IRIS Invigilation Privacy Policy
IRIS Invigilation values the privacy of its users and is committed to handling their data responsibly and securely.
We will never sell any collected data to external parties. All recordings and personal information are solely used for invigilation purposes.
All staff and contractors working under IRIS Invigilation must comply with Australia’s Privacy Act and this policy.
This policy explains how IRIS Invigilation gathers, manages, stores and discards the recordings and personal information collected through our browser extension and website.
Information We Collect
User information requested prior to the start of invigilation: When the extension is triggered upon accessing the online exam, the student will be required to enter details such as full name and student ID. This is used only so that the assessor can confirm that the correct student is sitting the examination. The extension requests microphone and webcam permissions at this initial stage so that the invigilation can be fully performed; the audio and video are processed on our servers to catch any suspicious activities and can be reviewed by the assessors.
A photo of the student’s ID is also taken at the next step. The photo is used to match against the person who is shown on the webcam to make sure no other person is sitting the exam in place of the student.
As the invigilation commences, the extension will request to share the student’s screen, which it will start capturing. Throughout the online exam, the audio, webcam and screen will be recorded in accordance with the client institution’s examination regulations and uploaded to IRIS Invigilation’s AWS servers for processing and review.
Log data is also captured while the extension is running, including information such as IP address, web browser and version, timestamp, and any errors encountered during the interaction. These details are only used for troubleshooting and maintenance purposes.
Other hosting regions for data are available for a client upon request, but by default all data is stored and processed in Sydney, Australia.
Data Retention
All student recordings are kept on the IRIS Invigilation storage servers for 1 year. Following this period, the client institution can decide to keep copies of the data for safekeeping. IRIS Invigilation will not be held responsible for any mishandling of the data once the recordings are collected by the institute.
Security
Enterprise-grade security measures are in place to make sure the IRIS Invigilation servers are protected against data theft or accidental loss. All outgoing and incoming data is transmitted via an encrypted (HTTPS) protocol. Firewall and IPS protection have been implemented to prevent attacks, and root access to the servers is only permitted via AWS security groups.
Monitoring applications keep logs of any suspicious activities, and administrators are notified immediately once such activity is detected.
Daily snapshots of the servers are taken for disaster recovery and to recover from any accidental deletion of data.
IRIS Invigilation Security Policy
Network security and configurations to prevent or minimize possible cyber attacks
AWS requires all resources to be assigned “security groups”. These are virtual firewalls that can control what instance ports are accessible, and who can access them. IRIS has a range of required ports open to facilitate the connections between the student, school administrator, and the back-end facilities such as the database, file server, and facial processing resource. This firewall has been fine-tuned by the IRIS technical team to ensure that only authorized IP addresses can access the appropriate resources. You can read more about AWS security groups here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
In addition to the above, all IRIS traffic is routed via HTTPS (TLS). This protocol is designed to provide a private and secure connection between both sites prior to transmitting data and maintains data integrity for all IRIS connections.
Firewall management and Intrusion Prevention Systems (IPS) in place
This area is similar to the network security concern above. The AWS virtual firewall is already in place to restrict and mitigate any attempted intrusions. As an additional security measure, the IRIS management dashboard will only be accessible from the client’s IP address.
Information security monitoring and logging
IRIS has a series of alerts set up on the servers to indicate any unusual activity. These are facilitated via the AWS service CloudWatch, which keeps a log of all traffic to assess what is defined as “unusual activity”. Non-repudiation is also key to ensuring a secure environment, so IRIS implements logging on varying levels: the students, the administrators, and the servers. If required, we can facilitate an audit of any activity by a user or malicious entity.
Virus protection measures
As mentioned in the previous point, alerts are currently in place to automatically assess any malicious activity. As an additional security measure, we are in the process of implementing a comprehensive anti-virus platform that will scan and monitor all file activity within the servers. Any unusual activity will be identified, and server administrators will be notified to act accordingly.
IRIS will not be liable for any viruses or malware on the end-user’s computer. The plugin is scanned consistently by the Google Chrome webstore to identify if any code within the IRIS extension installed on the end-user’s PC is malicious. With regards to the IRIS management dashboard, there are no functionalities that need files to be uploaded to the system. This ensures that no virus from the end-user’s system can be uploaded to the server and vice versa.
All computers used by the organization are protected by industry-grade endpoint protection. Vulnerabilities are stopped as they are detected. The system administrator is also notified in real-time to assess that the situation has been properly rectified.
Information back-up and recovery measures – Disaster Recovery Plans to ensure business continuity management
For instant disaster recovery, IRIS takes daily AWS Snapshot backups. This enables the tech team to instantly restore to a previous day in the event of a major system disaster. Currently, IRIS only preserves a rolling 3 days’ worth of AWS snapshots, but we plan to eventually expand it to 7 days of retention. To further expand on this, we are also looking at avenues for institutes to download their student data in bulk.
An option that clients can pursue is to have an AWS account they host to contain all the recordings and database records generated by IRIS. From there they can host their student data, while we host the actual IRIS software itself.
Information security incident management
In the unlikely event of getting hacked, we would lock down all ports, shut down any data flowing in and out of our servers, and conduct a forensic examination of the server to identify where a compromise or incident took place. Our chief of security would perform a thorough investigation and assess avenues to restore service as quickly as possible. We would also patch the system accordingly to ensure the cause of the incident doesn’t occur again. To minimize downtime, we would spin up a parallel cloned instance that is safe for the client to use. A thorough investigation will be done on the infected instance.
Physical security controls and secure areas used to minimize possible unauthorized access to the information stored in their system
Physical security is facilitated by Amazon Web Services (AWS). AWS implements a range of comprehensive security initiatives to ensure that data is protected against external threats. You can read a full breakdown of the physical security measures in place here: https://aws.amazon.com/compliance/data-center/controls/
As noted above, our strict IP whitelisting of IRIS services ensures that IRIS data can only be accessed from locations allowed by the organization.
Protection of the privacy of the students – protection of personal information in line with the Data Protection Laws applicable to their country
The privacy of students is mandated according to Australian privacy legislation and regulation. AWS is an international organization, but we use their Sydney hosting for all processing and storage of student data. IRIS does not sell or use any student assessment data; only IRIS technical administrators have access to this for maintenance and security purposes.
Australian privacy restrictions are some of the most comprehensive and protective for students. We pride ourselves on stringent compliance with the legislative and regulatory bodies in Australia to ensure that both our students and administrators are protected against.
Depending on the needs of your institute, we can work closely to assess any concerns and see if we can accommodate them.
Measures over Disposal of ICT Assets to ensure that the information which was contained in those ICT assets is not compromised
AWS facilitates this. We facilitate the disposal of recordings after a year. After a month of contract cancellation, we will wait a month, and then we will delete the instance and all institute data. Upon request, we can delete any outstanding data on the server.