Testing and distance learning: yes to proctoring, no to processing biometric data

Legitimate supervision with proctoring systems (programmes that allow the identification of each individual participating in the course or taking the test) in the context of the conduct ofdistance tests and courses, always following the adoption of technical and organisational measures that ensure the compliance of processing with data protection regulations. As set out in EU Regulation 2016/679, if the systems used are provided by third parties, it will be necessary to give the controller the necessary instructions, ensuring that functions without a legal basis, for example, are disabled. Instead, solutions that merely inhibit specific functionalities, such as the opening of windows other than the one in which the test or course is taking place, without keeping track of the operations performed, should be preferred. This is reiterated by the Privacy Guarantor in a number of Faqs concerning supervision systems for the regularity of examinations and distance courses.

Depending on the individual contexts of reference, it will be possible to assess the need torecord video and audio of the examination, also by filming the person's face but without the extraction of biometric data. An appropriate period of retention of the recording itself will then have to be identified, as set out in the Regulation, also in view of the time limits for challenging the outcome of the test or the failure to recognise attendance at the course. The systems, however, may not entail excessive interference in the sphere of the person concerned, nor invasive monitoring of his activities that would constitute disproportionate processing with respect to the public interest pursued, as the chairman of the Garante had established in his Memoir of 27 April 2021 before two Senate committees.

The biometric dataof those taking part in courses and examinations cannot be processed, however, since an appropriate legal basis and protection of the persons concerned is provided for their processing, as the regulation emphasises. Forbidden therefore, in the absence of a specific legal basis, are technologies that enable the identification of participants and the detection of abnormal events. The use of systems that process students' behaviour during the examination, such as body movements or operations performed on the keyboard, is also prohibited according to the profilation Rules. In fact, the use of algorithms that generate new and additional information to that directly provided by the person concerned is not permitted, unless there is an appropriate legal basis. On the other hand, the use of suppliers of supervisory systems established outside the European Union is permitted, provided that the conditions laid down in data protection legislation are met. As regards the impact assessment, on the other hand, as the regulation makes clear, it is only necessary in the case of the use of proctoring systems and, if a high risk emerges that cannot be mitigated with appropriate measures, the owner is required to consult the supervisory authority beforehand.

In any case, specific information must be provided to students and users of distance learning courses, the regulations specify. Finally, during the conduct of distance examinations, specific security measures must be adopted to mitigate the risk, such as the traceability of access or the adoption of authentication procedures, according to the Regulations. In fact, the IT tools used for remote lectures and examinations by universities, higher education institutions and other authorised bodies must be configured in such a way as to minimise the personal data to be processed, the time of storage, if any, and to avoid unnecessary processing.