In September 2021 the Italian Data Protection Authority (DPA) fined Luigi Bocconi University €200 000 for using Respondus, a proctoring software, without sufficiently informing students of the processing of their personal data and, among other violations, for processing their biometric data without a legal basis. Bocconi is a private University based in Milan and during the COVID-19 pandemic introduced Respondus tools to monitor students during remote exams.
Respondus offers two different modules: Lockdown browser and Respondus Monitor. The former prevents a student from using their computer as usual, meaning, for example, that the person cannot open other programs. Respondus Monitor checks that the person in front of the screen is the one who should be taking the exam, in order to prevent someone else from replacing the student or passing notes. To do this, the software uses algorithms that analyse the biometric data of the person’s face in order to confirm their presence, and it also records keystrokes, mouse movements and the duration of the exam. After processing the data, the software sends the professor a report showing the student’s image for identification purposes and alerts about any anomalies, with details on the reason for each alert.
The University initially tried to walk back what it had stated in its own privacy policy, claiming that no biometric data was processed given that the only identification happening was the one concerning the initial picture taken by the software and used by an operator (in this case the professor) to confirm the identity of the student. This did not match the real functioning of the system. In fact, in its decision, the DPA says that Respondus declared that its software creates a biometric template to monitor the presence of the same person in front of the screen throughout the exam. For this reason, the “software performs a specific technical processing of a physical characteristic of the persons,” says the DPA and, currently, in Italy there is no legal provision expressly authorising the processing of biometric data for the purposes of verifying the regularity of exams. The DPA also highlights that, considering that the processing was carried out by the University for the purpose of issuing degrees with legal value and the specific imbalance in the position of students with respect to the University, consent does not constitute the legal basis of the processing nor can it be considered as freely given.
In addition, the DPA considers the functionalities of the ‘Respondus Monitor’ component as a “partially automated processing operation for the analysis of the behaviour of the data subjects, in relation to the subsequent assessment by the teacher,” and this “gives rise to the ‘profiling’ of the students.”
This processing of personal data, according to the DPA, may have an impact on the emotional and psychological sphere of the persons concerned which “may also derive from the specific functionalities of the supervision system, such as, in this case, facial recognition and behavioural profiling, with possible repercussions on the accuracy of the anomalies detected by the algorithm and therefore, indirectly, also on the overall outcome of the test.”
Bocconi is not the only Italian University using proctoring software. In June 2020 in Italy there were at least ten Universities using (or planning to use) similar tools such as Proctorio, ProctorExam, and Safe Exam Browser. The Authority’s decision would prohibit other Italian Universities from using software similar to Respondus that collects and processes students’ biometric data.
Despite this pushback on student monitoring, this decision also reminds us that biometric surveillance is increasingly expanding into every sphere of our lives and the only solution is to call for a ban on these technologies.
Contribution by: Laura Carrer, Research and Advocacy at Digital Rights Unit, Hermes Center & Riccardo Coluccini, Reclaim Your Face national campaign contributor.