Privacy Policy

IRIS Invigilation Privacy Policy

This page is a summary of how IRIS invigilation uses personal data. It is imperative that you read our Privacy Policy whilst you use our service so that there is a clear understanding about how information is used.

IRIS invigilation values the privacy of its users and is committed to handling their data responsibly and securely.

We will never sell any collected data to external parties. All recordings and personal information are solely used for invigilation purposes.

All staff and contractors working under IRIS invigilation must comply with Australia’s Privacy Act and this policy.

This policy explains how IRIS Invigilation gathers, manages, stores and discards all of the recordings and personal information through our browser extension and website.

 

What is IRIS?

IRIS invigilation is a software program that helps provide educations assurance of academic integrity during online and remote assessment. IRIS records audio, video, and computer screen activity for the duration of a test/exam. It analyses this information using machine learning and automatically flags potential academic dishonesty through displaying the data in an easy-to-use reporting dashboard.

IRIS allows students to take online assessment from their home in a secure online environment.

 

What information does IRIS collect?

1) User information requested prior to the start of invigilation: When the extension is triggered upon accessing the online exam, the student will be required to enter details such as full name and student ID. This is only so that the assessor can accurately identify whether the correct student is sitting the examination. Microphone and webcam permissions are requested by the extension at this initial stage so that the invigilation can be fully performed, which is processed on our servers to catch any suspicious activities and can be reviewed by assessors.

2) Proof of Identity: The photo is used to match against the person who is shown on the webcam to make sure no other person is sitting the exam in place of the student.

3) Screen Recording: As the invigilation commences, the extension will request to share the student’s screen, which it will start capturing. Throughout the online exam, the audio, webcam and screen will be recorded in accordance with the client institution’s examination regulations and uploaded to IRIS Invigilation’s AWS servers for processing and review.

4) Log data: This is also captured while the extension is running. It includes information such as IP address, web browser and version, timestamp, and any errors encountered during the interaction. These details are only used for troubleshooting and maintenance purposes.

5) Activity and Usage Information: This is captured for academic honesty analysis. It includes the following:

       a) Websites visited during the assessment

       b) Biometric face and voice technology 

       c) AI Usage during the assessment

       d) Any information required for equality monitoring

 

Why do we collect your personal data?

Institutions implement IRIS to ensure that students are not breaching academic integrity standards when they are taking online tests and exams.

IRIS facilitates invigilation for online students during assessments, regardless of their location and helps to ensure greater invigilation equity between online and on campus modes of study.

We only use the personal data necessary to fulfill the process required by the organization utilizing the invigilation process for academic integrity.

We will not share any personal data with any third parties for marketing purposes.

 

Use of AI Technology

IRIS uses artificial intelligence technology to detect artificial intelligence usage by individuals undertaking assessments. The only data it collects and processes are randomized screen captures to detect instances of Academic Misconduct through the use of unauthorized resources.

 

Student Rights

To the extent required by applicable law, we will provide you with the ability to access, rectify, erase, object to or restrict processing of your data, withdraw consent, be informed of the use and disclosure of your personal data, and to transfer information you have given us from one organization to another.

Please be advised you may have different rights in relation to your personal data dependent on your country of residence and the above rights may not apply or apply to the full extent in particular circumstances.

 

Who is the Controller of my Personal Data?

In most circumstances IRIS Invigilation is the controlling entity. Please note, there are circumstances where the data controller will not be IRIS in the initial instance and could be your employer or academic institution. You will be informed of this during and prior to your use of the service.

 

 

Data Retention

All the student recordings are kept on the IRIS Invigilation storage servers for 1 year. Following this period, the client institution can decide to keep copies of the data for safe keeping. IRIS Invigilation will not be held responsible for any mishandling of the data once the recordings are collected by the institute.

 

IRIS Invigilation Security Policy

 Security

Enterprise-grade security measures are in place to make sure the IRIS Invigilation servers are protected against data theft or accidental loss. All outgoing and incoming data is transmitted via an encrypted (HTTPS) protocol. Firewall and IPS protection have been implemented to prevent attacks, and root access to the servers is only permitted via AWS security groups.

Monitoring applications keep logs of any suspicious activities, and administrators are notified immediately once such activity is detected.

Daily snapshots of the servers are taken for disaster recovery or any accidental deletion of data.

