Datatilsynet (Denmark) - 2020-432-0034: Difference between revisions

From GDPRhub
No edit summary
 

Latest revision as of 16:39, 6 December 2023

Datatilsynet - 2020-432-0034
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5 GDPR
Article 5(1)(f) GDPR
Article 6(1) GDPR
Article 32 GDPR
Article 35 GDPR
Databeskyttelseslovens § 11, stk. 1.
Databeskyttelseslovens § 11, stk. 1 (Data Protection Act)
Type: Complaint
Outcome: Rejected
Started:
Decided: 26.01.2021
Published: 05.02.2021
Fine: None
Parties: IT University of Copenhagen
National Case Number/Name: 2020-432-0034
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Rie Aleksandra Walle

The Danish DPA (Datatilsynet) found that a university's use of an online proctoring service to identify exam candidates, supervise the online test and prevent cheating, was in line with the GDPR and national legislation.

English Summary

Facts

The DPA conducted an audit of the IT University of Copenhagen (ITU) and their use of an online proctoring service for one of their online exams.

Following COVID-19, ITU was required by Danish authorities to provide education and exams online. They were also instructed to ensure integrity of the exams, to prevent cheating. ITU considered the need for monitoring for each exam and found that one required the use of monitoring (”Algorithms and Data Structures”), because the exam answers would be identical for every student (it would be easy to copy and share answers). This processing would be based on Article 6(1)(e) GDPR, cf. § 6(1) the Danish Data Protection Act.

ITU stated purpose for using an online proctoring tool, which in this case was "ProctorExam", was 1) to supervise the student during the exam, and 2) to prevent cheating. The use of ProctorExam included that: 1) The student would show an ID to the webcam (a student card from ITU or other valid ID). This would be manually controlled by an ITU representative. 2) A video and sound recording, and a recording of the student's screen 3) Recording of the web browser browsing history The use did not include any processing of biometric data or facial recognition technology.

The DPA emphasized the following in their finding and decision:

  • ITU had conducted (and documented) a concrete necessity test of the need to use monitoring tools, for all their exams
  • ITU had chosen an online proctoring tool that was considered to be the least invasive one (for their circumstances)
  • ITU had informed the students in a concise, transparent, intelligible and easily accessible form, using clear and plain language, specifically for the type of processing when using ProctorExam, as well as providing the students with their general privacy notice
  • ITU had conducted a risk assessment, considered technical and organizational security measures and introduced measures to minimize the processing in question (e.g. encryption in transit and at rest, secure servers located in the EEA, access control and more)

Dispute

Did ITU have legal grounds for requiring students to accept being monitored while taking an online exam?

Holding

The DPA held that ITU had legal grounds for requiring students to acccept monitoring while taking an online exam.

Comment

The ITU uses a service (ProctorExam) with subprocessors in the US (Amazon AWS and Google cloud), i.e. a problematic situation as per the Schrems II ruling. However, and it's interesting to note, the DPA don't comment on this in their decision.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.



University's use of supervision program in online exams
Published 26-01-2021
Decision

The use of a program to control cheating during exams took place in a specific case within the rules, the Danish Data Protection Agency assesses in a new decision. Journal number: 2020-432-0034
Summary
The Danish Data Protection Agency has made a decision in a case where the Danish Data Protection Agency, on the basis of a telephone inquiry, decided to investigate the IT University's (ITU) use of a monitoring program in an online examination in more detail.
Due to the COVID-19 situation, the ITU had been required to hold classes and exams online. The ITU considered that in a single subject it was necessary to supervise the students by means of a supervision program which during the three-hour exam made video, audio and screen recordings and recording browser search history from the students' computers.
Specifically, the Danish Data Protection Agency found in the case that ITU's use of the supervision program had been made within the framework of the data protection law rules.
In its decision, the Danish Data Protection Agency emphasized, among other things, the following circumstances:

The ITU had made a concrete necessity assessment of the need for examination supervision in relation to the subjects offered by the ITU, and the ITU had assessed the need for a single subject.
In selecting the monitoring program, the ITU had chosen a program that was the least intrusive in relation to the specific circumstances.
The ITU had briefed the students on the extraordinary processing of personal data.
The ITU had taken a number of security measures in connection with the monitoring program's processing of student information.

Decision
The Danish Data Protection Agency hereby returns to the case where, on 30 April 2020, the Authority decided on its own initiative on the basis of a specific inquiry to investigate the IT University of Copenhagen's (hereinafter ITU) processing of personal data using the program "ProctorExam".
Below is a more detailed review of the case and the Danish Data Protection Agency's decision.
Decision
Following an examination of the case, the Danish Data Protection Agency finds that ITU's processing of personal data has taken place within the framework of the rules in Article 5, Article 6 (1) of the Data Protection Regulation [1]. 1, and the Data Protection Act [2] § 11, para. 1.
The Danish Data Protection Authority also finds that ITU's processing in connection with the use of ProctorExam has taken place in accordance with Article 5 (1) of the Data Protection Regulation. Article 32 (1) (f) and Article 35.
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.
2. Case presentation
On 30 April 2020, the Danish Data Protection Agency received a telephone inquiry that the ITU intended to control the examinees' computers during examinations by written home examination using a monitoring tool called ProctorExam.
According to this, the ITU would in this connection have access to the examinee's webcams and screens, and the intended treatment would take place on the basis of the examinee's consent. If the examinee did not want to give consent, the examinee would not have the opportunity to go to the exam.
Against this background, the Danish Data Protection Agency requested an opinion on the matter on 30 April 2020 from the ITU. The ITU issued a statement on the matter on 7 May 2020.
On 12 May 2020, the Authority subsequently requested a new opinion on the matter. The ITU issued a supplementary opinion on 25 May 2020. Among other things, the ITU stated in the opinion that the exam was held on 13 May 2020.
2.1. ITU comments
2.1.1. Background for control by written home test
The ITU has initially explained that due to the COVID-19 situation, the government carried out a physical closure of the universities and that the government at the same time demanded that the teaching and examinations be conducted online.
Against this background, the ITU reorganized teaching and examinations to take place online.
At the same time, the Ministry of Education and Research instructed the ITU to hold examinations under the usual rules on integrity, even though examinations may not be held as a site test at the ITU.
As an educational institution, ITU is obliged to ensure that the quality of teaching and examinations is maintained, just as ITU guarantees as a certificate-issuing university that diplomas for completed bachelor's and master's programs and other study activity are correct and that the graduates have the professional competencies the certificate, and that the graduates have lawfully obtained the results obtained.
Furthermore, the ITU has stated that the ITU and other universities therefore have the right to take initiatives to check that the students have not received unlawful help to complete their exams, as stated in a letter of 12 September 2019 from the Danish Agency for Research and Education.
As a result of the conversion to online examinations, the ITU has assessed for each individual examination whether the conversion and implementation of the examinations could be completed without supervision.
As a result, the ITU has assessed that it is not possible to reorganize the examination in the subject "Algorithms and Data Structures" completely without supervision. The reason for this is that the subject is a basic course where the students have to show their basic skills within the subject area. All correct answers in this exam will be identical because there is one correct answer without explanation or elaboration, and it is therefore crucial in this exam that the examinees have not communicated with each other or received help from others. This need does not exist in relation to other examinations, where the purpose e.g. is that the students show and describe how they have arrived at the results, why the answers will be different, so that completely identical answers can thus be identified as plagiarism.
The ITU has therefore confirmed that the university intends to use the monitoring tool ProctorExam on 13 May 2020 in connection with the home exam in the subject "Algorithms and Data Structures", and that the ITU is in this respect data responsible for the processing of personal data using ProctorExam.
2.1.2. The need for ProctorExam and the processing of personal data in connection therewith
The ITU has stated that the purpose of using ProctorExam is to supervise the examinees during the exam and to avoid exam cheating. In doing so, the ITU shall ensure:

that a submitted answer has not been prepared by a third party, and
that the examinee has prepared the answer without receiving any kind of assistance.

The first point is ensured by the examinee identifying himself / herself by presenting his / her ITU-issued student card to the camera at the beginning of the examination. If the examinee does not have a student card, a driving license or passport can be presented instead.
The ITU considers that the video recordings of the examinee are a reasonable and necessary measure to ensure the identity of the person submitting the answer to the exam.
The second point is ensured by monitoring and recording the examinee's opportunities to communicate:

The sound recording ensures that it will be detected if the examinee is addressed.
The video recording ensures that it will be detected if the student uses a mobile phone or. lign. for communication, or if the examinee openly receives (silent) instruction from a person in the room.
The recording of the screen content ensures that it will be detected if the examinee communicates using e.g. mail, chat or internet forums directly on the examinee's computer.

The ITU considers that the three admissions are a reasonable and necessary measure to ensure that the examinee does not communicate during the examination and that the three admissions are separately necessary.
It also appears that approximately 330 students are enrolled in the subject "Algorithms and Data Structures" in the spring semester 2020, and that the ITU thus processes information on approximately 330 students.
Other persons may risk moving past the examinee's camera, which is why the ITU may process information about other than the approximately 330 students. However, it is a requirement that the examinee is alone, which is why it will be an accident, a crisis situation or in connection with cheating, if this is not the case.
Personal data, including some confidential information, is processed in the form of in particular:

Photo ID on the examinee - student card, driver's license or passport (normal exam ID)
Video recording of the examinee (instead of the normal examiners' observation of the examinees during the exam)
Audio recording of the examinee (instead of the normal examiners' observation of the examinees during the exam)
Screenshots of the examinee's computer (instead of the normal examiners' observation of the examinees during the exam)
Registration of the examinee's browser history in the three hours that the exam lasts (the browser history is registered neither before nor after the exam)

Sensitive information is not processed unless the examinee, consciously or unconsciously, shares it himself in front of the computer camera, orally or via his screen.
The processing of information about the examinees is based on Article 6 (1) of the Data Protection Regulation. 1, letter e, cf. the Data Protection Act § 6, para. 1.
It is not the ITU's opinion that sensitive information should be processed, but to the extent that an examinee, knowingly or unknowingly, shares such information, the legal basis for this processing is considered to be Article 9 (1) of the Data Protection Regulation 2, letter g, cf. the Data Protection Act § 7, para. 4. The ITU has also called on the examinees to arrange their computers in such a way as not to inadvertently process sensitive information in connection with the video, audio and screen recordings.
ITU further states that ITU is aware of the Danish Data Protection Agency's decision regarding Fredericia Gymnasium. In this connection, ITU's view is that the framework for ITU's use of ProctorExam differs significantly from Fredericia Gymnasium's previous use of ExamCookie, just as the systems themselves differ significantly from each other.
In this connection, the ITU has stated, inter alia, that ProctorExam, unlike ExamCookie, does not require the installation of general-purpose software; that ProctorExam does not monitor network traffic, clipboard content, or background processes; that the ITU only uses ProctorExam for exams where it is deemed necessary; that ExamCookie automatically sorted the students' data and showed any communication with the outside world or the use of unauthorized aids, while ProctorExam only records audio, video and screen, after which individual employees potentially subsequently review parts of the recordings manually; and that ExamCookie was used as an additional control for regular site tests, while the online site test held at ITU required remote supervision and thus a dedicated software such as ProctorExam.
Furthermore, the ITU has stated that biometric data about the examinee are not processed by the examinee's image identification at the beginning of the examination. At random checks, staff from the ITU manually check the identity of the examinee by holding a student card or other photo ID up to the face, which appears on the computer camera. The ITU does not use software-based face recognition or other technical treatment to uniquely identify the examinee.
In ITU's view, the processing of data on examinees complies with the basic principles of Article 5 of the Data Protection Regulation, including paragraph 1. 1, letters a, c and f.
In this connection, the ITU has stated that the processing is based on data protection legislation, that the information obligation has been fulfilled and that data processing via ProctorExam is, in the ITU's assessment, the least intrusive solution when compared to the purpose of conducting the examination online and the need for exam supervision. Finally, the ITU has stated that the ITU has implemented technical and organizational security measures that ensure an appropriate level of security.
The recordings of the examinees are stored by ProctorExam on servers in Frankfurt for 21 days, after which the recordings are deleted. It is the ITU's assessment that 21 days is the shortest possible time, as there must be time to review admissions from 330 examinees.
2.1.3. Information about the treatment
The ITU has stated that the ITU fulfills the information obligation in the Data Protection Regulation by allowing students at the ITU at the start of their studies to receive and via the ITU's communication platform access the ITU's general disclosure obligation letter, from which information on the ITU's processing of personal data appears.
Furthermore, the ITU has provided a concrete description of the processing of personal data that takes place in connection with the examination in "Algorithms and Data Structures" and the use of ProctorExam. This description has focused in particular on hitting the target group - the examinees - in a concise, transparent, easily understandable and easily accessible form in a clear and simple language, as required by Article 12 (1) of the Data Protection Regulation. 1.
2.1.4. ProctorExam's technical application and level of security
ProctorExam's monitoring solution records video, audio and screenshots from camera, microphone and screen on the examinee's computer during the examination. The recordings are ongoing for the duration of the exam, which is three hours. Furthermore, ProctorExam records the examinee's browser history during the exam.
The recordings from the examinee's computer are continuously transmitted to ProctorExam's servers in Frankfurt, Germany.
After graduation, authorized ITU staff can access the recordings from their local computer via a web interface. The authorized staff consists of the course's three lecturers, ITU's technical support for the system (individual employees in Learning Support and the Study Administration) and the examination supervisor (employees in the Study Administration and Learning Support).
ITU employees' access to the recordings is controlled by username and password. The ITU has requested a 2-factor authentication, but has not received this. The ITU has therefore emphasized to the staff who have access to ProctorExam that the ITU's standing password policy also applies to ProctorExam - in particular that the staff must avoid password reuse and that the password must have sufficient strength.
Some employees from ProctorExam will also have access to the recordings. These are subject to confidentiality, which also applies to sub-processors.
The recordings are transmitted encrypted according to general best practices (https) - both during the ongoing transmission during the examination and the ITU staff's subsequent approach to the recordings via a web interface. TSL (via AWS) is used for this, and ITU’s IT department has verified that Protocol TLS 1.3, X25519, AES_128_GCM is used. The personal information is "at rest" encrypted by Amazon S3 server-side encryption, AES-256. The AWS architecture is ISO 27018 certified and complies with the "EU Cloud Code of Conduct".
The recordings are made via an extension (an "extension") to the web browser Google Chrome. The extension utilizes existing features to implement additional functionality, making it possible to record video, audio and screen content.
The extension is installed via Google's "chrome web store", and the installation is thus subject to Google's own control, which according to ITU's professors in IT security, is considered to be among the safest and best on the market. The extension is straightforward to install and uninstall, and the risk of the extension being uninstalled incorrectly or partially is very small.
The ITU has also entered into a commercial contract and a data processor agreement with ProctorExam to ensure that the extension to Google Chrome works as intended and that ProctorExam's processing of information on behalf of the ITU is in accordance with the data protection rules.
In determining an appropriate level of security, the ITU has taken as its point of departure the ITU's risk assessment for the treatment activity, which consists of three sub-assessments in relation to the students' rights and freedoms:

Unauthorized access to personal data = low
Unauthorized deletion or loss of personal data = low
Unauthorized modification of personal data = low

In the light of this risk assessment, the ITU has primarily taken the following measures:

A technical solution has been chosen that minimizes the IT security risk for the student's computer (Google Chrome plugin) and incorrect activation
A solution has been chosen that only takes up the most necessary things, and only during the exam itself.
A solution has been chosen where data is encrypted, both in transmission and stored.
ITU staff who access data do so only from their ITU work machines, which are themselves subject to ITU’s IT security policy.
The staff group that has access to data is limited to the minimum.
A very restrictive 21-day retention policy has been chosen
The examinees are fully informed about the recordings and they are encouraged to limit the visibility of private details in their private homes, e.g. by strategically choosing where they sit during the exam.

All in all, the ITU has assessed the risk to examinees' rights and freedoms as very low. Furthermore, the ITU assesses that the safety measures taken ensure an appropriate level of safety and that the remaining risks are commensurate with the need to supervise the examination.
Justification for the Danish Data Protection Agency's decision
3.1. Processing of personal data using ProctorExam
3.1.1.
It follows from Article 2 (1) of the Data Protection Regulation 1, that the Regulation applies to the processing of personal data which is wholly or partly carried out by means of automatic data processing, and to other non-automatic processing of personal data which is or will be contained in a register.
Article 6 (1) of the Data Protection Regulation 1 states that the processing of personal data is only lawful if and to the extent that at least one of the conditions in letters a-f applies. Subparagraph (e) states that personal data may be processed when processing is necessary for the performance of a task in the public interest or which falls within the exercise of public authority imposed on the data controller.
Furthermore, it appears from the Data Protection Act, section 11, subsection. 1, that public authorities may process personal identity number information for the purpose of unique identification or as a record number.
On the basis of the ITU's statements in the case, the Danish Data Protection Agency assumes that the ITU is data responsible for the processing of personal data that is carried out in connection with the use of ProctorExam, and that the purpose of the processing of personal data in question is to supervise the examinees during the examination. Algorithms and Data Structures and avoid exam cheating.
Personal information is processed according to the information in the form of video and audio recordings of the examinees, screenshots of the examinees 'computers, registration of the examinees' browser history and photo identification in the form of passports, study or driving licenses for approximately 330 examinees. The video, audio and screen recordings take place during the examination time, which is three hours.
On the basis of this, the Authority assumes that, depending on the circumstances, the ITU also processes information about the examinees' social security number when using ProctorExam, as the social security number appears on the passport and driving license.
The Danish Data Protection Agency has also emphasized that, as a result of the COVID-19 situation, an physical closure was imposed on the ITU, and that all teaching and all examinations in the future should be conducted online, while online examinations should be held under the usual rules on integrity. As a result, the ITU reportedly made an assessment of the need for examination supervision in the subjects offered by the ITU.
The ITU assessed that exam supervision in the subject “Algorithms and Data Structures” was particularly necessary, as the subject was a basic course where the students had to show their basic skills within the subject area. All correct answers in the exam would be identical, as there was one correct answer without explanation or elaboration, which is why, unlike other subjects, it was crucial to be able to demonstrate that the examinee did not receive help from others.
After a specific assessment of the information in the case, the Danish Data Protection Agency finds that there is no basis for overriding ITU's assessment of the need for supervision in connection with the examination in the subject “Algorithms and Data Structures”, and that ITU's processing of personal data using ProctorExam within the framework of Article 6 (1) of the Data Protection Regulation 1, letter e.
The Danish Data Protection Agency also finds that the ITU can process the examinees' personal identity numbers, cf. section 11 (1) of the Data Protection Act. 1, for the purpose of unambiguous identification of the examinees in order to prevent and prevent examination fraud.
3.1.2.
The basic principles for the processing of personal data, as set out in Article 5 of the Data Protection Regulation, must be observed in any processing of personal data.
This means, among other things, that personal data must be processed legally, fairly and in a transparent manner in relation to the data subject, cf. 1 (a) ('legality, fairness and transparency'). This means, among other things, that the processing must be proportional in relation to the purpose (s) for which personal data is processed.
Furthermore, personal data must be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed, cf. 1 (c) ('data minimization').
The Danish Data Protection Agency finds that the ITU's processing of information about examinees in the subject “Algorithms and Data Structures” using ProctorExam is in accordance with Article 5 (1) of the Data Protection Regulation. 1, letters a and c.
It is hereby emphasized that the purpose of the treatment is to supervise the examinees during the examination and avoid exam cheating, and that video, audio and screen recording of the examinees as well as registration of browser history while the examination is in progress meet the purpose of the treatment and ensure that the examination answer not assisted by or made by third parties.
