report

AI and privacy

Nov 5, 2024

Privacy Jurisprudence Review

McMaster University (Re), 2024 CanLII 17583 (ON IPC)

Facts

The case concerns McMaster University’s use of Respondus Monitor, AI-enabled software for online exam proctoring, and Respondus LockDown Browser, software that limits what students can access on their computers during an examination. McMaster adopted this technology during the COVID-19 pandemic to maintain academic integrity in a remote learning environment.

The Information and Privacy Commissioner of Ontario (IPC) investigated the university’s compliance with the Freedom of Information and Protection of Privacy Act (the Act), particularly regarding the collection, use, and disclosure of students’ personal information by Respondus Monitor.

Decision

The IPC found that Respondus LockDown Browser collected little personal information, and only collected and used what it needed to function. On the other hand, the IPC found that Respondus Monitor collected more sensitive personal information, including biometric information, and used artificial intelligence (AI) technology, which carried heightened concerns.

While the collection was authorized under subsection 38(2) of the Act, the IPC found that the university did not provide adequate notice for its collection of personal information as required by subsection 39(2) of the Act, and also found that the use of students’ personal information through Respondus Monitor was not in compliance with subsection 41(1).

Moreover, the IPC concluded that the contractual arrangement between the university and Respondus was contrary to subsection 41(1) of the Act as it did not adequately protect all personal information collected, and because it allowed Respondus to use personal information for system improvement purposes without the consent of students.

The IPC made several recommendations for the university to bring itself into compliance with the Act and recommended that the university adopt additional guardrails around its use of Respondus Monitor and incorporate stronger protections into its ongoing use of the software and any future agreement with Respondus.


Key Takeaway

Institutions using software such as Respondus Monitor must ensure that adequate notice is provided to data subjects when their information is being collected. They must also ensure that contracts with third-party service providers adequately protect the personal information collected, and prohibit any uses of the personal information by the service provider absent the consent of the data subjects.