and your relationship with the person it belongs to. A public Higher Education Institution will not necessarily have the same primary lawful basis as a private one, for instance. The latter has a contractual relationship with candidates and might rely on the “contract” lawful basis, which does not apply in the public sector.

According to the French CNIL (the independent supervisory authority that ensures data privacy law is applied), in a context such as the lockdown we have just experienced, consent can hardly be an applicable lawful basis, as it implies freedom of choice. In other words, it would mean guaranteeing a student who refuses to take an online exam that he/she would not suffer any consequence. By contrast, "public interest" could be claimed by both public and private institutions as long as they pursue a mission of public interest.

Guidance for Demonstrating GDPR Compliance

1. Start by documenting your lawful basis
Ensuring you comply with the GDPR should be anticipated before beginning any data processing activity. Your applicable lawful basis should be precisely defined based on your specific use case, and fully documented.

Show how you have carefully considered which lawful basis applies in your specific situation, based on your data processing purpose. Support that decision with arguments and details that explain how the chosen lawful basis applies.

For an example of how to present your argument for the lawful basis, please check out our research note on "A Lawful basis for Online Proctoring".  

2. Conduct a Data Protection Impact Assessment (DPIA)
To comply with the GDPR, a DPIA is required each time you initiate a new project that involves “high-risk data processing activities”, especially when it relies on a new technology. Your DPIA should:
  • Describe the nature, scope, context and purpose of the processing, including data minimisation measures (for example: the delay after which recordings are destroyed, and limiting the scope of processing to only the data required to prevent fraud)
  • Identify, describe and assess the risks of potential impact on candidates, and document risk mitigation measures (such as providing candidates with detailed instructions for secure access to the session, and giving proctoring personnel detailed instructions to ensure video footage is destroyed once exam results are released)

Other evidence can support your assessment, such as a balancing test if you have determined that your processing is necessary for a legitimate interest. This test shows that the candidates’ interests and rights are protected in proportion to the identified risks, for instance by documenting the minimal likelihood of illegitimate data processing and listing the safeguards in place to mitigate negative impacts.

For further guidance, check out the detailed publication on DPIA that resulted from the OP4RE project funded by Erasmus+. It provides guidelines and templates for Higher Education Institutions to build their own DPIA set, based on an assessment conducted on ProctorExam.

GDPR compliance is ProctorExam’s primary concern, in order to ensure fairness and security for our customers and their candidates.
We can help in building the case for your institution, contact us now.