LSAT Fingerprinting Tests the Limits of Privacy Law

My weekly Law Bytes column (Toronto Star version, homepage version) examines the growing controversy over the mandatory fingerprinting of students taking the LSAT.  There has been swift reaction to the thumb-printing story, with the federal, British Columbia, and Alberta Privacy Commissioners joining forces in a combined privacy investigation.  Moreover, the Canadian Council of Law Deans, which represents law schools across the country, has expressed concern over the practice, acknowledging that the data could be subject to a USA Patriot Act request.  The Council raised questions about whether the practice might violate federal and provincial privacy statutes.

I argue that the story is much bigger than just the LSAT.  First, the LSAT is not the only widely administered standardized test that collects biometric information such as thumbprints.  The GMAT and MCAT, used for business and medical school admissions both collect thumbprints (the GRE, a graduate school test, snaps a digital photograph of the test taker instead).  Together, more than 400,000 students worldwide take the LSAT, GMAT, and MCAT each year.

Second, while the standardized tests have garnered the lion share of attention, the schools have been reticent to admit that the full student records – including admission information, grades, papers, and other evaluations – could conceivably also be made subject to a USA Patriot Act request.

The U.S. courts have been willing to extend the reach of national law beyond their borders provided that the foreign entity maintains sufficient connections such that it meets a "personal jurisdiction" test.  In the case of many Canadian universities, the combination of exchange study programs, fundraising initiatives, and student recruitment drives could meet the jurisdiction test.  For Canadian students, this suggests that their data is already at risk – long after the LSAT, GMAT or MCAT has been forgotten.

If that were not problematic enough, in the bigger picture even more personal information could be the target of a USA Patriot Act request.  Financial information, much of which is already transferred to the United States for processing, may be caught, as is health data, such as prescription records, that are held by private sector companies with U.S. connections.

The Federal Privacy Commissioner considered this issue last year as part of an investigation into complaints against a major bank' s practice of transferring its customer data to the United States.  The Commissioner concluded that the bank had complied with Canadian privacy laws, while conceding that the current statute is ill-equipped to deal with this emerging concern.

In order to address the issue, Canada would need to establish a "blocking statute" which creates a specific legal obligation that prevents an organization from complying with both U.S. and foreign law.  For example, Canada attempted to enact a blocking statute in response to the U.S. Helms-Burton law that established restrictions on conducting trade with Cuba.  The current privacy statute does not rise to the level of a blocking statute, but the addition of new penalties for non-compliance could change that.

The concern over the LSAT may ultimately result in reforms to the test taking procedures.  In the meantime, prospective Canadian law students are experiencing their first real law lesson months before setting foot in the classroom.


  1. 1L from Dalhousie
    While I can understand LSAC’s motivation for collecting thumbprints, I agree that this policy is needlessly invasive. Kudos to both you and the CCLD for bringing this to light.

    The broader implications you’ve outlined for student data in general should raise the ire of every SU and LSS in the country. I know I’ll be raising it next week when Dal’s LSS reconvenes.

  2. Invasive?
    I don’t get it. What is “needlessly invasive” about asking test-takers to provide a reliable and non-falsifiable form of identification, in order to deter fraudulent impersonation? What is the potential harm entailed in the almost entirely theoretical possibility that a US law enforcement agency, in the context of a national security-related investigation, might – gasp! – obtain a copy of someome’s thumbprint?

  3. Yes, Invasive!
    It is “needlessly” invasive precisely because there are other forms of verification available that do not require the submission of biometric data.

    I wouldn’t give them my thumbprint for the exact same reason I wouldn’t give them my ATM PIN. It’s personal and they don’t need it to deter others from falsifying the test. LSAC already takes handwriting samples on the LSAT for this exact purpose.

    On the second point, I’m a Canadian citizen and subject to Canadian laws. I have no desire -nor should I be forced- to abrogate my rights for scrutiny subject to interests of American “national security”. I have no idea what that amorphous concept entails, nor it seems does the US government (see Maher Arar, NSA wiretapping etc.).

    Lastly, I have no idea what the governing practices of LSAC are. I don’t know who has access to that sensitive data not where it goes after I give it to them. Identity theft is a real concern and prudence calls for caution with any personal disclosure.

    So there you have both principle and potential harm. Nevertheless, wouldn’t you agree that it should be on both LSAC & the United States to prove why they need my thumbprint? (Gasp)

  4. “Biometric data”
    I suppose providing a photograph would not be acceptable, as that would amount to biometric data?

    Your pin allows access to your private data. Your thumbprint simply identifies you. I still do not see the potential harm in the almost entirely theoretical possibility that the US Department of Justice might access a thumbprint that establishes that your thumb participated in an exam sitting.

  5. Establish justification before moving to
    You’ve illustrated my point Dan. How long before a thumbprint provides access to more sensitive personal data? Fingerprint technology is already available for the home PC user. You can walk into any Future Shop and buy a scanner yourself.

    On your second point, I would also object to a photograph for the same reasons I’ve mentioned before. They don’t need it to accomplish their purpose and its on them to provide a good reason to require it. They already have several other means of ascertaining my unique identity. Or hey, why not let them scan your retina too?

    I should also state, that the Patriot Act allows for this information to be the subject of subpoena + permanent retention by US authorities. Do CDN law schools really want to assist the US government in building dossiers about young lawyers?

    Furthermore, such a request may not be as focused as you would expect. The US government is currently in litigation against Google to cough up its entire page index under the guise of “national security”. Should we really be forced to trust the noble intentions of the US government with our personal data in order to attend law school?