Privacy Update
By Martin U. Wissmath and Cameron A. Axford Mar 2024 & NFP Law Update
Published on March 27, 2024
Ontario Privacy Office Investigates Student Complaint about Exam Monitoring SoftwareUniversities are within their lawful rights to use software to monitor students during exams taken with computers, but they should take extra measures to protect student data, according to the provincial privacy commissioner. In its report, published February 28, 2024, the Office of the Information and Privacy Commissioner of Ontario (the “IPC”) addressed a complaint concerning McMaster University’s utilization of exam proctoring software under the Freedom of Information and Protection of Privacy Act (“FIPPA” or the “Act”). This software consists of two components: Respondus LockDown Browser, which restricts users’ computer access, and Respondus Monitor, which scrutinizes audio and video feeds of students during exams to screen for potential cheating. The IPC initiated an investigation to examine McMaster University’s use of this proctoring software. The complainant requested anonymity without the IPC disclosing their identity and complaint to the university. Charities and not-for-profits are not subject to FIPPA, however, this complaint highlights the importance of taking precautions to protect personal information when using software, and ensure that a best-practice standard is maintained to avoid potential liability with regard to privacy laws. The IPC investigation found that McMaster University’s administration of exams and appointment of examiners fall within its lawful authority. Online proctoring to maintain exam integrity is deemed an appropriate measure for certain exam types, thus also lawful. Regarding the necessity of personal data collection through Respondus software, the IPC found that Respondus LockDown Browser collects only minimal personal data essential for its functionality. However, Respondus Monitor gathers more sensitive personal information, including biometric data, utilizing AI technology, which raises significant privacy concerns. Despite this, the collection of personal information by Respondus Monitor on behalf of the university is deemed necessary for effective exam proctoring, thus authorized under subsection 38(2) of the Act. Nonetheless, the university falls short in providing adequate notice of personal data collection as mandated by subsection 39(2) of the Act. Furthermore, the use of students’ personal information via Respondus Monitor does not align with subsection 41(1) of the Act. Additionally, the existing contractual arrangement between the university and Respondus fails to fully safeguard collected personal data and permits Respondus to utilize such data for system enhancement without students' consent, contravening subsection 41(1) of the Act. Consequently, the IPC proposed a series of recommendations to bring the university into compliance with the Act. The university was advised to consolidate its notice of collection of personal information related to Respondus Monitor in a clear, comprehensive statement for student accessibility. It should obtain written assurances from Respondus to cease certain data practices and prompt notification of compelled disclosures. Contractual requirements with Respondus should include regular data deletion and confirmation, alongside thorough testing for software removal. Given the heightened risks associated with AI technologies, the IPC further advised that the university implement additional safeguards concerning the use of Respondus Monitor, including algorithmic impact assessments, student consultation, opt-out options, easier flag challenges, and scrutiny of data sources. Prohibitions on unauthorized data use and ongoing monitoring for biases were also recommended. These enhanced protections should be integrated into the university's ongoing utilization of the software and any future agreements with Respondus, according to the Report. |