Newsletter 4

The anticipated complexity of privacy and data protection is surfacing, as shown in the flow chart below. Any institution wanting to start using online proctoring should consider the concept of Privacy by Design. This flow chart can be of assistance in designing processes and agreements with that goal. So, after identifying opportunities for online proctoring, each institution will have to develop and implement privacy and data protection policies, regardless of any proctoring system being used. The relevant officers need to be identified, and the relevant procedures and agreements should be drawn up and agreed. This Privacy by Design approach needs to be conducted alongside other aspects of online proctoring that are of importance, such as Security, Fraud detection, Fraud regulations etc. So, multiple streams of policies and technical studies need to be executed when an institution wants to start using online proctoring.

Yet again, some general – and relatively easy and obvious – guidelines can already be identified for any kind of online proctoring. We will provide a few examples:

  • When performing an online exam, candidates need to be informed in advance about the nature of the exam, and their consent to use the data is needed. Furthermore, candidates need to be made explicitly aware of what is going to happen with the data (ownership, privacy,…). In some institutions this kind of experiment (with students) needs to be submitted to an ethical commission.
  • When conducting online remote examination, some Privacy Policy arrangements need to be provided, including protocols, procedures and rules of conduct, both for the data owner (institution of higher education) and for the data processor party (the proctoring solution provider). Privacy and security impact assessments need to be performed by institutional Privacy and Security Officers. In addition, processor agreements should be drawn up and agreed upon between the proctor service provider and the institution as data owner. Additionally, processor agreements may also be needed between the test supplier and the data owner.
  • Issues concerning Privacy Regulations when multiple and/or foreign countries are involved should be cleared up as well. For example: which regulations need to be complied with when an institution for higher education in the Netherlands is organizing online proctoring for remote examination of Russian students, and the video data is stored in Germany? How do international regulations (i.e. foreign laws, local laws) and institutional procedures match? Which specific regulations are applicable? These questions matter not least because institutions for HE, as responsible parties, can face large fines if they act illegally or do not comply fully.
