An unstoppable force versus an immovable object?
This article is written by Questionmark Founder, John Kleeman, in collaboration with Jamie Armstrong, Learnosity and Questionmark in-house counsel and privacy lead.
What happens when privacy and security clash in testing? Usually, they go hand in hand, but not always, and it’s this grey area that can cause headaches for many organizations.
The critical question is: how do you ensure test security without breaking privacy rules?
Recently, Jamie Armstrong, Learnosity and Questionmark general counsel, and I gave a short session at the Conference on Test Security on this subject. We considered a few scenarios where privacy and security conflict and gave some suggestions on how to resolve them.
In this blog, I will share three of these scenarios and what our suggested resolution was. We focused particularly on the GDPR and CCPA/CPRA aspects of security and privacy in relation to adult test takers. While this article contains useful opinions and suggestions, it should not be treated as advice of a legal or other nature.*
3 privacy and security scenarios
If you catch someone cheating at a test, and as a result, they demand you delete all their personal information under privacy legislation, do you have to delete it?
There is a risk that you might find a test taker cheating, but they demand that you delete all their personal information. If you do delete it, you cannot take action about the cheating, nor even perhaps record who they are to prevent future cheating. Is this a real issue?
Usually, no.
It is true that privacy principles and laws like GDPR do allow people to request that you delete personal information, but the good news is that privacy laws also seek to protect against fraud. Test takers have a right to make a request for their data to be deleted, but you can, if appropriate, refuse that request.
Laws vary. In California which sets the tone for most US laws, the CCPA/CPRA has a specific exception to deletion where you need to keep data to detect security incidents or protect against fraud. In Europe, under GDPR rules, it depends on the legal basis under which you are processing test taker data.
If the legal basis under GDPR is consent of the data subject, then you will need to delete their personal data, unless legal claims are involved. But it’s usually sensible to ensure that you can process test taker data under the legal basis of your legitimate interest as a test sponsor. In such a case, you need to document carefully your interests in a formal document called a Legitimate Interests Assessment (LIA). In a LIA, you can balance a test taker request for deletion against your interests. If you can make the case fairly that your interest in refusing the deletion request is to prevent test fraud, counterbalancing the request to delete, you can refuse to delete the data.
One of your customers claims that under privacy legislation they are allowed to audit your systems to check your security. Do you have to comply?
Maybe.
Organizations have an obligation to choose good suppliers and regulators expect organizations to check their suppliers. Both the GDPR and the CPRA have language around audit.
But in practice, most audit rights are dealt with under contract, and often dealt with by a commitment to share audit reports (e.g. SOC 2 or ISO 27001). Or sometimes there is a commercial charge to do an audit. Try and ask Microsoft or Google to audit their data centers and you will not be successful – they will tell you that their audit reports are good enough!
However, for those of us who are smaller than Microsoft or Google, if a reputable customer asks to audit you, it’s likely best to comply. Customers have a genuine interest in making sure that you as a supplier are secure. All decent security teams are very busy, and they will likely use your and their time wisely. Audits help improve security by allowing a third-party expert to probe and review what you are doing. Over the years, Questionmark has had many audits and reviews from our customers, and they’ve usually helped us improve our security.
If AI indicates a high probability of cheating, can you stop the exam without a human review?
The promise of AI is that it might be able to detect cheating and allow you to stop the exam, and so, for example, prevent a fraudulent test taker from stealing test content.
It may not violate any specific laws to do this in some places but given the current state of development of AI techniques and risks of bias and false positives, it is at best highly risky and in reality, likely unwise to do this regardless of where you are and particularly in the context of high-stakes exams.
In Europe, GDPR includes a general prohibition on subjecting individuals to decisions that are based solely on automated data processing, and which produce legal or similarly significant effects. Depending on the context of the exam and the rules set, stopping the exam could have such effects. Even when automated decision making is allowed, for example, based on the test taker providing valid consent, you still have an obligation to
safeguard the rights of the test taker, including the right to obtain human intervention
If you do decide to let AI stop an exam, you need to accept that there is some risk. You should clearly define the rules in advance, and these rules should be clearly communicated to test takers before the exam date. You should also have measures in place to check the AI for bias and to allow a human appeal.
However, the reality is that AI techniques to detect cheating are for the most part not yet reliable enough to do so fairly without human review. If you are using AI and need to prevent cheating, it should be reasonable to temporarily pause the exam to allow for human review of the AI-generated flag. That said, stopping the exam permanently based solely on AI is likely to generate some instances of people being stopped unfairly and may open you up to accusations of bias.
Privacy and security: The bottom line
But what about the general issue? Although privacy and security often have a shared objective, they can sometimes conflict.
It’s worth remembering that you can have security without privacy, but not privacy without security. Something that is not secure is going to automatically fail privacy requirements. So security is critical to privacy.
However, there isn’t a binary choice between security and privacy. In the event of conflicts, you need to do context-specific analysis and take a reasonable and defensible approach. Ultimately privacy and security programs need to work hand in hand to keep test taker data safe.
For more information on test fraud, why not take a look at our test fraud resources. For other questions about how online assessments can transform your business, why not talk to us, we’d love to hear from you.
*Disclaimer: this article is written by Questionmark in good faith, but we can’t warrant that following these actions will necessarily stop test fraud or mitigate privacy concerns.