Proctorio Blog


Data Security & Privacy in Context: A (Former) User’s Story – Pt. 1 of 3: Crisis & Adoption

When it comes to data privacy and security, Proctorio—to borrow a classroom phrase—sets the curve. I’m open to debating the merits of Proctorio’s other features, but with regard to this topic, there is simply no competition. “You’re biased!” you say. Perhaps a little. As the learning and development manager for Proctorio, my primary job responsibility is to educate and empower our users by advocating our products’ features. However, before joining Proctorio, I worked in K-12 public education for nearly 14 years. I served as a classroom teacher, curriculum specialist, and—most recently—the technology coordinator for the University of Texas at Austin High School (UTHS), an online school that uses Proctorio to securely deliver exams around the world. I remain an educator at heart, and if you grant me the opportunity, I will attempt to contextualize Proctorio’s data and security practices drawing from my experience.

Crisis

Like so many institutions, UTHS had to quickly adapt its systems and processes in response to the COVID-19 pandemic. Because we were already operating as a virtual school, the transition was less jolting than it had been for others, and many of our services, including our online courses and high school diploma program, remained relatively unchanged. Proctored testing, however, presented us with a significant challenge. Apart from traditional course exams, our institution was one of two accredited by the state to administer K-12 credit by exams (CBEs), used for credit recovery and accelerated placement.

Altogether, we could easily surpass 30,000 proctored exams in a year. At the time, students could elect to test online or on paper, but either medium required a human proctor. With traditional proctoring, students had to locate a testing center, schedule their exams, and arrange transportation (it all sounds terribly tedious). These logistical and financial barriers were not lost upon us, even before the pandemic, and our team had already begun to investigate online proctoring solutions. The nationwide closing of universities, school districts, and other testing locales simply accelerated our adoption timeline.

Adoption

A public institution, such as UTHS, can rarely, if ever, enter into an agreement with a third-party service provider without it first being extensively vetted. The review is traditionally performed by members of the institution’s information security office (ISO), who, over weeks to months, will audit the provider’s privacy and security policies, review available whitepapers, solicit customer references, and conduct system vulnerability tests. A rigorous analysis ensures the product and services are in practice secure and compliant with all applicable laws, regulations, and standards. The institution is, after all, assuming as much or more risk than the service provider.

What are the risks? Fines, litigation, and reputational damage, to name a few, and not just for the institution but for the service provider as well. Both are bound by an extensive legal framework protecting students’ rights—privacy being chief among them.

The Family Educational Rights and Privacy Act (FERPA) is the principal legislation governing student privacy in the U.S.; others include the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), and, looking beyond the U.S., the European Union’s General Data Protection Regulation (GDPR). With users spread worldwide, Proctorio and UTHS are accountable to these laws and more.

Each law is highly nuanced, and some extend greater rights and protections than others, but they all fundamentally say the same thing: A student’s education records, including all personally identifiable information (PII), cannot be shared with a third party without the consent of the student’s parent or guardian. There is, however, an important exception made for schools—we’ll come back to that later.

In addition to the aforementioned legislative acts, institutions often impose additional data privacy and security standards on their service providers. For example, almost all public and private institutions require digital service providers to hold an ISO 27001 certification. To make an analogy, the ISO 27001 certificate is the telecom equivalent of a restaurant health permit. It ensures a business is doing all it can to manage and mitigate data security risks, and without it, a service provider can expect to do little business.

To acquire and maintain such industry certifications, Proctorio must regularly undergo exhaustive internal and external security audits. These are in addition to those already conducted by our potential clients. Audits are convoluted, resource-intensive processes, and yet Proctorio voluntarily submits itself to additional scrutiny on a regular basis. By partnering with trusted third-party organizations, including iKeepSafe, HackerOne, and White Oak Security, Proctorio can ensure its data privacy and security practices are valid and impervious to external threats.

I invite you to visit the Proctorio Trust Center where you can access Proctorio’s cybersecurity policies, industry certifications, and audit reports. Businesses do not routinely make such information publicly available–certainly none of Proctorio’s competitors do.

Was Proctorio ever approved by UT’s ISO office? Yes. This would be a much shorter post if it hadn’t been. You might also wonder if UTHS considered other services. Certainly, but Proctorio was ultimately chosen for three reasons: 1) We wanted only our staff to have access to our students’ data; 2) We wanted an automated solution that did not require scheduling; and 3) We wanted a service that integrated with our pre-existing learning management system (LMS).
