Online evaluation procedures and data protection: the collection and recording of images in Spain, by Mónica Arenas Ramiro, Ricard Martínez Martinez

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives », which consists of a daily publication at 12 p.m. (GMT+1), except on Sundays, until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer, and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder-Editor of Blogdroiteuropeen. If you are interested in contributing to our September session feel free to contact us at

We have all taken an examination at one time or another. In the real world, it is a simple operation. However, its transfer to a virtual environment is challenging. Leaving aside proctoring and facial recognition which, due to their complexity, deserve a separate discussion, this paper focuses on the collection and recording of images during examinations.

The lack of adequate legislation for online teaching and examinations and the many dispersed academic regulations adopted by Autonomous Communities and Universities create legal uncertainty. In fact, most universities were presence-based institutions without experience in online examinations. Urgent measures are needed in view of the risks of a resurgence of Covid-19 in the academic year 2020-2021. Indeed, universities face serious risks of fraud in physical and virtual exams through the use of sophisticated electronic means. National data protection authorities should be able to understand both the nature and purpose of the processing and the risks associated with fraud: they should provide useful criteria for fighting against fraud and preserving privacy, criteria that can be effectively implemented on the ground. Universities are strongly committed to guaranteeing fundamental rights. But they will not be able to carry out part of their work without adequate legislation. Society needs to be confident that universities accredit students’ achievements obtained without fraud. In achieving this objective, an appropriate balance must be ensured between the guarantee of privacy and an essential public interest in safeguarding the evaluation procedures (for insights into the complexity of the current university guidelines, click here and here).

1. Online Examination Scenarios

The regulatory impact study of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), in the university area requires the definition of the modalities of examination and the context or channel in which they are carried out and in which personal data are processed.

The Spanish University has had to face the need to define scenarios with the types of evaluation that could be carried out by the Universities without previous experience or regulation (see CRUE. Report on Remote Assessment Procedures. Impact Study and Recommendations on the Implementation of Remote Assessment Procedures in Spanish Universities [Accessed: June 21, 2020]). In addition, three channels were identified for carrying out evaluation: the virtual classroom, videoconference and the working environment in the cloud. Moreover, the data processing operations common to those scenarios, and subject to the GDPR, were identified:

  1. Identification of the persons evaluated and the examiners.
  2. Administrative and academic management of the exams.
  3. Controls on the normal development of the examination and guarantee of the requirements of transparency and legal certainty of the evaluation processes.
  4. Correction of the exams.

  5. Ordinary review processes or first review of the exams.

However, specifically, key data processing operations in the online examination were identified:

  1. Use of concerted keys for access to information systems.
  2. Visual verification of the identity of the students and their actions during the test.
  3. Recording of the test.

In the following Table we can see the different modalities of evaluation, their data processing and the channels by which they take place:

Channel: Virtual Classroom
  • Ownership: Own (there may be a hosting or outsourcing). Integrates or uses third-party anti-plagiarism tools.
  • Type of examination: 2. Open written assessment. 3. Objective assessment. 4. One minute paper (specific questions at the end of the class about the real understanding and opinions by students). 5. Academic work. 6. Concept map. 7. Reflective diary. 8. Portfolio. 10. Projects. 11. Issue/Case.
  • Data processing: Remote viewing during the writing of scanned handwritten examinations. Data incorporated into works: interviews, recordings, videos, photographs. Subjective or personality data. Opinions and personal experiences processing. Webcam tracking.

Channel: Videoconference
  • Ownership: Outsourcing.
  • Type of examination: 1. Oral examination. 2. Open written assessment. 3. Objective assessment. 9. Observation.
  • Data processing: Webcam tracking.

Channel: Working environment in Cloud
  • Ownership: Outsourcing.
  • Type of examination: 4. One minute paper. 6. Concept map. 9. Observation.
  • Data processing: Data incorporated into works: interviews, recordings, videos, photographs.

Table. Data processing in relation to the channel and type of examination. CRUE.

2. Data Protection

2.1 Legitimation and requirements for the processing of personal data

Article 1 of Organic Law 6/2001, on Universities (“LOU”), assigns the provision of public service in higher education to universities. Its Articles 2.2.f) and 46 include the verification of students’ knowledge as an element of the university autonomy. In addition, the Royal Decree 179/2010 which approves the University Student Statute (hereinafter, USS) establishes the right of students to an objective evaluation.

According to Article 6 of the GDPR, the personal data processing necessary for university evaluation would be accepted under one of the following conditions: contractual relationship, compliance with a legal obligation or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, the university evaluation may involve the processing of sensitive data. Universities must adopt policies to attend to diversity in accordance with the provisions of the 24th Additional Provision of the LOU, as well as Article 26 of the USS and Article 20.c) of the General Law on the Rights of Persons with Disabilities and their Social Inclusion (Legislative Royal Decree 1/2013). These regulations, in addition to being precise in invoking the so-called principle of universal accessibility, require the university institution to adopt the necessary active policies. Such data are obtained at the request of the persons concerned, which would make it easier to obtain the explicit consent referred to in Article 9 of the GDPR in relation to its counterpart in the Organic Law on the Protection of Personal Data and the Guarantee of Digital Rights. Bearing in mind that the national system contemplates the reservation of university places and free registration for persons with disabilities, and for other categories of vulnerable persons, the concurrence of a service of a social nature could be considered, in the terms of Article 9.2.h) GDPR regarding processing of preventive or occupational medicine. This undoubtedly implies that the university must have a specialized department or person in this area, which is bound by professional secrecy. On the other hand, it provides for procedures that define the information provided to the teaching staff, which should be limited to the adaptations of the examination to be carried out, as well as the definition of a clear policy of confidentiality and security.

