The UOC will appeal before the contentious-administrative jurisdiction the penalty of 20,000 euros that the Catalan Data Protection Authority (APDCat) of the Generalitat has imposed on it for using a facial recognition system to authenticate the identity of the student in final exams and will request its precautionary suspension in order to continue using it until the courts decide whether or not this practice violates data protection regulations.

“The university is convinced that the system it uses to ensure that there are no identity thefts is in line with current data protection legislation, because a person is not identified, but rather it is authenticated that the person enrolled in the studies is the being examined, the one in front of the camera”, says Pere Fabra, the UOC’s general secretary.

The APDCat, however, ensures in its sanctioning resolution that it cannot differentiate between authentication and identification when it comes to collecting biometric data, and that the fact that the Spanish Agency for Data Protection (AEPD) does make this distinction does not condition its criterion because “there is no relationship of subordination” .

“This is a legal discrepancy on the part of the Catalan Data Protection Agency, a matter of legal finesse that the courts will have to resolve, because the authentication process that we use is similar to that done in face-to-face exams: the The student shows the DNI so that the teacher can verify that he is the one who is enrolled and that it visually matches the person in front of him; in our case, it is done through the computer: the student provides the DNI when registering, loads it when registering at the exam, and the system verifies that it is the same person who is in front of the camera being examined”, explains Fabra.

And it details that the images are kept only for the time necessary in case there is any claim about the exam or suspicion of fraud, and a maximum of three months.

He stresses that, in addition, the university reports the use of this exam system when the student enrolls “and of the thousands of students who have already gone through it since January 2021 (about 30,000 each semester), we have only had 5 complaints, because the student council is happy with this way of ensuring that no fraud takes place.”

On the other hand, those responsible for the APDCat consider that it is not enough for the university to inform the university students that a facial recognition system will be used in the exams at the time of enrolment, but that it should request their explicit and signed consent in order to collect biometric data and should offer alternatives in case they reject it, such as a face-to-face or synchronous oral evaluation.

The body in charge of ensuring data protection of the Generalitat began the sanctioning procedure against the UOC in June of last year after in November 2021 a person denounced the facial recognition method applied to be able to take the exams. Subsequently, four other complaints were filed in the same vein, the last in May 2022.

The UOC has always argued that it is a system to prevent academic fraud, that it is applied to less than half of the students because most subjects are passed without final exams, that the data is treated confidentially, ensuring its security and custody, eliminating them after three months, and without assigning them to third parties unless it is by legal obligation.

Fabra trusts that the contentious-administrative courts will suspend the sanction and resolve these discrepancies endorsing the UOC’s facial recognition identification system. Otherwise, he points out that they would choose to replace the automated recognition system with the direct and individual verification of each student’s identity by a teacher or group of teachers.