
How can we trust systems for online tests and assessments?

March 4, 2021

This summer semester brought many novelties. For a lot of students, it was their first time taking a proctored online exam. Mixed feelings arise when starting the exam. Will everything work the way it should? Does everyone get tested under the same conditions? And first and foremost: What happens to personal data?

But online tests are not limited to universities. eLearning, assessment centers, and personal development tests are also increasingly moving online. Testing situations are fundamentally personal acts in which skills, knowledge, strengths, and weaknesses are shared. Consequently, data privacy is very important when online tests are taken.

Reviews of online proctoring services underline this finding: most examinees are concerned about the handling of their data. To create a safe testing environment, complying with the highest safety standards is crucial for the success and acceptance of online exams. A prerequisite for this is to make sure that the proctoring tool is GDPR compliant. But what does this mean?

In general, the GDPR “lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data” (Art. 1(1) GDPR). Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’)” (Art. 4(1) GDPR). To verify the identity of an examinee at the beginning of the exam, it is mandatory to compare the webcam image with an identity document, such as a student ID, ID card, or passport. For this special category of personal data (Art. 9(1) GDPR), the verified person must give “explicit consent to the processing of those personal data” (Art. 9(2a) GDPR). The consent, in which the verified person agrees to the processing of personal data, must be voluntary, for a specific case, and unambiguous (Art. 4(11) GDPR).

Specifically, the GDPR gives the examinee eight rights:

  1. The right to be informed (Art. 15(1) GDPR) — individuals must have information about whether and what kind of personal data is processed and why the data is processed.
  2. The right to access (Art. 15(2) GDPR) — individuals can request access to the processed personal data. They can review and check their data or make copies. Thus, the company must take appropriate measures to provide the information in a “concise, transparent, intelligible, and easily accessible form” (Art. 12(1) GDPR).
  3. The right to rectification (Art. 16 GDPR) — individuals can have their data updated if it is incomplete or incorrect.
  4. The right to be forgotten (Art. 17 GDPR) — individuals can have their data deleted.
  5. The right to restriction of processing (Art. 18 GDPR) — individuals can request that their data not be used for processing. Their record can remain in place but must not be used.
  6. The right to data portability (Art. 20 GDPR) — individuals have a right to transfer their data back to themselves or other responsible persons. The data must be provided in a machine-readable format.
  7. The right to object (Art. 21 GDPR) — individuals can request that the processing of their data be stopped. There are no exemptions to this rule, and any processing must stop as soon as the request is received. Also, this right must be made clear to individuals at the very start of any communication.
  8. The right to be notified (Art. 33 GDPR) — individuals have the right to be informed when there has been a data breach that compromises an individual’s personal data. The notification must happen within 72 hours of becoming aware of the data breach.

At cubemos, we highly value personal data. Therefore, we design our online test platform to enable data privacy by design. Of course, personal data must be recorded during an online test, and examinees are required to give their consent to the recording before starting the test. When an examinee takes the exam, we also create an account for them, which facilitates the review and management of their personal data. Examinees get a notification once their personal data is deleted, which usually happens several days after the test is completed. With this mechanism, we can ensure that all rights that the GDPR requires are incorporated and promoted in our system design.

With our platform, organizations can run any test online in a trustworthy and valid way. The examination process is completely automated, and the system is designed to fully comply with data privacy regulation. If you want to try out our system for your tests, text us via or read more on
