Choosing the right online proctoring tool: some timely advice

The global pandemic has turned the conventional classroom into a virtual classroom. Universities’ quick transition to online learning, instruction and assessment has raised myriad concerns and questions for faculty, students and administrators as they navigate this “new normal.”

A key question is how course instructors will administer final examinations this month. Institutions are surveying existing systems and scanning the market for virtual monitoring tools to emulate invigilated examinations. This article will help you identify what you need to consider when selecting a tool to serve as a virtual proctor.

Diligence: consult with in-house advisors

As a first step, be sure to consult your privacy officer and/or counsel. Effective diligence requires a legal and privacy review of the software and the supplier terms and conditions (often found in a complex set of documents, including the supplier agreement, policies referenced in the agreement, and terms of use for end users). This review will help assess privacy implications and ensure compliance with privacy legislation. Your stakeholders are sensitive to privacy issues and will expect you to have answers about the use of their personal information and protection of their privacy.

Second, your privacy advisors will assess what the university needs to do internally with notices and consents. Privacy law generally requires that individuals understand what is being disclosed and consent to the use of their personal information (including images captured in video and audio recordings) for the envisaged purpose. For example, under Ontario’s privacy legislation, an institution cannot use personal information that is in its custody or under its control unless it has appropriate notices and consents in place.

Third, advisors offer invaluable risk-mitigation strategies for implementation and these can be incorporated into supplier agreements. For instance, supplier agreements have provisions that allow them to keep information for different periods. Your institution can and should seek to reduce the supplier’s records retention period to the statutory minimum, request copies of its annual security audit reports, and develop a set of internal procedures restricting access to authorized personnel who may only view recordings that are flagged by the software as depicting an agreed-upon level of “abnormal activity.”

Evaluation: hallmarks of a balanced virtual proctoring tool

What are the hallmarks of a balanced virtual proctoring tool? What represents a balanced solution that detects potential dishonesty and violations of academic integrity while minimally interfering with the students’ privacy? Here’s a non-exhaustive list of must-haves:

1. Compliance with the law. The supplier must explicitly agree to comply with applicable privacy laws regarding the collection, use, processing, storage, disclosure and retention of personal information.
2. Robust administrative, physical and technical safeguards. The terms of use should explicitly describe the ways in which personal information is secured against unauthorized access, use and disclosure. Robust safeguards include but are not limited to: data security policies, firewalls, industry standard SSL or TLS encryption, virus and intrusion detection, authentication protocols, third-party penetration testing, security audits and training.
3. Retention and destruction of data. The retention of personal information should be limited to the shortest duration possible so as to comply with statutory requirements and/or to satisfy clients’ needs.
4. Permissible uses of the data. Personal information that is collected by the supplier should be used for the limited purposes of: (i) that for which the end user has granted permission; (ii) that which is necessary to deliver, update and improve the services; and (iii) that which is required by applicable law. Wherever possible, statistical or aggregate information collected about the use of the services should not be linked to identifiable personal information.
5. Disclosure to third-party companies. Third parties should be prohibited from accessing or using personal information with limited exceptions. Exceptions should only be made for third parties who are explicitly identified and authorized by the end user. These parties should agree in a contract to maintain the recordings in confidence and under terms at least as strict as the terms of the supplier’s policies and agreements. Recordings should be stripped of, and not contain, any personally identifiable information, and should only be used for the sole purpose of delivery or enhancing the services.
6. Security breach reporting. The privacy policy should outline the supplier’s incident response management plan for reporting, responding to and containing breaches or suspected breaches where personally identifiable information may have been compromised.
7. Indemnity for security breaches. Ideally, although infrequent, a supplier will provide a full indemnity to the institution and/or the end user for all security breaches resulting in a breach of personal information. Typically, liability for security breaches is fixed at a nominal amount of damages and is predicated on a finding of negligence or willful misconduct on the part of the software company. Institutions should seek to enshrine the supplier’s commitment to cooperate with the institution in the event of a security breach.
8. Residency of the data. If you are located in a jurisdiction that requires personal information to remain in Canada, the software must be capable of satisfying this statutory requirement. Otherwise, selecting a supplier who operates in Canada, processes data in Canada and stores data on servers located in Canada is a “good to have” feature as it reduces exposure in the event of a security breach.

Implementation: educate and plan for resistance

As we all know, people struggle with change. In these unprecedented times, where change is the only constant, you can expect students to be vocal about and interested in the protection of their privacy. Faculty too, may have concerns. Expect that the technology will not be embraced by everyone. In our experience (and perhaps oddly in this social media age), the resistance appears to stem from the captured images. “Who can see my image and for what purpose?”, “How long is the recording stored?”, “Can third party companies use my information?”, “What happens in the event of a security breach?” are among the questions raised. Students correctly observe that virtual monitoring is different than in-person monitoring: the recordings persist over time, can be replayed and viewed by any number of individuals, are stored in the cloud and susceptible to security breaches, and will capture private information from inside one’s abode and potentially the images of other third-party occupants, none of which would be observed by a proctor in a traditional in-person exam setting.

Anticipating student concerns is helpful insofar as it allows you to proactively address some of the anticipated challenges. Consider an implementation plan that is supported by: (i) an FAQ that summarizes relevant legal terms in plain language and preemptively responds to student queries; (ii) guidelines that restrict internal use of recordings as much as possible; (iii) a designated faculty or staff member who triages all student-related concerns; and (iv) a consideration of options for students who refuse to use the software or whose device is not equipped with a functioning camera and microphone.

A compromise for exigent times

There is no perfect, ironclad technology that dispenses with all risk. The university must determine whether the privacy risk is reasonably mitigated by contractual, administrative, physical and technical safeguards employed by the supplier and must help its stakeholders understand and become comfortable with the risk.