Data Protection and Proctoring Best Practice

When conducting remote proctoring, it is important to balance security and data protection considerations.

Security is important because if people cheat at a test, the results are not valid or trustworthy, and this impacts all test takers and the whole test program.

However, test takers have a right for their privacy and data protection to be respected, and there are data protection laws that need to be followed.

This page contains some high-level general good practice information and resources for those using Questionmark remote proctoring on how to respect test taker privacy and comply with data protection legislation.

General principles

  1. Be open and transparent with test-takers. Share in advance why you are doing proctoring, what information you capture, how long you keep it and what you do with it.
  2. Adopt a policy on how to respond to requests from test takers, for example if they want a copy of their personal data or if they want to delete it.
  3. Adopt good security practices. Questionmark itself adopts security practices in line with our independent third-party audited ISO 27001 certification; make sure that your organization also protects its access to confidential data (e.g. use strong passwords).
  4. Don’t use data collected during proctoring for purposes other than test review and integrity.
  5. If you record video as part of your proctoring, set a retention period for the video which you can justify based on a fair balance between data protection and security.
  6. If you are testing in Europe, you need a legal basis for conducting the video review and/or recording within the proctoring (and indeed for any personal data processing). European data protection law provides a number of possible legal bases for the processing of personal data, including legitimate interests, necessity for performing a task in the public interest and consent. If you decide to rely on legitimate interests – that it is in your legitimate interests to proctor test takers to reduce test fraud – you should document a formal assessment balancing the advantages to security vs the risks to test takers, and communicate your use of legitimate interest to test takers.
  7. If your use of proctoring is large scale or if you are testing in Europe, you should also consider taking the legitimate interest assessment further and conduct a data protection impact assessment (DPIA). In some cases it can be sensible to do a mini DPIA to see if there is any real risk and only do a full one if there seems to be.

1000s of organizations around the world use remote proctoring successfully and millions of test takers take advantage of the convenience of being able to take a test securely at home and in offices. If you are conducting remote proctoring, it makes sense to follow these data protection guidelines to fairly balance the test program needs against the rights of test takers.

Questionmark good practice resources

Questionmark has produced the following resources which are specifically aimed at organizations using Questionmark proctoring and where the GDPR applies. These are strongly recommended reading if you are conducting proctoring in Europe.

We also have the following more general resources available:

Community good practice resources

Questionmark is active within the testing community in the area of good practice in data protection and assessments. Founder John Kleeman and Group Legal Counsel Jamie Armstrong are both members of the Association of Test Publishers (ATP) International Privacy Subcommittee and recommend the following resources.

Get in touch

Questionmark cannot give legal advice but if you have any questions on data protection and Questionmark assessments, please reach out to privacy@questionmark.com.