The Danish Data Protection Agency: IT University of Copenhagen has acted correctly in relation to the use of ProctorExam
In the spring 2020 the ITU made use of the programme ProctorExam, which is a monitoring tool used for monitoring written home exams. In connection with this, The Danish Data Protection Agency decided to examine whether the ITU had complied with the Data Protection Regulation rules when using ProctorExam. The Danish Data Protection Agency has now made its decision in this matter and has concluded that the ITU’s processing of personal data and the use of ProctorExam have taken place in accordance with the rules on data protection.
The massive shutdown of society in the spring 2020 as a consequence of the pandemic meant that written tests at campus were transformed into online written test at home. The ITU has a duty to monitor exams in order to prevent cheating. In connection with a single exam the monitoring tool ProctorExam was used in order to monitor students during their exam and avoid cheating. On the basis of a specific inquiry The Danish Data Protection Agency decided, of its own volition, to initiate an examination of the ITU’s processing of personal data by means of the programme ‘ProctorExam.’
In the beginning of 2021 The Danish Data Protection Agency has made a decision in relation to this matter and concluded that the ITU’s processing of personal data and its use of ProctorExam have taken place in accordance with the rules on data protection. The Danish Data Protection Agency thereby considers this matter to be closed.
The Danish Data Protection Agency expects to publish its decision on the agency’s website.
The ITU deemed ProctorExam to be the most suitable one
In connection with the ITU handling the new situation with transformation of written exams at campus, a range of monitoring tools were examined and it was concluded that ‘ProctorExam’ was the most suitable tool to use in relation to safety and data protection.
It was examined thoroughly if the tool was used in accordance with the data protection rules. In order to ensure that the processing of personal data took place in accordance with the rules on data protection, tough demands were placed on safety and data protection when the university entered into the commercial contract and data processor agreement with ProctorExam.
This is how ProctorExam was used
In connection with the use of ProctorExam the students were asked to identify themselves in front of the camera with their student card, driver’s licence or passport. In addition, the tool was used for monitoring and recording the examinee’s possibilities for communicating; this included monitoring of screen content, the question of whether there were other people present in the room plus the use of mobile phones. ITU deemed that it was necessary to avoid cheating in the sense that some students might communicate with other students during the exam.
The students were instructed as to how they could avoid that other information on their computers than what was necessary was processed.
Remarks from The Danish Data Protection Agency
The Danish Data Protection Agency has four remarks for the ITU as to how ProctorExam should be used.
• The ITU should to a larger extent encourage students to take measures to avoid accidental sharing of information, including sensitive personal data.
• The ITU should inform the examinees that registration of search history takes place during exams.
• The ITU should guide the students as to how they can configure their individual browsers for them to be set with data protection in mind.
• Control of authorised members of staff’s access should work on the basis of two-factor authentification.
Camilla Rosengaard, Head of Communication, phone 2555 0447, email email@example.com