Test administrator revises measures aimed at preventing exam fraud
PIPEDA Case Summary #2010-007
June 22, 2010
An individual filed a complaint with our Office regarding the collection of fingerprints and other personal information to confirm the identity of people writing the Medical College Admission Test (MCAT). He alleged that the collection of fingerprints was unnecessary and also expressed concern about the retention and safeguarding of the fingerprint information.
The OPC’s three investigations involving the collection of biometric information for college admissions examinations (the Law School Admission Test, or LSAT, the Graduate Management Admission Test, or GMAT, and the Medical College Admission Test, or MCAT), highlight the importance for organizations offering high-stakes exams to:
- Be able to demonstrate how the collection of personal information, including biometric information, is required to meet purposes such as preserving the integrity of the exam, guarding against exam fraud proxy testing, and investigating misconduct;
- Clearly notify test-takers of the organization’s personal information handling practices;
- Collect only what is needed to achieve stated purposes;
- Limit retention for only as long as is needed; and
- Properly safeguard personal information collected.
These three cases all deal with high stakes exams that have significant consequences for individuals seeking to enter a university to pursue a specific profession.
In these three cases, the organizations either succeeded, or not, in providing persuasive evidence to our Office’s satisfaction that there was a real and demonstrable problem of fraud that had to be addressed and that the nature and extent of personal information collected and used by the organization were required to effectively curb or reduce that fraud. For example, GMAC provided evidence that attempted illegal activity and fraud had occurred on numerous occasions in the past and that its use of palm-vein scanning was effective at authenticating test takers and helping to ensure that test-takers have not previously taken the GMAT under other names.
As well, the AAMC presented compelling evidence that a serious and significant risk of fraud existed in the context of the administration of the MCAT exam, including sophisticated means developed to assist exam takers cheat on the MCAT. AAMC provided specific examples and demonstrated to our Office that the collection of fingerprints was appropriate to counter the risk of fraudulent test taking.
In the LSAT complaint, the LSAC was unable to cite concrete examples where it was necessary to review test takers’ thumbprints. Based on a lack of demonstrable evidence of the existence and extent of fraud in the context of LSATs, the then-Assistant Commissioner was of the view that fingerprinting was not necessary for effectively meeting the organisations’ stated purpose of protecting the integrity of the LSAT, nor were the prints ever actually used for their intended purpose.
As such, the collection and use of personal information, including biometric information, in varying contexts or for different types of examinations may involve different considerations as to whether doing so is appropriate under PIPEDA.
The type of technology used and the biometric information collected by the organization was also a key consideration.
In the complaint involving GMAC, that organization opted for palm-vein scanning technology which involves retaining a non-reversible numerical template as opposed to the original biometric. While the AAMC converted fingerprint images to templates for its stated purposes, it also provided a strong justification for being able to safeguard and retain the actual fingerprint images.
Ultimately, organizations offering high stakes examinations need to demonstrate that they require the requested information to meet stated purposes, and need to ensure that they collect the minimal amount of personal information.
They also need to adequately safeguard personal information, and retain such information for a reasonable length of time.
The Association of American Medical Colleges (AAMC), which operates the examination, stated that the collection of fingerprints was necessary to ensure the integrity of the MCAT exam by preventing proxy test taking and other exam misconduct.
The AAMC, through a third-party contractor, collected digital fingerprints and other personal information from MCAT candidates. Although the fingerprints were converted into a digital template, the AAMC retained the actual fingerprint images to maintain the integrity of its fingerprint database.
Our investigation into the matter related to notification of purposes, collection, retention and safeguards.
Based on the information provided in the course of the investigation, the Assistant Commissioner was of the view that there were less privacy-invasive means to meet the AAMC’s purposes. As well, the Assistant Commissioner was of the view that the AAMC was retaining the information it collected for too long, and that the AAMC needed to maintain an information security program and continue to protect information through its contracts with third-party service providers.
In response to our Office’s Preliminary Report of Finding, the AAMC stated that it would make certain changes, including clarifying notices to test-takers about the collection of personal information. It also agreed to limit retention of the personal information it collected on test day to 5 years, and agreed with the OPC’s recommendations on the issue of safeguards.
However, it stated that it would not stop collecting fingerprints from candidates, their photographs, as well as a scan of their driver’s licenses. As well, it stated that the actual fingerprint images were needed in case the template became corrupted.
Our Office, therefore, concluded that the matter remained well founded with respect to the collection issue.
