Posted by John Kleeman, Founder & Executive Director

Remote/online proctoring is currently having a surge in use due to global lockdowns, with lots of people needing to take tests from home.  As well as my main role at Questionmark, I’m also Co-Chair of the Association of Test Publishers (the industry body on testing, International Privacy Subcommittee, and I recently answered a question on a privacy mailing list about the privacy of remote proctoring. To help the wider community, I thought I’d share my answer in this blog post. The opinions in this post are my own and not endorsed by the Association of Test Publishers.

The questioner was asking for opinions on remote proctoring. They wondered whether when someone is taking a test at home, it’s reasonable to do things such as mouse movements, live camera and voice, video recording, voice recording, screen recording, web traffic monitoring etc. And what legal rationale is appropriate for doing it. Here was my response (slightly edited to make sense standalone).

The first thing to say is that it is down to the test sponsor who is usually the data controller to determine its needs, including how important the security of its testing is and the reasonable expectations of its test takers. If you are delivering a quiz to help people learn, then it may well be over intrusive to introduce remote proctoring. But if you are using a test to measure someone’s skills to help give a qualification or to select someone for a role, then it may be important to reduce the risk of cheating or other integrity issues to ensure (for your organization, for society and for other test takers) the integrity of the test.

The second thing to say is that most remote proctoring vendors have a range of different ways in which they can proctor, e.g. what parts of the experience are monitored and recorded. They are the data processor/service provider and take instructions from the test sponsor/data controller. And so you should have a choice on what measures to take. Testing service companies should only process data on instructions of test sponsors – they do not retain or use data except as the test sponsor instructs.

Having said this, remote proctoring has been widely used in scale for many years. It provides the huge benefit (useful in normal times but accentuated hugely in the current pandemic) that test takers can take a test from home and do not need to travel to a test center. It makes it much easier to take a test if you live in a remote location, far from testing centers, and if you have disabilities that make travel hard. It is common for in-person exams to have strong monitoring, and it makes sense to do the same when exams are taken remotely.

If you are doing remote proctoring, here are some key considerations from a privacy perspective:

  1. Follow the principles of purpose limitation and data minimization. Only collect the data you need and do not use it for other purposes.
  2. Enter into a privacy-compliant contract with the remote proctoring supplier that meets data protection needs. Ensure that they are acting as data processor/service provider and process data only on your instructions and delete it when you advise.
  3. Provide good quality, transparent information to test takers in your privacy notice or in other prominent places about what you do with personal data.
  4. Establish a retention policy for how long you retain data and follow it. Note that a one-size-fits-all retention policy won’t work.  If some test takers’ information has been cleared (no irregularities), then there is no reason to keep recordings that do not involve such irregularities.  So, the controller can direct the service provider to delete those records while retaining those that show irregularities and will need to be kept until resolution of the score/challenge.
  5. Put in place good technical and organizational measures to protect proctoring data, including limiting access and encryption. Using providers that are certified or attested by a standard e.g. ISO 27001, ISO 27701 and/or SOC 2 is helpful.
  6. Identify a legal mechanism for the processing of data (particularly if subject to the GDPR). The most common reason is legitimate interest of the test sponsor, in which case you need to document a Legitimate Interests Assessment which sets out the reasons why test security is important, why it is necessary to use video or other monitoring mechanisms and balance these against the rights and interests of test takers.
  7. Ensure that proctors execute confidentiality agreements and are well trained in privacy issues.

I hope this information is helpful to those considering remote proctoring in these difficult times.