John Kleeman MBCS, founder of assessment company Questionmark and a director of the Association of Test Publishers, explains how to balance security and privacy when tests and exams are taken at home.

Most UK school exams have been cancelled in 2020 due to COVID-19, but many tests and exams in other areas like IT certification, corporate testing and university exams have carried on at home.

What’s changed?

If you take an exam at home, instead of travelling to a test centre or exam room, you use a personal computer with an online proctor (invigilator) observing you via webcam video. The proctor watches whilst you take the test, to check you are the person you claim to be and that you are taking the exam fairly, without help.

Online proctoring has been used for several years prior to COVID-19, but it got a strong boost during lockdown. You benefit by not having to travel and being able to take a test when convenient for you, but you have to accept a stranger viewing you by video in your home (or office).

Is online proctoring secure? And is it a reasonable privacy compromise or an intrusion? And what about GDPR? I’ve worked in assessment software for over 30 years with UK headquartered Questionmark and am the 2021 Chair of the Association of Test Publishers, whose International Privacy Subcommittee write and publish on assessment privacy. Here is a brief summary of the issues:

Why test security matters

Individuals rely on test results to show achievement and merit. Organisations rely on test results to select people for roles and to check competence, including for work that impacts life and limb. Society benefits from good quality assessments to resolve skill challenges and encourage diversity and selection by merit.

But assessment results need to be trustable to be useful. If you cheat at a test, your qualification or certification is invalid. You may not be competent. You may not be safe. And you have crossed an ethical line - what else might you lie or cheat about in the workplace in future?

Test security measures reduce cheating and since we all rely on test results to help make decisions about people, test security matters.

Pakistan International Airlines illustrates this in a sad way. The airline has a poor safety record and in the latest disaster in May 2020, 97 people died in a crash. Initial investigations suggested a cause of pilot error, with the pilots chatting away rather than following protocols. A shocking announcement was then made in June 2020; 260 Pakistani pilots, who lacked technical knowledge to pass aviation exams, had cheated by having others impersonate them. Despite the cheating, they were still given licenses.

Such incidents do not just happen in developing countries, there are many examples of test cheating in the UK. For example, a few years ago, some workers who needed to pass health and safety exams before being allowed onto UK construction sites were found to be cheating in an organised way.

Not all test cheating results in threat to life. But just like in Peter Pan when every time a child says ‘I don’t believe in fairies’, a fairy somewhere dies, every time someone cheats in your test programme, there is a small loss to your programme and to society.

Why test taker privacy matters

So, since test cheating can be so serious, should we put our best technology in place to detect test cheating - biometrics, artificial intelligence and more? Well, maybe.

We also must consider that most test takers are well-intentioned. A good test or exam delves deep into test takers’ psyche and works out what they know. Test sponsors have a moral obligation to respect privacy. You might want to celebrate or make public passing an exam, but you likely don’t if you fail.

The kinds of things test takers worry about are:

  • Will you be videoing my private space?
  • Why should you be able to see where I live?
  • What happens if my child / dog / partner walks in?
  • What happens if you are hacked and my data is leaked?
  • Does the test put spyware on my computer?
  • How long will you keep my personal data?
  • Do you take a copy of my passport / government ID; what happens to that?
  • What are you doing to my biometric data?

Testing is ultimately a partnership between test taker and test sponsor, so you need to take this into account. And then, of course, there is GDPR.

What GDPR says about online proctoring

GDPR doesn’t cover specific rules on tests and exams, nor directly the use of video, but it does have strong rules on personal data. The European Data Protection Board (EDPB) issued some guidance on the use of video in January 2020. These were very wide-ranging and focused mostly on shops, banks and other public use of video, but they required careful justification of use and retention of video for all situations. They also reminded organisations that any use of biometrics with video (e.g. facial recognition) counts as special data under GPDR.

To guide the testing industry on use of video in testing, including in online proctoring, I recently collaborated with other privacy experts within the Association of Test Publishers to produce guidance for organisations looking to use online proctoring. Here are some of our key recommendations:

  1. Identify and document a lawful basis for conducting online proctoring. Since consent has several weaknesses, the best approach is usually the legitimate interest of the test sponsor. Test sponsors have a genuine need for test security, and you can use this to justify online proctoring. You should do so in a written Legitimate Interest Assessment, and may wish to consider a more formal Data Protection Impact Assessment.
  2. Use proctoring data only for the purposes of test security and ensure all of your suppliers are acting under your instructions and do not use the data for their own purposes.
  3. Retain video recordings of tests only for as long as is needed to ensure test security. Keep them secure (think ISO 27001).
  4. Be transparent and open with test takers and be ready to deal with their GDPR requests.
  5. For the most part, you cannot safely use biometrics or facial recognition when testing in the UK or Europe as the GDPR makes this impractical. There are some legal approaches (e.g. genuine, optional consent) but if you’re doing this, get some advice.

If you are interested in learning more, see the resources, below.

What have the courts said?

Clearly, test security and test taker privacy rights are critically important and you need to balance the two. Often in such situations of flux, the courts can be a useful arbiter to set the tone for society.

There has been one such court case in June 2020 in the Netherlands. Because of COVID-19, the University of Amsterdam moved exams from campus to online proctoring at home. Students claimed this was over-intrusive, unreasonable for instructors to see their homes and contrary to GDPR.

The court assessed the claim and decided that in the circumstances of the case, online proctoring was legitimate and aligned with GDPR. A key reason for the ruling was that the University had conducted a thorough privacy evaluation and put in place strong measures to protect student privacy and access to recordings.

The balance will no doubt be tested again, but at least for the moment, online proctoring provides a way of conducting tests and exams at home, which meets the balance between security and privacy.

About the author

John Kleeman is Founder and Executive Director of Questionmark. He has over 30 years of experience in the assessment industry and is a director of the Association of Test Publishers (ATP). He is lead author of the ATP’s Privacy Guidance When Using Video In The Testing Industry. He writes regularly for the Questionmark blog and has written articles for many publications including recently in Training Journal and HR Daily Advisor.

Where to find out more

More information is available at: