CNPD (Portugal) - Deliberação/2021/622
| CNPD (Portugal) - Deliberação/2021/622 | |
|---|---|
| Relevant Law: | Article 5(1)(b) GDPR; Article 5(1)(a) GDPR; Article 5(1)(c) GDPR; Article 6(1)(e) GDPR; Article 6(1)(f) GDPR; Article 22 GDPR; Article 45 GDPR; Article 46 GDPR |
| National Case Number/Name: | Deliberação/2021/622 |
| European Case Law Identifier: | n/a |
| Original Source: | CNPD (in PT) |
The Portuguese DPA ordered an educational institution to stop using a proctoring app to evaluate students online due to the infringement of the lawfulness principle, the purpose limitation principle and the data minimization principle. The DPA also ordered the processor to delete all the previously stored data.
The Portuguese DPA (CNPD) received a complaint against the use of two applications ("Respondus Lockdown Browser" and "Respondus Monitor") for the online assessment of students. The applications were used by an unknown party (probably an educational institution) and developed by Respondus Inc., an American company. Respondus and the controller had concluded a data processing agreement, which formed part of the licensing contract.
Both applications could be integrated with learning platforms. "Respondus Lockdown Browser" is used to lock down the students' computers so that they cannot access any other application, while "Respondus Monitor" is used to monitor them.
Locking down the computer means that the students could neither access any other application nor use any of the computer's functions; only the application was shown, in full screen. "Respondus Monitor", a proctoring application, used the camera and video analysis techniques to monitor students. It also took photos of the students and of their ID documents, as well as images of their surroundings, and it included a facial detection check.
Monitoring is carried out every second through three vectors:
- facial, movement and light detection of the student and their surroundings
- obtaining information from the device (keyboard activity, mouse activity, hardware modifications) to identify patterns
- analysis of the students' interaction with the exam, including time counting and answer changing, as well as comparing answers between students
Although the application records video, sound recording is deactivated by default, though it can be activated by the institution. Videos are processed afterwards and run through a facial detection and recognition system to determine whether the student stayed in the same place, whether other people were present, and whether the same person started and ended the exam.
The application also monitored all the information from the device, including the quality of the internet connection and potential connection failures.
After the exam, a report was also sent to the teachers.
Students were obliged to accept the terms and conditions of the application, including terms relating to data protection.
Additionally, Respondus processes data on servers located outside the EEA and uses Amazon Web Services. The transfers are carried out on the basis of the Privacy Shield and/or SCCs.
The following categories of personal data are transferred:
- authentication data
- identification data
- contact data
- unique identification numbers and course identification
- pseudonymised identifiers
- pictures, video and audio
- educational data
- IP address
Respondus also processes random data to improve its services, and may also share it with researchers (including biometrics experts).
For this processing, the educational institution relied on legitimate interest as its legal basis, namely its interest in evaluating the performance of students in a fair and equal way. According to the DPIA carried out beforehand, the processing was necessary to evaluate students at a distance in the context of the pandemic. The controller concluded that the rights of the students were adequately protected.
The CNPD concluded, in the first place, that the educational institution was undoubtedly a controller, while Respondus was a processor.
Secondly, the DPA remarked that it had issued a recommendation on online education and evaluation, establishing that online evaluation should preferably be carried out via the institutional platform. However, the controller did not provide any explanation of the circumstances or criteria that led it to use the Respondus application.
Additionally, the DPA noted that "Respondus Lockdown Browser" can be used on its own, and that there was no need to use "Respondus Monitor" on top of it, which therefore infringed the data minimisation principle of Article 5(1)(c) GDPR. The DPA also added that leaving the use of the proctoring app, as well as some of its functionalities, to the decision of individual departments or teachers created uncertainty with regard to a very intrusive processing of personal data, and could thus lead to discrimination.
Thirdly, the DPA stated that the controller, as a public institution, should not have relied on legitimate interest but on Article 6(1)(e) GDPR, as the processing is carried out to perform a task in the public interest laid down by law. The DPA also said that, even if there were a genuine interest in such processing, its lawfulness would always depend on being able to prove that the evaluation could not have been carried out in any other way. Additionally, if relying on legitimate interest as a legal basis, the controller should have balanced the interests and rights of the students against its own.
English Machine Translation of the Decision
The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.