CyAN Guidance on Use of Invigilation Software by Educational Institutions

Intended audience: Educational institution decision makers and policy makers, CISOs, professional IT/Cyber associations, student bodies, educator bodies,  parent bodies, vendors, suppliers / International / allowing localized translation

A           Having regard to the following factors:

1. The COVID-19 pandemic has increased the pressure on educational institutions and students to maintain course progress in circumstances where social distancing has been imposed.

• Resource issues and time pressure to deploy may impose limitations on normal assurance process for alternatives such as software based arrangements for remote supervision.

• Educational institutions may be left to rely substantially on vendor assurances. Vendor terms may disclaim liability relying on “own risk” provisions; students may bear ultimate risk.

• For some students, circumstances (impracticability of deferral, absence of alternative assessment options) may oblige them to use invigilation software.

• Privacy concerns have been raised by students and professional civil societies, however the capacity for developing detailed privacy impact assessments may be limited.

• Educational institutions are targets for sophisticated attack groups. Prior attack history suggests motivations may include theft of strategically relevant research intellectual properties, personal- and financial data; exertion of foreign influence on students, staff.

• Educational institutions may face potential liability (legal, compliance) arising from data breach attributable to use of relevant software.

• Jurisdictional issues may affect actions taken to limit harm where data is processed, stored or backed up offshore if there is a breach.

B           We, therefore, by way of guidance, recommend the followings:

That prior the deployment of software, a risk assurance process be undertaken to assess the presence of known or discoverable vulnerabilities and impacts, including on rights and freedoms. This would be part of or prior to a wider privacy impact  and risk assessment undertaken by the educational institutions.

              By this means, assess:

1. The presence, nature, extent and management of vulnerabilities and impacts.

• If vulnerabilities or impact exist, who should assume risk; can the risk be insured?

• Where vulnerability or impacts such as privacy breach is suspected, what options exist for educational institutions and students?

       Focus questions would include:

• Is there a legal basis (e.g. law, decree) that authorizes implementation and/or use? It might refer to guarantees to be implemented.
• Is the supplier of the software transparent on implemented security and privacy protective measures?
• Is there a duty to inform the vendor, the suppliers, the students (parents/caregivers) and the administrators?
• Is there a duty, recommendation or practice commanding to inform and/or take the advice of the data protection authority (depending on the legal system)?
• Is prior student consent required or is there an ability of students to opt out without penalty or detriment?
• Might consent be vitiated by a lack of transparency, especially non-disclosure of vulnerabilities?
• Is patching vulnerabilities practicable in the time remaining?
• Does the collection of data and/or the impacts including on privacy exceed needs and/or benefits, and if so, is minimization practicable in the time remaining?
• In particular, does risk of cheating outweigh risk to participating student cohort and potentially, the integrity of educational institution networks.
• On the same line, do risks on privacy, on confidential information or on students’ systems supersede the benefits of purposes such as maintaining examination at the scheduled date?
• In any case, current inconvenience vs future harm should be properly assessed and risks addressed.
• Are there other less intrusive or less vulnerable options available in order to reach the pursued aim, such as is the resumption of physical exam supervision, subject to social distancing, or the creation of new forms of re-sit examinations?

• In any case, easily accessible and unambiguous usage/privacy policies shall be applied.

• Actors, means, risks and remedies and safeguards of data processing shall be fully transparent as paramount elements of the regarding policies.

• Educational institutions should obtain independent technological advice, including an independent cyber security audit.

• Educational institutions should obtain independent legal advice (especially privacy and cyber policy) in relation to the above and any contractual terms.

• The use of such technologies must also take into account broader impacts with regard to the social status of students and their access to the necessary computer networks and tools.

Jean-Christophe LE TOQUIN, President of CyAN, CEO of SOCOGI (FR)

Peter CORONEOS, Vice President of CyAN, CEO of ICONCYBER (AUS)

Dr. Greg DZSINICH, Board member of CyAN, Member of DPEG, univ. lecturer, attorney at Dr. Dzsinich Legal (HU)

Dr. Estelle DE MARCO, Member of DPEG, founder and executive director of Inthemis (FR)

Allison STANFIELD, Member of DPEG, Solicitor Director of SG Legal Services (AUS)

Dr. Matthieu CAMUS, Member of DPEG, founder of PrivacyImpact.fr (FR)

Hein DRIES, Member of DPEG, CEO of VIGILO (NL)

Graham JEFFERSON, CEO of NTT Communications (AUS)