There is a reflex in exam security to treat privacy and rigour as a trade-off: the more invasive the identity check, the more secure it must be. Collect the face scan, the ID photo, the keystroke biometrics, the room recording — surely all that data makes fraud harder.
Often it does the opposite. A pile of sensitive data is a liability you now have to defend, and the invasive check is frequently the lazy one — a substitute for thinking about what you actually need to confirm.
Separate the question from the method
The question is narrow: is the person sitting this exam the person enrolled in it? That is it. It does not require a permanent biometric profile. It requires enough confidence, at the right moments, that the enrolled human is the one present.
Once you frame it that way, a lot of data collection reveals itself as scope creep. You do not need to keep a candidate's face on file for years to confirm they showed up today. You need a check at the start, perhaps a quiet re-check or two during, and a way to prove later what you relied on.
Minimise on purpose
Data you never collected cannot leak, cannot be subpoenaed, and cannot be repurposed by a future product manager who thinks it would be "useful for analytics." Regulators have made this an expectation, not a nicety — data minimisation is a core principle of the GDPR, and biometric identifiers carry extra obligations under guidance like the UK ICO's. Treat every field you store as something you will one day have to justify, secure, and eventually delete.
The most defensible identity system is not the one that knows the most about a candidate. It is the one that kept only what it could explain.
Proportionate beats maximal
Match the check to the stakes. A low-stakes quiz might need nothing more than an authenticated login. A licensure exam that gates a career justifies a documented identity step and a re-check during the session. The mistake is applying maximum surveillance everywhere — it desensitises everyone, buries the signal that matters, and trains your honest candidates to expect intrusion as the price of participation.
And remember the false-positive cost we keep coming back to in what the proctor actually sees: an over-eager identity model that flags a tired candidate for "not matching" their own ID photo creates exactly the kind of unfair dispute that erodes trust in the whole programme.
Build it as a deliberate layer
Identity verification works best as an explicit, well-scoped stage rather than a feature smeared across a proctoring product — which is how we approach it in our identity verification work, alongside the delivery integrity of OroLink. Decide what you must confirm, collect the minimum that confirms it, keep an auditable record of what you relied on, and delete the rest on a schedule. That is more secure and more respectful — and those two goals were never actually in tension.
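The sequence above (decide what to confirm, keep a record of what you relied on, delete the rest on a schedule) as an added sketch; it is not code from this post or from any product it mentions. The tier names, check names, 30-day retention window and the HMAC-SHA-256 evidence tag are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed mapping of stakes to checks, following the quiz vs licensure contrast.
REQUIRED_CHECKS = {
    "low": ["authenticated_login"],
    "high": ["authenticated_login", "documented_id_step", "in_session_recheck"],
}
RAW_RETENTION = timedelta(days=30)  # assumed deletion schedule for raw artefacts

@dataclass
class AuditRecord:          # kept long term: the decision, never the artefact itself
    candidate_id: str
    check: str
    outcome: str
    checked_at: datetime
    evidence_tag: str       # keyed digest; still linked to the candidate, so protect it

@dataclass
class RawArtefact:          # kept short term: the ID photo, capture, etc.
    record: AuditRecord
    data: bytes
    delete_after: datetime

def record_check(key, candidate_id, check, outcome, evidence, now):
    """Create the durable audit record plus a raw artefact with an expiry."""
    tag = hmac.new(key, evidence, hashlib.sha256).hexdigest()
    rec = AuditRecord(candidate_id, check, outcome, now, tag)
    return rec, RawArtefact(rec, evidence, now + RAW_RETENTION)

def missing_checks(stakes, records):
    """Checks the stakes tier requires that have no passing record yet."""
    passed = {r.check for r in records if r.outcome == "pass"}
    return [c for c in REQUIRED_CHECKS[stakes] if c not in passed]

def purge_expired(raw_store, now):
    """Scheduled deletion: drop every raw artefact past its retention date."""
    return [a for a in raw_store if a.delete_after > now]

def evidence_matches(key, record, evidence):
    """In a dispute, confirm a presented artefact is the one relied on."""
    expected = hmac.new(key, evidence, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.evidence_tag)

if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-secret"     # constructed sample values
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    rec, raw = record_check(key, "cand-001", "documented_id_step", "pass",
                            b"constructed-id-photo-bytes", now)
    print(missing_checks("high", [rec]))
    print(len(purge_expired([raw], now + timedelta(days=31))))
```

After the purge the store holds only the check, its outcome, the time and the tag, which is the part of the record the operator can explain.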