 

Network security and configurations to prevent or minimize possible cyber attacks 

AWS requires all resources to be assigned “security groups”. These are virtual firewalls that can control what instance ports are accessible, and who can access them. IRIS has a range of required ports open to facilitate the connections between the student, school administrator, and the back-end facilities such as the database, file server, and facial processing resource. This firewall has been fine-tuned by the IRIS technical team to ensure that only authorized IP addresses can access the appropriate resources. You can read more about AWS security groups here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html 

In addition to the above, all IRIS traffic is routed via HTTPS (TLS). This protocol is designed to provide a private and secure connection between both sites prior to transmitting data and maintains data integrity for all IRIS connections.  

 

Firewall management and Intrusion Prevention Systems (IPS) in place 

This area is similar to the above network security concern. AWS virtual firewall is already in place to restrict and mitigate any attempted intrusions. As an additional security measure, the IRIS management dashboard will only be accessible via the client’s IP address. 

Information security monitoring and logging 

IRIS has a series of alerts set up on the servers to indicate any unusual activity; these are facilitated via the AWS service CloudWatch, which keeps a log of all traffic to assess what is defined as “unusual activity”. Non-repudiation is also key to ensuring a secure environment; IRIS implements logging on varying levels: the students, the administrators, and the servers. If required, we can facilitate an audit of any activity by a user or malicious entity.

 

Virus protection measures 

As mentioned in the previous point, alerts are currently in place to automatically assess any malicious activity. As an additional security measure, we are in the process of implementing a comprehensive anti-virus platform that will scan and monitor all file activity within the servers. Any unusual activity will be identified, and server administrators will be notified to act accordingly.  

IRIS will not be liable for any viruses or malware on the end-user’s computer. The plugin is scanned consistently by the Google Chrome webstore to identify if any code within the IRIS extension installed on the end-user’s PC is malicious. With regards to the IRIS management dashboard, there are no functionalities that need files to be uploaded to the system. This ensures that no virus from the end-user’s system can be uploaded to the server and vice versa. 

All computers used by the organization are protected by industry-grade endpoint protection. Vulnerabilities are stopped as they are detected. The system administrator is also notified in real-time to assess that the situation has been properly rectified.  

Information back-up and recovery measures – Disaster Recovery Plans to ensure business continuity management 

For instant disaster recovery, IRIS takes daily AWS Snapshot backups. This enables the tech team to instantly restore to a previous day in the event of a major system disaster. Currently, IRIS only preserves a rolling 3 days’ worth of AWS snapshots, but we plan to eventually expand it to 7 days of retention. To further expand on this, we are also looking at avenues for institutes to download their student data in bulk.

An option that clients can pursue is to have an AWS account they host to contain all the recordings and database records generated by IRIS. From there they can host their student data, while we host the actual IRIS software itself.  

 

Information security incident management 

In the unlikely event of getting hacked, we would lock down all ports, shut down any data flowing in and out of our servers, and conduct a forensic examination of the server to identify where a compromise or incident took place. Our chief of security would perform a thorough investigation and assess avenues to restore service as quickly as possible. We would also patch the system accordingly to ensure the reason for the incident doesn’t occur again. To minimize downtime, we would spin up a parallel cloned instance that is safe for the client to use. A thorough investigation will be done in the infected instance.

If the breach is highly likely to compromise the rights of an individual, we will notify the affected individual immediately, and inform any relevant supervisory authority within 72 hours of becoming aware of the breach.

 

Physical security controls and secure areas used to minimize possible unauthorized access to the information stored in their system

Physical security is facilitated by Amazon Web Services (AWS). AWS implements a range of comprehensive security initiatives to ensure that data is protected against external threats. You can read a full breakdown of the physical security measures in place here: https://aws.amazon.com/compliance/data-center/controls/ 

As reiterated from above, our strict IP whitelisting of IRIS services ensures that IRIS data can only be accessed within organization-allowed locations.

 

Protection of the privacy of the students – protection of personal information in line with the Data Protection Laws applicable to their country 

The privacy of students is mandated according to Australian privacy legislation and regulation. AWS is an international organization, but we use their Sydney hosting for all processing and storage of student data. IRIS does not sell or use any student assessment data; only IRIS technical administrators have access to this for maintenance and security purposes. 

Australian privacy restrictions are some of the most comprehensive and protective for students. We pride ourselves on stringent compliance with the legislative and regulatory bodies in Australia to ensure that both our students and administrators are protected against.

Depending on the needs of your institute, we can work closely to assess any concerns and see if we can accommodate them. 

 

Measures over Disposal of ICT Assets to ensure that the information which was contained in those ICT assets is not compromised 

AWS facilitates this. We facilitate the disposal of recordings after a year. After a month of contract cancellation, we will wait a month, and then we will delete the instance and all institute data. Upon request we can delete any outstanding data on the server.