There has been a massive shift to online learning over the past decade – for everything from worker health and safety training to post-secondary student exams, and that has led to increasing use of remote monitoring. When not managed well, the use of tools to monitor trainees and students has raised a host of privacy concerns.
To ensure learners are actually taking the training and are engaged, industry leaders are using processes or technology that can verify identity and monitor their participation.
In a typical remote monitoring process, the learner accepts a privacy agreement, authorizing use of the camera and/or microphone on their computer. The learner is asked to accept the privacy agreement to ensure they understand what data is being collected and why.
Test-takers hold government-issued ID up to their computer camera and allow their face to be photographed. Then the entire time a person is taking a course or test, the camera is used to ensure, among other things, that it’s still the same person in the same location, and that they’re not being coached by someone else.
This helps confirm training/testing standards are met, but critics fear there’s potential for abuse. Insecurely stored data could be shared, stolen and monetized.
“How does a person know their information is being protected?” asks Edmonton-based lawyer Samantha Kernahan, who points to federal privacy legislation.
“Any exposure of that data to a third party outside of the person who collected it engages our privacy statutes in Canada,” Kernahan said.
But Canada’s standard of privacy protection is well below that of the European Union, experts say. The EU has taken world leadership in the protection of personal privacy, says Ann Cavoukian, expert-in-residence at Ryerson University’s Privacy By Design Centre of Excellence. Cavoukian created the concept of “privacy of design” (PbD) at her kitchen table 20 years ago and she’s pleased to see the idea incorporated into EU regulations.
The EU’s General Data Protection Regulation (GDPR), which came into effect in 2018, “raised the bar so high, countries around the world are scrambling to catch up,” she said. It’s far ahead of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which came into effect in 2000 and is in serious need of an overhaul.
One of the GDPR requirements that’s challenging organizations is the concept of “privacy as a default setting.” This concept posits that an individual should not need to take measures on their own to protect their privacy – the privacy protection is built into the system, as the default.
Here are two examples of training organizations using different approaches to address these privacy concerns:
Smart Serve Ontario is a not-for-profit organization that provides training and certification for anyone serving alcohol in a business.
It validates online training participants by using a third-party service provider. This third party doesn’t provide Smart Serve access to the government-issued ID of learners that’s used to validate learner identity, nor any video or images of learners, so long as the learners comply with participation standards.
The third party keeps the limited data it has on Canadian servers. It immediately deletes the ID image and all video/imagery of compliant learners after the training or testing is complete. The approach is very much line with the concept of “privacy as a default setting.”
Energy Safety Canada (ESC), a non-profit safety organization for the oil and gas industry in Canada, offers a variety of online courses for workers. Much of the training ESC provides is a job requirement.
The third-party technology provider that ESC uses also captures ID and participation of online learners. But – unlike Smart Serve’s provider – it then shares this information with ESC through server transfers. The problem is that servers they use are in the United States and thus could be accessed legally by the U.S. government under authority of the Patriot Act.
Users seeking to protect their privacy would need to make a formal demand to ESC to have their data deleted from ESC servers. They would also need to make a similar demand to the third-party technology provider.
Like a number of other companies, ESC relies on learner verification/monitoring companies that operate in countries with privacy standards well below the EU’s. Those countries range from the United States to Asia and even Eastern Europe.
ESC CEO Murray Elliott confirmed that Proctorio is the third-party firm that monitors the organization’s online courses where monitoring is required. Proctorio has offices in the U.S., Germany and Serbia.
Elliott says the test-taker’s personal information stays with ESC and Proctorio “doesn’t store any information.”
“At the discretion of the exam administrator, this may include a scan of your surroundings and computer display,” it states.” The company advises, “To use the Services, however, we may be required to collect personally identifiable information, such as your name, email address, phone number, and institution.”
Proctorio advises learners who are taking training for employment purposes: “If you do not wish for your Personally Identifiable Information to be used as described in this Section, you should not use the Services.”
Cavoukian could not comment on a specific company and was unaware of Energy Safety Canada’s practices. But she said any circumstance in which a trainee is required to take training to retain or gain employment should not force a learner to give up privacy rights.
“That’s appalling,” says Cavoukain. “They shouldn’t have to forego their privacy to take an exam.”
Elliott says that if an employee opts out of a proctored ESC course or test, they can go to one of their provincial locations and take the course in class. In some cases, however, such travel is costly or logistically difficult to arrange.
Dan MacDonald is head of BIS Training Solutions, a company that provides online and in-class learning and compliance health and training courses for dozens of major companies. He says BIS uses Integrity Advocate, a third-party technology provider that verifies learner identity and participation while ensuring learning privacy is protected.
Integrity Advocate uses a process similar to that used by PayPal and states: “We only get the information we absolutely require and for the majority of learners that comply with participation standards that is only one image of the user’s face,” said MacDonald.
Integrity Advocate’s solution was built on the privacy by design principles and complies with GDPR standards. The company stores data in Canada and immediately destroys all data collected during a compliant learner’s session, except one image.
To Cavoukian, anyone who submits to online monitoring that doesn’t meet or exceed the EU’s GDPR standards won’t be protected. She says upgrades to Canadian privacy laws are needed and were promised by the Liberal government. But the initiative has been sidelined with an imminent federal election.
Until those changes come about, the onus is on individual training providers to show they’re taking the necessary steps to protect the privacy of learners.