Proportionate online assessment is now a governance issue

Dr. James Gupta argues that the legitimacy of digital assessment now depends on proportionality. Blanket surveillance can harm accessibility, candidate trust and legal defensibility, especially under current GDPR expectations. A risk-based model matches controls to exam stakes, using privacy-by-design and transparency to protect integrity while avoiding unnecessary intrusion and reputational exposure.

The legitimacy of digital assessment is becoming a defining issue for organisations operating in regulated and skills-driven environments. As online exams become embedded across education and workforce certification, ethical scrutiny is intensifying, shifting the conversation from technical delivery towards broader questions of governance, trust and accountability.

Secure assessment environments rely on identity verification, browser controls and behavioural monitoring to protect integrity, yet not every assessment carries the same level of risk. Applying maximum surveillance across all exam types risks unintended consequences. Intrusive controls can increase friction, create barriers to access and shift cognitive focus away from demonstrating knowledge.

At a certain point, more exam surveillance does not necessarily create more integrity; in many cases, it simply introduces more risk. Excessive controls can undermine accessibility, damage candidate trust and raise legitimate concerns around privacy and proportionality, particularly when considered against GDPR requirements and wider data protection principles.

When surveillance undermines legitimacy

There is increasing legal and regulatory scrutiny around surveillance and AI technologies in assessment, particularly where such monitoring is considered disproportionate to the level of risk. In recent years, courts and regulators have challenged overly intrusive remote monitoring, such as a French ruling that found continuous video and audio surveillance of students to be excessive and unjustified. European data protection principles emphasise that any data processing must be strictly necessary and proportionate, with clear justification.

Parallel debates are developing in the United States, shaped by evolving interpretations of the Fourth Amendment’s protection against unreasonable searches. In Carpenter v. United States, the Supreme Court ruled that accessing cell-phone location data without a warrant violates an individual’s reasonable expectation of privacy, signalling a broader shift towards stricter scrutiny of digital surveillance practices.

Assessment systems are no longer judged solely on their ability to prevent misconduct, but also on whether they are legally and ethically acceptable to regulators, candidates and wider stakeholders. Where monitoring is perceived as excessive or unjustified, it can shift the focus from integrity to intrusion.

As a result, more surveillance does not necessarily equate to greater integrity and, in some cases, can erode trust while exposing organisations to legal and reputational risk. Assessment legitimacy depends not only on preventing misconduct, but on demonstrating that processes are fair, transparent and proportionate. Where surveillance exceeds what is necessary, it can undermine confidence in both process and outcomes.

Classifying assessment risk in a digital environment

Effective ethical design begins with recognising that not all assessments are equal, requiring organisations to classify exams based on stakes, regulatory exposure and impact rather than applying uniform controls.

High-stakes assessments, such as professional certifications or compliance-critical workforce exams, carry significant operational and legal risk and therefore justify stronger controls, including identity verification, secure browser environments and targeted monitoring supported by online exam software.

In contrast, lower-stakes assessments such as formative testing or internal knowledge checks present far less exposure and can often be delivered with lighter controls. This risk-based classification ensures that security measures are aligned to the consequences of failure, avoiding a blanket approach that prioritises consistency over fairness and weakens both candidate experience and assessment credibility.

What proportionate security looks like in practice

Proportionate security is not about reducing safeguards; it is about applying the right level and combination of controls for the level of risk, rather than defaulting to maximum surveillance.

Ultimately, this shift towards privacy-by-design, where security is embedded into the assessment structure rather than imposed through monitoring technologies, reduces the need for intrusive data collection while maintaining control over assessment conditions. By aligning with GDPR principles of data minimisation and proportionality, this approach ensures that only the data necessary to manage risk is collected, helping organisations protect integrity without exposing themselves to unnecessary privacy, legal or reputational risk.

Transparency, trust and candidate experience

Transparency plays a critical role in maintaining trust, as candidates are more likely to accept controls when they understand why they are in place, how data will be used and what safeguards protect their privacy.

Clear communication around assessment conditions, monitoring practices and data handling is essential, including what is recorded, how long it is retained and who has access, ensuring that controls delivered through digital assessment platforms are not perceived as excessive.

Without this transparency, even proportionate controls can feel intrusive, particularly in remote environments, where perceptions of surveillance can impact candidate wellbeing and performance, raising questions around fairness and validity.

Towards ethical, risk-based assessment design

The future of online exams lies in layered, risk-based systems that balance integrity with fairness, requiring organisations to move beyond one-size-fits-all approaches and adopt governance-led frameworks that consider assessment stakes, candidate experience and regulatory obligations.

By combining proportionate controls, privacy-by-design principles and clear oversight, organisations can build secure exam delivery environments that are both defensible and trusted, ensuring integrity without compromising accessibility or fairness.

Ultimately, proportionality is no longer optional; it is central to credible digital assessment, enabling organisations to protect integrity, meet regulatory expectations and deliver outcomes that withstand scrutiny in increasingly complex environments.


Dr. James Gupta is CEO and Founder of Synap