Eve Goode, Digital Content Editor speaks with Dr James Gupta, CEO of Synap about the use of AI in online examinations.

Why is it now necessary to implement surveillance when students take online exams?

The simple answer to this, and one which I think everyone including students can rally behind, is that unsupervised online exams are not fair to students.

The incentive to cheat in exams has always been there, regardless if it’s paper or digital.

But the opportunity to cheat that AI provides represents a fundamental and permanent shift in the equation.

If an exam is important, then students will be more tempted to cheat.

However, if the exam is unmonitored, then there is no incentive not to, this penalises honest students and rewards dishonest ones.

It puts the honest students who are acting with the most integrity, at the greatest risk of failing, which is an absurd and inherently unfair situation.

Surveillance in online exams is also crucial because even in a scenario where no student uses AI to cheat, if this cannot be demonstrated with any degree of confidence, then the integrity of the exam is difficult to prove and the credential and institution as a whole is undermined.

Where should institutions draw the line between exam security and student privacy?

I think the level of security needs to be proportionate and justifiable.

The specific decision around the ‘correct’ or appropriate level of security will change depending on the exam and also, how AI and related technologies evolve, but there are certain principles and best practices which should always be adhered to.

The most important thing, in my opinion, is transparency.

Companies involved in delivering online exam security should be very up-front with institutions and candidates about how and why their data is being used, and who has access to it.

This is a widely accepted idea across most online platforms which was formalised with the adoption of the GDPR and similar laws in other countries, but I think when it comes to exams this importance of this cannot be overstated.

Institutions should really see GDPR as the minimum baseline and strongly consider going further to communicate this to students, because of the high-stakes nature of exam delivery and the kinds of sensitive data being collected and stored.

As a simple, but very practical suggestion, in addition to the standard and required legal documents such as Privacy Policy and Data Processing Agreements, I think companies operating in this space should publish a Candidate Guide, which explains in very simple, plain language how an online exam platform operates, what data it gathers and for whom.

This increases transparency and reassures students that they aren’t being unfairly monitored during an exam.

Are highly intrusive proctoring methods proportionate to the actual risks of online cheating, particularly when balanced against privacy, ethics and data protection concerns?

This is an important question which should be assessed on a case by case basis, taking into account the nature of the exam in question.

In the context of a high-stakes exam, even taking place in-person, students would generally be expected to consent to some temporary restrictions like handing in their phone, showing their ID, not talking or wearing headphones etc.

The same logic also applies to online exams. However, moving online often removes nuance and grey areas.

Suddenly, widely accepted security practices that we’ve been doing for years, need to become formalised.

I think we’re now going through that process of taking a complex process with different competing interests, and codifying those rules so they work safely in digital environments.

In terms of the ethics and data protection concerns, this is a very important question and I think the underlying principles of the GDPR are very relevant here, though given the unusually data-intensive and high-stakes nature of exams, vendors and institutions should go beyond this.

In the near future I believe the industry and sector as a whole will arrive at a set of generally agreed best practices and principles for balancing exam security and privacy which build on top of these more general data protection frameworks.

What does a layered security approach to online exams look like in practice?

Layered security in online environments involves looking at the exam in its entirety and then ‘baking in’ security measures and deterrents at different parts; accepting the fact that no single method can be 100% effective, but by combining multiple different security measures you can develop security models that are proportionate and much more effective than blanket surveillance.

Firstly, the questions themselves can be designed in a way to make cheating more difficult.

For example, questions can be highly contextual and based on case studies or scenarios which are specifically made for the exam.

Then in terms of assessment design, there are various ways in which questions or options can be pseudo randomised, which makes collaboration and answer-sharing among students more difficult.

Combining clever question design with lockdown applications, ensure that the candidate takes the exam whilst their device is under restricted conditions i.e., they cannot open other windows or access the internet to help them cheat.

And finally, proctoring, uses a variety of methods to record the student’s screen, webcam and microphone, and may use human or AI-assisted reviewers to monitor the footage.

Any one of these methods in isolation is far less effective than a strategy that combines several of them.

Most importantly, when these security methods are used together to create a layered model, institutions can demonstrate they are not reliant on surveillance alone to validate student results and maintain academic integrity.

With increasing amounts of data generated through online exam monitoring, how should institutions manage this sensitive student and biometric data responsibly?

Online exam platforms collect extremely sensitive data at scale, making them a highly lucrative target for hackers. Therefore, institutions and vendors need to be extremely diligent in how that data is managed.

There are two areas which I think need particular attention.

The first is around who has access to the data, and ensuring that it is as selective as possible.

Institutions and vendors should conduct careful, regular reviews of their sub-processors to ensure each is granted only the minimum permissions required to perform their tasks.

The second is, in some sense, more challenging as it is not solely a technical question: how long should the data be retained for?

A university, for example, may have a valid justification for retaining assessment records indefinitely.

But, I think there’s a very strong argument to be made that there is a huge difference between assessment records (who achieved what grade) and the associated proctoring footage.

Accumulating years worth of biometric data seems inherently risky and I don’t think it would stand the test of proportionality and it could raise compliance issues if new legislations are introduced.

Ultimately, institutions will need to consider their data retention periods for such footage and be prepared to adopt different retention policies for different kinds of data, even if they pertain to the same underlying assessment.

How do you see online exam security evolving in the UK as technology and regulations continue to advance?

I think we will move beyond a binary “closed vs open book” assessment framework, and instead see a rise in hybrid assessments where students are allowed to use some external resources, but under restricted or supervised conditions.

Traditionally we have categorised assessments as ‘closed’ or ‘open’ books but I think with AI it creates a significant need for a type of assessment where students have access to some, but not all, online materials.

In order for this to happen, institutions will need a rethink of how these assessments are designed, what skills are being assessed and what security measures they are going to implement.

On the technological side, we’ll need to see assessment platforms which can create an effective sandbox where students are monitored, have access to a range of materials but others are blocked.

As a part of this we may see more emphasis being placed on not just the output of an exam, but the process and conditions in which the student took to deliver it.

While student privacy concerns and data management laws continue to evolve, the fundamental principle for education leaders remains the same and that should be to deliver secure online exams with the minimum level of surveillance.

This framework is not only fairer for students but also represents a more legally compliant, future-proofed exam strategy.