FAQ: Impact of California Privacy Act 2018 on Schools Globally
Each month Heidi-Anne O'Neill, 9ine's in-house Data Protection Solicitor shares a frequently asked question to assist school leaders in solving...
On 29th September 2021, a University in Milan (the University) was subject to an administrative fine of €200,000 under the GDPR by the Italian data protection authority, the Garante. This came shortly after complaints surrounding the proctoring software that the University was using for online exams during distance learning. An injunction was imposed, prohibiting the University from using the software for online examination.
What actually is online proctoring?
Online proctoring software can be used to monitor student behaviours during examination, tracking movement, desktop activity, and internet history whilst the software is in use. It can also use AI algorithmic recommendations to provide teachers with feedback on the students’ learning behaviours. The positive side to using online proctoring software is that staff can ensure that there is no cheating during the exam process. Using the software also ensures that the students are held to a higher academic standard. However, with the positives of using this type of software also come negative impacts and risks to student data.
The issue in this case lies with the fact that students were not sufficiently informed on how their data would be used when they participated in exams whilst using the proctoring software. The university failed to mention the ways in which students and their behaviour would be tracked when using the software. By not informing the students of this, there was risk of a loss of trust between students and the university. This not only led to a violation of GDPR regulations but also violated the rights and freedoms of the students.
How did they violate GDPR requirements?
Under GDPR, one of the rights and freedoms of natural persons is the right to be informed. This means that the data subject should always be given an in-depth understanding of every way that their personal data will be processed by the Controller (the school) and the Processor (in this case, the external vendor providing the proctoring software). The fact that this did not happen invalidated the consent that the students gave when agreeing to the use of the software, thus making the processing of their data non-compliant. The violation of the students’ rights and freedoms under the GDPR, together with the complaints that were received, led to the University facing administrative fines from the authorities.
The consent of the students was not only invalidated by the lack of transparency from the University, but it was also invalidated by an imbalance of power. The University told students that if they did not use the proctoring software during their exams in distance learning, they could not participate in the exam at all. Exam results lay out the future of a student’s education and career. Telling a student that they must use the software, even if they do not agree with the ways in which the external vendor processes their data, creates an imbalance of power between the data subject and the data Controller.
Say the student decided they didn’t want to put their data at risk and ultimately didn’t take the exam. Would the school have any other way of allowing that student to participate and showcase their hard work? Not only this, but if the grade of that exam were detrimental to the student’s future, should they have to put their data at risk knowingly? The answer is no. When a data Controller is asking for consent, there should always be a way in which the data subject can participate in something as crucial as an exam in a way that does not alienate them or allow them to feel as though they are indifferent. In this instance, there would be other ways for the student to participate in the exam without using the proctoring software.
Another right and freedom of natural persons is the right to object, meaning that the University violated two of these rights when using the proctoring software. A data subject’s right to object is not always absolute, but where an alternative option could be made available for those who do not want to have their data processed in the way that a vendor is suggesting, the right to object should be valid.
How could this have been avoided?
The University could have avoided the negative repercussions that it encountered by implementing some simple procedures. Firstly, having sufficient privacy and policy notices in place would have allowed students to understand exactly how their data would be processed whilst using the online proctoring software. It would also be the University’s responsibility to ensure that the external vendor had sufficient privacy notices. If it had done this, the University would have avoided any loss of trust from students, and the administrative fines.
Another way the University could have avoided the unwanted fines would be to implement an alternative way that the students could participate in the examination process. Whether this would be through being invigilated by a person, or another form of examination, it would have eliminated the imbalance of power between the University and the students, thus creating a healthier process of gaining consent.
Finally, by completing a vendor assessment and evaluating the risks associated with the online proctoring software, the school would have been able to make more educated decisions around using the vendor’s services. Documenting why it made the decisions that it did would have brought to light the fact that it was not being as transparent as it should have been. If the University had made an educated decision on why it did not offer an alternative option for students to take the exam, having it documented could have saved the University reputational and financial damage. 9ine’s vendor management tool, in the Privacy Management App, integrates documentation throughout your processes, whilst helping you quantify the risks associated with using these types of software.
If you would like more information on how 9ine can help your school with online proctoring software and vendor assessments, speak to one of our team!