Implementation

UTHS used Proctorio’s automated proctoring service to remotely administer its high school course exams and CBEs for grades 3-12. To function, Proctorio must be able to associate a student’s or test-taker’s information with their exam data, which means it must also access some academic and personally identifiable information (PII). Now, you may be wondering if or how UTHS acquired parental consent to share data with Proctorio. We didn’t—not at first—but we also weren’t required to.

Recall the “exception” I mentioned earlier: Most student privacy laws include either a “school official” or “legitimate educational interest” exception that permits a school to share students’ academic records and PII with third-party service providers without parental consent. In essence, the school consents on behalf of the parent and is permitted to do so because the service fulfills an educational need. Still, the service provider is prohibited from using any student data beyond the purposes of delivering its agreed-upon services. That is to say, a service provider cannot claim the same exception, nor does the exception empower a school to authorize the sharing or selling of student data on behalf of the parent. Such actions would certainly require parental consent.

What is mandated under these exceptions is “notice.” For U.S. parents and students, the “school official” exception is described in their institution’s annual FERPA notice.

While not obligated to, UTHS eventually began asking all prospective full-time students and parents to review and agree to its exam policies regarding Proctorio before registering. Parental authorization (or authorization by another school) had always been required to take a CBE; therefore, it was just a matter of updating the CBE registration form and website to include information about Proctorio. Given the sensitivity and cynicism surrounding online proctoring, our goal was to be as transparent as possible with all of our stakeholders. How Proctorio functioned, what data it collected, and who could access the data–we shared as much as we could in webinars, on our website, and within all of our online courses and exams.

It’s easy to explain something when there’s little nuance. Fortunately, Proctorio’s approach to data privacy and security is relatively straightforward, even if the technology they use to achieve it is quite advanced.

1. Don’t collect more data than what is absolutely necessary. To function, Proctorio’s automated proctoring service requires minimal student data. This may include the student’s name, email address, or another unique identifier provided by the school’s LMS, but no more than what is absolutely needed to function. A testing institution, like UTHS, however, can choose to collect additional information by turning on specific exam settings, but Proctorio cannot access or view that data unless authorized by the institution.
2. Make it impossible for anyone other than authorized institution staff to access test-taker data. Proctorio employs two methods to ensure that test-taker data is illegible and inaccessible to any unauthorized individuals. A process known as pseudonymization scrambles any identifiers, such as name or email, into random alphanumeric sequences. As the technology coordinator at UTHS, I could see our students’ names alongside their exam data; as a Proctorio employee, I would see something like “c15d8d531050465196…” You might think I could use that string to look up a test-taker’s exam data. Nope. Proctorio’s zero-knowledge, end-to-end encryption ensures that. Like pseudonymization, encryption scrambles all test-taker data, and the only way to unscramble it is to have the right decryption key. Each key is unique and known only to the testing institution (hence, the “zero-knowledge” piece). With this approach, the institution—not Proctorio—has complete control over who can and cannot access test-taker data. Indeed, one of my team’s primary responsibilities at UTHS was managing Proctorio permissions.
3. Manage risks to data privacy and security. Managing risk is all about identifying potential threats and liabilities and building systems and processes to overt them. As stated earlier, Proctorio is accountable to the same student privacy laws as any public school and undergoes regular internal and external audits to ensure compliance. Procotrio’s systems are furthermore subjected to routine vulnerability scans and penetration tests (i.e., intentional attacks) meant to identify possible security risks. Risk, however, is not just intrinsic to software but people and processes as well. Hence, all Proctorio employees are required to undergo an FBI background check and participate in FERPA and cybersecurity training. No other online proctoring service, as far as we are aware, requires this of their employees.*/

Now, there are acceptable circumstances in which a designated Proctorio employee can access test-taker data. If an institution requires technical assistance, it may give a support agent or product engineer temporary access to its LMS or assessment platform. I did this on multiple occasions at UTHS. At the time, I was surprised (and a little frustrated) to discover that no one at Proctorio could access our students’ exam data. How could they not have access to their own system, their own data? But it’s true, and not a scenario I often encountered with our other service providers. Rather, I had to create a “Proctorio” user, assign the appropriate permissions, and add them to the affected course. Only then could a Proctorio employee see what I saw as an institution administrator and troubleshoot the issue.

Test-takers can also call, email, or chat with a Proctorio Support agent anytime (24/7/365) should they require technical assistance or simply have a question or concern. During these exchanges, a test-taker may volunteer personal information, such as their name or email address, or allow a support agent to view their screen and device setup. This information may be temporarily stored in Proctorio’s systems, but it’s never used outside of providing requested assistance.

While UTHS only ever used Proctorio’s automated proctoring service, other institutions subscribe to additional Proctorio services. Live Proctoring, Live ID, Verify Environment, and Professional Review are all services that require Proctorio employees to access and review test-taker data. Again, the institution must first turn on those services; only then can Proctorio access the data.

Okay. That was a lot. Here it is summarized into three key takeaways:

• Proctorio meets and often exceeds data privacy and security requirements, here in the U.S. and abroad.
• Proctorio cannot and will not share or sell user data. It’s a scrambled mess anyway, so it’s useless.
• Only authorized individuals chosen by the institution can access and view test-taker data. The only way Proctorio is seeing a test-taker’s data is if the institution allows it.

Of course, the most secure data is data that doesn’t exist. This is why Proctorio seeks to limit how much data it accesses and collects, and why all institutions must implement a data retention policy as part of their agreement with Proctorio. A data retention policy defines the period of time data can be kept before it’s destroyed—not just deleted. For most institutions, Proctorio exam data is retained between 1-12 months. Institutions may also manually delete and destroy exam data, but any remaining records are automatically destroyed by Proctorio once the retention period expires. Is the data truly irretrievable? Yes, speaking from experience. On one or two occasions at UTHS, I asked Proctorio to restore a test-taker’s exam data; I was politely informed that it wasn’t possible.