The ITU has explained the specific necessity of and the specific scope of the processing of personal data in question, as audio, video and screen recordings as well as browser history ensure that the ITU can detect whether an examinee's examination answer has been prepared improperly.
The ITU has also reported on the IT and security measures that have been taken to ensure that information about the examinees is processed properly. The Danish Data Protection Agency refers to section 3.3 for more on this.
Due to the subject's examination form and nature as well as the scope of the processing of personal data in question, the Danish Data Protection Agency has not found reason to override this assessment.
Finally, the Danish Data Protection Agency has noted that the ITU has set a short retention period of 21 days, after which the recordings will be deleted.
In conclusion, the Danish Data Protection Agency notes that in connection with the assessment of the need for supervision in online examinations, the data controller must consider whether it is possible to reorganize the examination form so that the examination can be conducted safely and at the same time as minimally intrusive as far as processing personal data is concerned. .
3.1.3.
It is clear from Article 9 (1) of the Data Protection Regulation 1, that the processing of personal data on racial or ethnic origin, political, religious or philosophical beliefs or trade union affiliation as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or information on a natural person's sexual or sexual relations orientation is prohibited.
Of the provision's paragraph. 2, letters a-j, certain exceptions to the prohibition appear in para. 1. It appears i.a. of point g that the information listed in para. May be dealt with if the processing is necessary in the interests of the public interest under EU law or the national law of the Member States and is proportionate to the objective pursued, respects the essential content of the right to data protection and ensures appropriate and specific measures; for the protection of the data subject's fundamental rights and interests.
It also follows from the Data Protection Act, section 7, subsection 4, that the processing of data covered by Article 9 (1) of the Data Protection Regulation 1, may take place if the processing of information is necessary in the interests of the public interest, cf. Article 9 (1) of the Data Protection Regulation. 2, letter g.
The ITU has stated that, in principle, personal data not covered by Article 9 of the Data Protection Regulation are not processed, but that it cannot be ruled out that personal data covered by Article 9 of the Regulation may be monitored in connection with the monitoring of examinees' computers.
The ITU has referred to the fact that information covered by Article 9 of the Regulation is in that case processed in accordance with section 7 (1) of the Data Protection Act. 4.
This provision is in the nature of a collection provision with a narrow scope which, in the Authority's view, cannot constitute a basis for the processing of data covered by Article 9 of the Regulation, through the use of ProctorExam.
The Authority has noted that the ITU does not, in principle, process information covered by Article 9 of the Data Protection Regulation when using ProctorExam, and that the processing of such information must to a large extent be considered unintentional to the extent that it may occur.
In order to avoid that the examinees' behavior inadvertently gives rise to the processing of sensitive information, the Danish Data Protection Agency recommends that the ITU to a greater extent encourage the examinees to and emphasize the need for the examinees to take measures to avoid unintentional sharing of information so that it is made clear to the students how they should behave in the exam situation in relation to the treatment activities that take place during monitoring using ProctoExam. The audit refers to section 3.2, where the need for information about the treatment is further reviewed.
3.1.4.
In summary, the Danish Data Protection Agency thus finds that ITU's processing of information about the examinees in connection with the examination in the subject “Algorithms and Data Structures” on the basis of the information in the case can take place within the framework of Article 5 of the Data Protection Regulation. Article 6 (1) (a) and (c) and Article 6 (1) 1, letter e, and the Data Protection Act § 11, para. 1.
However, the Danish Data Protection Agency finds that section 7 (1) of the Data Protection Ordinance 4, does not authorize the processing of information covered by Article 9 of the Regulation in connection with the ITU's use of ProctorExam.
3.2. Information about the treatment
It is clear from Article 5 (1) of the Data Protection Regulation 1 (a) that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ('legality, fairness and transparency')
It follows i.a. of which the data controller has an obligation to ensure that the data controller's processing of personal data is transparent to the data subject (s).
Initially, the Danish Data Protection Agency notes that it is the Authority's assessment that the ITU's processing of information about the examinees using ProctorExam does not have the character of further processing for another purpose, which triggers a new duty to provide information pursuant to Article 13 (1) of the Data Protection Regulation. However, in view of the specific nature of the processing, as the ITU has specifically done, additional information should be provided to the data subject (s) to ensure the transparency of the processing.
Overall, the Danish Data Protection Agency finds that the ITU has provided the examinees in the subject “Algorithms and Data Structures” with information on the processing of the examinees' personal data in connection with the use of ProctorExam in accordance with the Data Protection Regulation.
Particular emphasis is placed on the fact that the examinees in the subject "Algorithms and Data Structures" in connection with the exam have received a letter of information, which specifically describes the processing of personal data about the examinees, which is made in connection with the use of ProctorExam, and that this letter has had a special focus on providing the target group - the examinees - with the information in a concise, transparent, easy-to-understand and easily accessible form and in a clear and simple language.
The Authority has also emphasized the information provided by the ITU that students at the ITU at the start of their studies receive a copy of the ITU's general disclosure letter, which contains general information about the ITU's processing of personal data about the students in connection with the students' education.
The general disclosure letter is also available on the ITU's communication platform, which students can access on an ongoing basis.
After reviewing the information letters, the Danish Data Protection Agency can state that the ITU has predominantly provided information on the processing of personal data in question in a concise, transparent - and for the target group - easy-to-understand and easily accessible form and in clear and simple language in accordance with Article 5 (2) of the Regulation. . 1, letter a. Regardless of the fact that the searches made are made by recording the screen, the Data Inspectorate finds, however, that it would have been more correct for the ITU to have informed the examinees that during the examination a search history is also made,
The Danish Data Protection Agency also recommends that the ITU clarifies the need for and encourages the examinee to take measures to avoid unintentional sharing of information, including information about others or information covered by Article 9 of the Regulation, cf. Art. 5 pieces. 1, letters a and c.
Finally, the Danish Data Protection Agency recommends that the ITU provide the examinees with guidance on how the examinees can independently configure the individual browser solution - in this case Google Chrome - so that the browser solution can be set up for data protection, in accordance with the principle in Article 25 of the Data Protection Regulation.
3.3. Precautions
Article 5 (1) of the Data Protection Regulation Article 1 (1) (f) provides that personal data must be processed in a way that ensures adequate security of the personal data in question, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ( "Integrity and confidentiality").
It also follows from Article 32 of the Regulation that the controller and the processor, taking into account the current technical level, the implementation costs and the nature, scope, coherence and purpose of the processing in question, as well as the risks of varying probability and seriousness of natural persons' rights and freedoms. and organizational measures to ensure a level of security appropriate to these risks.
In addition, Article 35 of the Data Protection Regulation states that, prior to processing, which is likely to involve a high risk to the rights and freedoms of natural persons, the data controller shall carry out an analysis of the impact of the data processing activities envisaged on the protection of personal data.
The Danish Data Protection Agency finds that ITU's processing of personal data through the use of ProctorExam has taken place within the framework of Article 5 (1) of the Data Protection Regulation. Article 32 (1) (f) and Article 35.
In this connection, the Danish Data Protection Agency has emphasized the information that the ITU has carried out a risk assessment in relation to the processing activities in question, and what risks these activities posed to the data subjects' rights and freedoms. According to the assessment, the treatment activities generally posed a low risk to the examinees' rights and freedoms.
Based on the information provided to the Authority, there is no basis for overriding the assessment that the risk must be considered low.
The Danish Data Protection Agency has also emphasized that the ITU has examined the market for solutions that enabled the examinees to supervise during the examination in the subject "Algorithms and Data Structures", and that the ITU has chosen the solution (ProctorExam) that immediately performs the least intrusive processing of personal data and at the same time enables the purpose of the treatment to be met.
ProctorExam only makes recordings during the exam, and the solution, which is an "extension" to Chrome, does not require more permissions for the examiners' computers than is relevant and necessary. In addition, the solution is easy to install and uninstall.
Furthermore, the recordings are continuously transmitted from the examinees' computers encrypted, using protocol TLS 1.3 with X25519 and AES-GCM-128. The same applies when the recordings are subsequently to be accessed by the relevant staff.
Finally, the recordings are stored within the EU on servers in Frankfurt, and the recordings are only stored for 21 days. The footage is "at rest" encrypted by Amazon S3 server-side encryption, AES-256.
Finally, the Danish Data Protection Agency has emphasized that the ITU has limited access to the recordings in question to what, in view of the number of examinees and the retention period, must be considered necessary. The access for the authorized employees takes place on the employees' local work computers via a web interface, and the transmission of data is also encrypted here using the above-mentioned protocol.
In conclusion, the Danish Data Protection Agency notes that it is regrettable that there is no two-factor authentication for access control. However, the Authority has noted that it was in demand by the ITU and that the ITU has taken relevant steps in relation to password security to address this shortcoming.
The Danish Data Protection Agency's perception of the choice of the IT solution for monitoring examinations is based on the fact that ITU has configured the browser extension in question in such a way that information about the examinees, including search history that is not relevant in relation to examination monitoring, is not passed on. to Google.
In this connection, the Danish Data Protection Agency generally encourages the data controller to choose the most privacy-friendly solution, for example when choosing a browser, cf. the principle in Article 25 of the Data Protection Regulation.
In summary, the Authority's assessment is that the ITU's processing of personal data through the use of ProctorExam has taken place within the framework of Article 5 (1) of the Data Protection Regulation. f, Article 32 and Article 35.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).
[2] Act No. 502 of 23 May 2018 on supplementary provisions to the Regulation on the protection of natural persons in connection with the processing of personal data and on the free movement of such data / the Data Protection Act).