As a result, the Privacy Commissioner initiated a Federal Court application seeking an Order directing the AAMC to find less privacy-intrusive means to ensure the integrity of the examination.
During the course of the application and during mediation discussions, the AAMC presented further evidence and arguments related the extent of the problem of proxy test-taking and other types of exam misconduct, and the need for measures to reduce the risk of fraud.
The Privacy Commissioner was ultimately satisfied that the evidence showed that a serious and significant risk of fraud existed in the context of the administration of the MCAT exam, requiring that the AAMC be permitted to collect and use a limited amount of personal information for the purposes of protecting the integrity of the MCAT, guarding against proxy testing, and investigating misconduct during the MCAT exam.
Following court supervised mediation discussions, the Privacy Commissioner and the AAMC agreed to a resolution that resulted in a settlement of the issues raised in the application.
The AAMC agreed to limit the personal information it collects. In particular, the organization agreed it would stop recording information from government identification documents presented to confirm a test taker’s identity. It may continue to validate an identification document using an electronic swipe to confirm that the document conforms to known templates.
The AAMC also agreed it will only collect and retain this fingerprint information in digital format. All digital fingerprint images collected will be converted into unique digital templates composed of a string of alpha/numeric characters and will be held securely.
The personal information collected from test takers will be retained for a maximum of five years.
The Commissioner was satisfied that this outcome effectively addressed concerns with respect to both privacy and AAMC’s need to protect the integrity of the high-stakes MCAT exam.
In recent years, the Office of the Privacy Commissioner has also conducted investigations involving the collection of the personal information of people taking two other well-known college admission tests.
The investigations examined complaints about the collection of personal information from people taking both the Law School Admission Test (LSAT) and the Graduate Management Admission Test (GMAT).
LSAC Investigation (2008)
A complainant objected to the requirement that students enrolled at Canadian universities be fingerprinted in order to write the LSAT.
The test’s creator, the U.S.-based Law School Admission Council (LSAC), stated that the purpose for collecting thumbprints was to assure the authenticity of test scores and to protect the integrity of the testing process.
It acknowledged, however, that its primary purpose was to deter proxy test-taking. Although the company stated that it would use the prints in cases of suspected impersonation, it acknowledged that there had been no cases in which it was necessary to review a test taker’s thumbprints.
The OPC was of the view that fingerprinting did not effectively meet the stated purpose, nor were the prints ever actually used for its intended purpose. This had the effect of making the loss of privacy greater than the benefit gained.
We recommended that LSAC stop collecting fingerprints from students in Canada. The company agreed to do so, but stated that it would instead collect photos of test takers. Moreover, it reserved the right to reinstate its fingerprint policy at any time.
Our Office concluded that collecting photographs was less privacy intrusive than collecting fingerprints, and, in this case, did not contravene PIPEDA. As a result, the matter was considered resolved.
GMAC Investigation (2011)
A woman objected to having her palm scanned before writing the Graduate Management Admission Test (GMAT) and filed a complaint with the OPC.
The Graduate Management Admission Council (GMAC) is the owner and administrator of the GMAT. Via a third party contractor, GMAC authenticates test-takers using palm-vein scanners that identify the vein patterns beneath the skin of an individual's hand. Using this technology, palm vein scans are immediately encrypted into numerical templates which are securely stored separately from any other identifying information. These templates cannot be reversed and no raw biometric data is retained in GMAC’s records.
GMAC said it began looking for an alternative to a previously used digital fingerprint identification system in 2006, in response to concerns about fingerprinting expressed by students, data-protection authorities and some test centre personnel.
As well, the organization maintained that checking identification cards is not fully reliable because fraudsters will go to considerable lengths to physically resemble and impersonate others.
GMAC persuasively demonstrated that, in the context of GMAT test-taking, attempted illegal activity and fraud had occurred on numerous occasions in the past, particularly involving “professional test takers” who would take the GMAT several times under various names. Our Office also found that GMAC’s use of palm vein scanning technology was effective in authenticating test takers and by extension routing out fraudsters, was not overly privacy-invasive, and was proportionate to the benefits gained.
Our Office concluded that the complaint was not well founded.
*Note: This case summary was previously published in an anonymized form in the OPC’s 2011 Annual Report on PIPEDA.
For further information about the investigations related to the LSAT and GMAT exams, please see:
- PIPEDA Case Summary #2008-389: Law School Admission Council Investigation
- PIPEDA Case summary #2011-012: GMAT Test-taker Objects to Palm-Vein Scanning
- Date modified: