Columns Archive

LSAT Fingerprinting Tests The Limits of Privacy Law

Appeared in the Toronto Star on February 20, 2006 as Fingerprinting Reveals U.S. Patriot Act’s Long Reach

While law schools may differ, thousands of law students (and prospective law students) share at least one common experience – the Law School Aptitude Test.  The LSAT is a standardized test used by most North American law schools in their admission process to evaluate prospective candidates’ likelihood of law school success. 

While the predictive reliability of the test has been the subject of considerable controversy, in recent days the LSAT has attracted attention for a different reason.  As students file into testing centers throughout the U.S., Canada, Europe, Asia, and Africa, they must provide a thumbprint, which is used to crackdown on fraudulent test takers.  The biometric data is transferred to the United States and retained by the Law School Admissions Council, the organization that administers the test.

Test takers in British Columbia and Alberta have raised objections to the mandatory thumb-printing, expressing concern that this sensitive personal information could find its way into the hands of U.S. law enforcement.  Empowered by statutory provisions found in the USA Patriot Act, authorities could compel the LSAC to surrender the information.

USA Patriot Act fears stem from the secretive nature of the law since authorities can compel disclosures with minimal oversight and without any opportunity for the affected person to challenge the disclosure.  Critics also point the statute’ s potential misuse.  Those fears were exacerbated last week with reports that U.S. counter-terrorism databases contain an astonishing 325,000 names worldwide.

There has been swift reaction to the thumb-printing story, with the federal, British Columbia, and Alberta Privacy Commissioners joining forces in a combined privacy investigation.  Moreover, the Canadian Council of Law Deans, which represents law schools across the country, has expressed concern over the practice, acknowledging that the data could be subject to a USA Patriot Act request.  The Council raised questions about whether the practice might violate federal and provincial privacy statutes.

For its part, the LSAC has agreed to cooperate with the privacy investigations, even though it appeared somewhat surprised at the controversy.  It notes that it has collected thumbprints for 31 years, it only retains the data for five years, and the practice has not generated many objections in the past. 

In seeking to assuage fears over the USA Patriot Act issue, the LSAC reports that it has never disclosed thumbprint information in response to a subpoena.  While that may reassure some concerned students, the truth is that the law prohibits the LSAC from notifying any person that has had their personal information disclosed.  In other words, the LSAC is blocked from disclosing any disclosures they may have made.

Not only are the assurances subject to some doubt, the issue itself points to a series of concerns that extend far beyond just the LSAT.

First, the LSAT is not the only widely administered standardized test that collects biometric information such as thumbprints.  The GMAT and MCAT, used for business and medical school admissions both collect thumbprints (the GRE, a graduate school test, snaps a digital photograph of the test taker instead).  Together, more than 400,000 students worldwide take the LSAT, GMAT, and MCAT each year.

Second, while the standardized tests have garnered the lion share of attention, the schools have been reticent to admit that the full student records – including admission information, grades, papers, and other evaluations – could conceivably also be made subject to a USA Patriot Act request.

The U.S. courts have been willing to extend the reach of national law beyond their borders provided that the foreign entity maintains sufficient connections such that it meets a "personal jurisdiction" test.  In the case of many Canadian universities, the combination of exchange study programs, fundraising initiatives, and student recruitment drives could meet the jurisdiction test.  For Canadian students, this suggests that their data is already at risk – long after the LSAT, GMAT or MCAT has been forgotten.

If that were not problematic enough, in the bigger picture even more personal information could be the target of a USA Patriot Act request.  Financial information, much of which is already transferred to the United States for processing, may be caught, as is health data, such as prescription records, that are held by private sector companies with U.S. connections.

The Federal Privacy Commissioner considered this issue last year as part of an investigation into complaints against a major bank’ s practice of transferring its customer data to the United States.  The Commissioner concluded that the bank had complied with Canadian privacy laws, while conceding that the current statute is ill-equipped to deal with this emerging concern.

In order to address the issue, Canada would need to establish a "blocking statute" which creates a specific legal obligation that prevents an organization from complying with both U.S. and foreign law.  For example, Canada attempted to enact a blocking statute in response to the U.S. Helms-Burton law that established restrictions on conducting trade with Cuba.  The current privacy statute does not rise to the level of a blocking statute, but the addition of new penalties for non-compliance could change that.

The concern over the LSAT may ultimately result in reforms to the test taking procedures.  In the meantime, prospective Canadian law students are experiencing their first real law lesson months before setting foot in the classroom.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at or online at


Comments are closed.