Privacy Update – Privacy Protection

Ontario Privacy Office Investigates Student Complaint about
Exam Monitoring Software

Universities are within their lawful rights to use software to
monitor students during exams taken with computers, but they should
take extra measures to protect student data, according to the
provincial privacy commissioner. In its
report, published February 28, 2024, the Office of the
Information and Privacy Commissioner of Ontario (the
“IPC”) addressed a complaint concerning McMaster
University’s utilization of exam proctoring software under the
Freedom of Information and Protection of Privacy Act
(“FIPPA” or the “Act”). This software
consists of two components: Respondus LockDown Browser, which
restricts users’ computer access, and Respondus Monitor, which
scrutinizes audio and video feeds of students during exams to
screen for potential cheating. The IPC initiated an investigation
to examine McMaster University’s use of this proctoring
software. The complainant requested anonymity without the IPC
disclosing their identity and complaint to the university.
Charities and not-for-profits are not subject to FIPPA,
however, this complaint highlights the importance of taking
precautions to protect personal information when using software,
and ensure that a best-practice standard is maintained to avoid
potential liability with regard to privacy laws.

The IPC investigation found that McMaster University’s
administration of exams and appointment of examiners fall within
its lawful authority. Online proctoring to maintain exam integrity
is deemed an appropriate measure for certain exam types, thus also
lawful. Regarding the necessity of personal data collection through
Respondus software, the IPC found that Respondus LockDown Browser
collects only minimal personal data essential for its
functionality. However, Respondus Monitor gathers more sensitive
personal information, including biometric data, utilizing AI
technology, which raises significant privacy concerns. Despite
this, the collection of personal information by Respondus Monitor
on behalf of the university is deemed necessary for effective exam
proctoring, thus authorized under subsection 38(2) of the Act.

Nonetheless, the university falls short in providing adequate
notice of personal data collection as mandated by subsection 39(2)
of the Act. Furthermore, the use of students’ personal
information via Respondus Monitor does not align with subsection
41(1) of the Act. Additionally, the existing contractual
arrangement between the university and Respondus fails to fully
safeguard collected personal data and permits Respondus to utilize
such data for system enhancement without students’ consent,
contravening subsection 41(1) of the Act.

Consequently, the IPC proposed a series of recommendations to
bring the university into compliance with the Act.

The university was advised to consolidate its notice of
collection of personal information related to Respondus Monitor in
a clear, comprehensive statement for student accessibility. It
should obtain written assurances from Respondus to cease certain
data practices and prompt notification of compelled disclosures.
Contractual requirements with Respondus should include regular data
deletion and confirmation, alongside thorough testing for software
removal. Given the heightened risks associated with AI
technologies, the IPC further advised that the university implement
additional safeguards concerning the use of Respondus Monitor,
including algorithmic impact assessments, student consultation,
opt-out options, easier flag challenges, and scrutiny of data
sources. Prohibitions on unauthorized data use and ongoing
monitoring for biases were also recommended. These enhanced
protections should be integrated into the university’s ongoing
utilization of the software and any future agreements with
Respondus, according to the Report.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from Canada