In the case of biometrics, a sub-working group of CRUE, composed of data protection officers from universities and created ad hoc during the pandemic, considered excluding facial recognition techniques from the recommendations. The essential reason was based on the lack of pre-existing legislation, later endorsed by the Spanish Data Protection Agency. (Report on the use of facial recognition techniques in online assessment tests. AEPD. Informe núm. 0036/2020. Available on: [Accessed: June 21, 2020].)

3. Processing operations consisting of capturing and recording images

In face-to-face exams, teachers are authorized to require documents that confirm the identity of the person examined, verify his or her picture, control the proper progress of the exam and interact in an oral exam. The complete migration of the exams to an online environment may involve processing operations related to the image of the teaching staff, the persons examined and/or their immediate environment. These include:

  • Recording of oral exams.
  • Viewing the student in real time and their environment.

In the circumstances of confinement, captures by a webcam could affect not only the student but also the private and family life space protected by Article 18.1 of the Spanish Constitution and the Organic Law 1/1982 on the civil protection of the right to honour, personal and family privacy and one’s own image. It was therefore necessary to analyse whether or not such viewing and recording of images could be a measure disproportionate to the legitimate purpose pursued.

From the point of view of the proportionality test, the Spanish DPA considered:

  1. that viewing the student without using biometric techniques of facial recognition was a measure that could achieve the intended objective.
  2. that no other more moderate measure existed for achieving that purpose with equal effectiveness.
  3. that it was balanced, because it was more beneficial or advantageous to the general interest than detrimental to other conflicting assets or values.

Without detriment to the fact that in this case the competence of the universities to establish the procedures for verifying the knowledge of the students, under Article 46.3 of the LOU, could be invoked, additional grounds were also available. On the one hand, the viewing, which is common in online classes, constitutes a social practice admitted in the terms that the Organic Law 1/1982 defines in its second article. On the other hand, Article 29.3 of the USS states that professors must keep written material, paper or electronic support or the corresponding document of the oral examinations. From this legal framework it could be inferred that there is a legal ground for:

  • viewing and supporting students during their online assessment tests by simply viewing images through the activation of their webcam.
  • the recording of oral exams (usually accepted in academic rules) insofar as it also operates as a safeguard of the right to review the qualification.

Obviously, both the viewing of students taking an examination, and the oral recording of any of their performances, would require certain additional guarantees:

  • Legal predetermination, at least in procedural terms, by including specific provisions in the regulations for evaluation and/or examination, as well as in the corresponding guides or teaching programmes, approved by the competent bodies.
  • Adequate transparency through:
    • The express notification to the students of the information foreseen by Article 13 GDPR.
    • The additional notification about the conditions of use of their webcams and the eventual recording as well as its consequences. In particular, specific recommendations aimed at avoiding the capture of images related to family life, excluding the responsibility of the university for even the incidental capture of such images.
    • The express notification to students of the consequences of recording images to which they may have access in assessment examinations involving several students.
    • A multi-channel communication strategy using:
      • Information in the course-teaching guide.
      • Direct e-mail notification.
      • Notification systems on the virtual classroom.
      • At the beginning of the examination.
    • The definition of the roles, duties and responsibilities of the professors in this issue.
    • The definition of the method of recording exams or vivas that involve transferring to the virtual world the principle of publicity through the presence of other students or persons.

It is worth mentioning the possible capture and recording of images of teachers. In the case of recording, it is necessary to point out the impact on the rights of the professor. In this case, the possible recording of an oral examination by a teacher does not operate at all as a measure of employer’s control. In this case, its function is instrumental to the right to education insofar as it allows the professional to review and evaluate the performance of the person examined, and provides the latter with the necessary evidence in the event of a complaint against the qualification. It also complies with the established obligation to preserve the evidence of the evaluation, which is not only contained in the University Student Statute (article 29.3), but also in most of the evaluation rules approved by the universities. Here again, due safeguards must be adopted:

  • Legal predetermination.
  • Adequate transparency through direct notification to professors.
  • The definition of the roles and responsibilities of professors in this area.

It was essential to ensure that the principle of purpose limitation was guaranteed by:

  • the use of the recordings to be strictly limited to the purposes of the evaluation and not be stored longer than necessary for those purposes (usually contained in academic rules).
  • the recordings not to be used for any other purpose and the requirement that no compatible uses are to be allowed without the consent of the persons concerned.
  • the fact that no third party is involved in the evaluation process or entitled to evaluate the student or group of involved students.

These safeguards were also appropriate for the protection of other rights such as the safeguarding of authorship and intellectual property, and even the right to the image or professional honour of the persons examined. All this, without forgetting the necessary security measures adopted and the obligation to use the means that the university authorises and provides for the members of the university community.

To conclude, the data protection officers of the Spanish universities have had to make a considerable effort to analyse the legal framework. With their work, they have offered a functional result that allows for the alignment of online examinations with GDPR. However, regulatory scenarios are needed that permit an efficient fight against fraud, eliminate any doubt about proctoring techniques and clarify whether their combination with facial recognition techniques can be compatible with the fundamental right to data protection.

Mónica Arenas Ramiro, Lecturer of Constitutional Law and Data Protection Officer at the University of Alcalá.

Ricard Martínez Martinez, Lecturer of Constitutional Law, director of the Microsoft-University of Valencia Chair of Privacy and Digital Transformation, director of a team that supports universities and scientific research projects as data protection officers.

This paper is based on the report: CRUE. “Informe sobre el impacto normativo de los procedimientos de evaluación online: protección de datos y garantía de los derechos de las y los estudiantes”. Available on: [Accessed: June 21, 2020].


For more information on the context of this e-conference and the other papers see

Don’t miss the next paper tomorrow at 12 p.m. (GMT+1) Covid-19 and data protection in Portugal, by Rui T. Lanceiro
