The Generalitat fines 20,000 euros for facial recognition for UOC exams

  • More than 31,000 university students used this system during the exams of the first semester of the last academic year in 2022

The Catalan Data Protection Authority (APDCat) of the Generalitat has sanctioned with 20,000 euros to the Open University of Catalonia (UOC) for using a facial recognition system in final exams. According to the resolution of the sanction published on the APDCat website, the treatment of the biometric data of the students is not included in any of the exceptions of the data protection regulation. The system would have used it more than 31,000 university students in the exams of the first semester of the last academic yearin January 2022. The university claims that the system is proportional and adequate to verify the identity of students.

On November 4, 2021 a person reported to the APDCat the facial recognition method for UOC exams. The system, mandatory to be able to take the exams, required that the student will capture an image of their face to then compare it with that of your ID. The photo was also used to compare it with the images that are captured while the student is taking the exam. Subsequently, and until May 2022, orafter four people filed similar complaints.

In the first instance, the UOC responded that this system helped prevent and detect possible academic fraud and that students, upon enrolling at the UOC, already knew that the exams were virtual and that these methods were used. The university also claimed that most subjects are passed without final exams and without facial recognition identification. The first time this system was used was on January 8, 2022and of the 75,000 university students enrolledless than half, 31,500 took the final exams with facial recognition.

Consent and Alternatives

Related news

The APDCat initiated a disciplinary procedure in June of last year and the university presented allegations again in July and October. The disciplinary procedure proposed a fine of 20,000 euros, in December. Data Protection has published the sanction once the reversal appeal presented by the university has been resolved, which will now resort to the contentious-administrative judicial process. In addition to the sanction, the APDCat asks the UOC to the system is not mandatory and? students are informed and offered an alternative such as face-to-face evaluation or synchronous oral evaluation. For university students who accept facial recognition, the APDCat requires that they be made to sign a explicit consent document.

The UOC says that the system is legal and confidential

The university defends the legality of this system. “This model is equivalent to teaching the DNI in the face-to-face environment,” says the university. “We don’t identify one person among many,” she adds. The data is also deleted three months after the end of the virtual tests, which are carried out once for each of the two quarters of each academic year. The university ensures that it treats the data confidentially, and that it has implemented ” adequate technical and organizational measures to guarantee its security and to prevent its destruction, loss, access or unlawful alteration”. In addition, the data is not transferred to third parties unless it is by legal obligation.