PI21-00001

Collection: Privacy Reports
Date:
File Numbers: PI21-00001
Adjudicators: Patricia Kosseim
Decision Type: Privacy Complaint Report
Applicable Legislation: FIPPA - Regulation 460; McMaster University Act

The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a complaint about McMaster University’s (McMaster or the university) use of Respondus exam proctoring software under the Freedom of Information and Protection of Privacy Act (FIPPA or the Act). The software comprises two programs. Respondus LockDown Browser limits what users can access on their computers and Respondus Monitor analyzes audio and video of students during the exam to scan for possible cheating. The complainant did not want the IPC to provide their name and complaint to the university, so the IPC opened this Commissioner-initiated complaint to address the university’s use of this exam proctoring software.

This report concludes that conducting exams and appointing examiners is a lawfully authorized activity of the university. Proctoring exams online to ensure their integrity is an appropriate component of conducting certain types of exams and is therefore also a lawfully authorized activity. On the question of whether the collection of personal information through the use of Respondus exam proctoring software is necessary to proctor exams, I find that Respondus LockDown Browser collects little personal information, and only collects and uses what it needs to function. Respondus Monitor collects more sensitive personal information, including biometric information, and uses artificial intelligence (AI) technology, which carries heightened concerns. Because the personal information collected by Respondus Monitor on behalf of the university is necessary for that tool to fulfill its function of exam proctoring, it is authorized under section 38(2) of the Act. However, the university has not provided adequate notice for its collection of personal information as required by section 39(2) of the Act and the use of students’ personal information through Respondus Monitor is not in compliance with section 41(1). Moreover, the current contractual arrangement between the university and Respondus is contrary to section 41(1) of the Act in so far as it does not adequately protect all of the personal information collected and allows Respondus to use personal information for system improvement purposes without the consent of students.

In this report, I make a number of recommendations for the university to bring itself into compliance with the Act. Given the heightened risks associated with AI technologies, I also recommend that the university adopt additional guardrails around its use of Respondus Monitor and incorporate these stronger protections into its ongoing use of the software and any future agreement with Respondus.