Online proctoring
In some situations, sitting a test or an examination in a classroom or at another physical testing location is not possible for pupils or students. Some educational institutions use surveillance software for monitoring pupils and students who sit a test or an examination at home. This is also called online proctoring. The impact of this practice on the privacy of pupils and students is significant. That is why educational institutions have to meet strict requirements if they want to implement online proctoring.
Watching during test or examination
The suppliers of proctoring software offer several options to keep an eye on a pupil or student:
- Watching through the webcam while the test is taken. This allows a teacher or an examiner to see what happens on the computer of the pupil or student.
- Tracking mouse movements and keystrokes. This may take place live or afterwards with the help of recordings.
- Having someone from outside the educational institution watch the images.
- Having the images analysed automatically by an algorithm. This is called automated reviewing.
Court judgment on online proctoring
On 1 June 2021, the Amsterdam Court of Appeal found that the implementation of online proctoring by the University of Amsterdam (UvA) is lawful. But note: this only applies in this specific case. It does not mean that online proctoring can always be applied.
Online proctoring is only permitted if:
- its deployment is necessary for achieving the purpose;
- no more data are processed than necessary for the purpose;
- no alternative form of testing is possible that is less intrusive for the privacy of the pupils or students.
DPIA in the case of online proctoring
Before implementing online proctoring as an educational institution, you have to take sufficient measures to limit the privacy risks. One of these measures is carrying out a data protection impact assessment (DPIA).
Pursuant to the General Data Protection Regulation (GDPR), you are obliged to carry out a DPIA for personal data processing operations that result in a high privacy risk. In the case of online proctoring, there will likely be a high risk.
But whether this applies in your case depends on the purpose for which and the manner in which you want to use online proctoring. You therefore have to assess for yourself if your processing results in a high risk for your pupils or students.
Risk assessment concerning online proctoring
Step 1 is that you check if your processing is on the list of processing operations for which carrying out a DPIA is mandatory. The following types of processing operations on this list may be relevant to online proctoring (depending on your specific situation):
- large-scale and/or systematic monitoring of personal data for combating fraud;
- large-scale and/or systematic use of flexible camera surveillance;
- systematic and comprehensive assessment of personal aspects of natural persons based on automated processing (profiling);
- large-scale processing of personal data, during which behaviour of natural persons is systematically observed or influenced through automated processing or data about this behaviour are collected and/or recorded.
Is your processing not on this list? Then you have to assess whether your processing will nonetheless result in a high privacy risk. You can use the 9 criteria for a DPIA for your assessment. As a rule of thumb, you will have to carry out a DPIA if your processing meets two or more of these criteria.
The following criteria may in particular be relevant in the case of online proctoring:
- assessing people on the basis of personal characteristics (such as behaviour analysis based on an algorithm);
- the large scale of the data processing;
- the vulnerable position of the persons whose data are processed (skewed power relationship between the educational institution and the pupil or student).
Other (fundamental) rights and freedoms
When carrying out a DPIA, also pay attention to risks that touch on (fundamental) rights and freedoms other than merely the right to protection of personal data, such as unjustified exclusion of pupils or students from a test or an examination.
Continuous process
Carrying out a DPIA is a continuous process. Check periodically if your DPIA requires revision, among other things for re-assessing the necessity of online proctoring. If possible, also ask (representatives of) pupils and students for their opinion.
More information
For more information about the DPIA, see section 3.1 of the report Investigation into online (video) calling and online proctoring in education.
Policy or guidelines for online proctoring
An important organisational measure to limit the privacy risks of online proctoring is to draw up a clear policy or clear guidelines. This includes giving clear and simple instructions to your pupils or students.
Include in any case agreements about the following in your policy or guidelines for online proctoring:
- The cases in which you, as an educational institution, can deploy online proctoring.
- The obligation to always consider the options that least invade the privacy of your pupils or students first.
- Documenting the assessment you make when you decide to deploy online proctoring for a specific test or a specific examination.
- With which means and in which manner the personal data of pupils or students are processed.
- The identification of pupils or students during digital tests. Note: you are not allowed to have the pupil or student show a full (not blocked) identity document.
- Human intervention in the assessment of whether a student may be committing fraud during a test or an examination is mandatory. You are therefore not allowed to have this assessed fully by an algorithm.
For more information about frameworks and guidelines, see section 3.2 of the report Investigation into online (video) calling and online proctoring in education.
Informing pupils and students
Your pupils or students and/or their parents are entitled to information about the processing of their personal data or those of their child. This is also true in the case of online proctoring. That is why you should inform them actively prior to a digital test or a digital examination.
When doing so, you have to pay attention not only to the contents of the information, but also to the form in which you provide that information. The information must be understandable and easily accessible for pupils or students.
You may not, for example, expect your pupils or students to understand legal jargon or read long privacy statements. Especially not if they are under age.
Tip: Visualise the information by means of an infographic. Or have teachers provide an oral explanation before a test or an examination starts.
Which information?
You are obliged to provide information about, among other things:
- which personal data you process;
- for which specific purpose you do this;
- what the legal basis for processing is;
- whether you share the personal data with third parties.
Pay special attention to:
- the right to object;
- fraud detection.
Right to object
Let your pupils or students know that they have the right to object to online proctoring. Does a pupil or student object and are you unable to demonstrate that your interests outweigh the interests of the pupil or student? Then you have to offer a suitable alternative. This alternative may not have any negative consequences, such as a disproportionate delay in studies.
Fraud detection
Do you deploy online proctoring based on automated reviewing, during which the video images and other data are automatically assessed using an algorithm that detects signals which may be an indication of fraud?
Then inform your pupils or students about the way in which fraud is detected. You do not have to provide all information about the functioning of the algorithm, but explain the main points about which behaviour is targeted by the software.
More information
For more information about your obligation to provide information, see section 3.3 of the report Investigation into online (video) calling and online proctoring in education.