SMOWL data protection

Data protection in business environments is carried out for a dual purpose: to comply with privacy regulations and to keep the brand reputation intact, taking care of sensitive customer information.

At Smowltech, it is clear to us that responsibility, protection, and transparency are the basic pillars of our activity since we became part of the new educational technologies. These three principles have always conditioned the design of our SMOWL proctoring tool and subsequent improvements. 

With each development, we aim to achieve:

• Be an effective and unobtrusive online assessment tool without collecting biometric or sensitive data. 
• Comply with Spanish and European data protection. 

What is data protection?

According to the Bussiness Cambridge Dictionary, data protection is: 

“methods and rules by which personal or official data (= information) that is provided to organizations, etc. is prevented from being wrongly used or made public” and also the “laws and regulations that make it illegal to store or share some types of information about people without their knowledge or permission.”

This definition leads us to current issues such as the processing of information or the right of access, rectification, and cancellation of data. 

What is our data protection protocol?

The technical and legal requirements must satisfy customers (universities, training centers, and companies) and users (students and employees). We do this with seven steps:

1. We comply with the law

Of the fundamental rights in the matter at hand, two legislative references that we comply with SMOWL following our geographical scope are echoed:

• Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016.
• The Organic Law 3/2018 of December 5, 2018, on the Protection of Personal Data and Guarantee of Digital Rights in Spain. 

Both regulations ensure the protection of citizens’ private information.

2. We conduct an impact assessment

As indicated by the Data Protection Regulation (GDPR) in Article 35, we carry out an impact assessment and monitoring on the protection of the small data we handle during supervision. 

3. We assign a data protection officer

Our delegate fulfills all the functions stipulated by the RGPD. He is a Computer Engineer with a Master’s Degree in Information and Communications Technology Security. In addition, he has legal training in data protection.

4. We are transparent

We comply with the requirements of clarity of information with customers and, if necessary, with the users of proctoring following articles 12 and 13 of the GDPR. 

In this way, we inform about which essential data we process, the data’s purpose, and how our IT system works.

5. We preserve users’ rights

We do it based on the premise that the technology must respect the principles of legality, necessity, proportionality, and data minimization.

6. We record the activities and the processing of information

We collect the purpose, type and length of time we keep the minimum data, which, in the case of the student, is anonymous because it is associated with an alphanumeric code and not with their nominative identity. 

7. We reinforce security in an extra way

Following the principles of Amazon Web Services (AWS) and keeping an annual external audit to ensure online data protection.

We comply with everything and everyone

With the SMOWL proctoring system, we achieve three objectives at the same time:

• To provide an educational solution in distance assessments. 
• Generate a positive user experience. 
• To guarantee regulatory legality and information transparency.

In this way, we follow a data protection and privacy protocol that keeps these points in harmony, thus putting in front an effective software for the training entity and usable for the student while complying with state regulations. 

And we do this with different types of monitoring.  

Webcam monitoring

Our system does not capture videos but rather spot images used to verify the student with the “one-to-one” system through artificial intelligence. 

What does this mean? According to the Spanish Data Protection Agency (AEPD), in report 0036/2020, facial recognition techniques with biometric identification are a particular category in the case of biometric identification (one-to-many) but not in the case of biometric verification or authentication (one-to-one).

Our software performs facial recognition to verify that the person in front of the camera is the same person who initiated the test. Consequently, the system does not identify the individual at any time compared to other identities (one to many). 

In this way, with SMOWL’s data protection protocol, we guarantee what we stated at the beginning of this post:

• Do not store biometric or sensitive data.
• Comply with users’ rights through an algorithm that detects the incidence (without human mediation). 

Desktop monitoring

We review the user’s actions on the computer only for the test duration and without the need to access private information on the user’s device. In this way, we maintain online data protection.

Audio capture

If our system detects an unusual sound, it automatically registers it as a possible incident for the educational entity to evaluate. In no case is it our responsibility to do this. 

Conclusion

Technology is advancing by leaps and bounds and can sometimes conflict with individuals’ rights and data protection. For this reason, vigilance is necessary to ensure that new online tools and the fundamental rights of citizens coexist in harmony. 

Human control is responsible for this. We are referring to computer scientists, legislators, and delegates, who create advanced tools and, at the same time, control mechanisms for these tools to ensure compliance with legal rights. 

This shows that the use and responsibility of people is and will be fundamental in the face of the sieves that technical innovation sometimes has.