The Alliance Standard for verification of online training

The Alliance Standard for Verification of Online Training

Acknowledgment

This document relies heavily on the past work  efforts of other organizations with specific interest and expertise relating  to the use of training in the prevention of workplace injuries and  fatalities. The following is a list of organizations that were referenced to  create this document.  

American National Standards Institute (ANSI)

A private, non-profit organization that administers and coordinates the U.S. voluntary standards and conformity assessment system. Founded in 1918, the Institute works in close collaboration with stakeholders from industry and government to identify and develop standards- and conformance-based solutions to national and global priorities.

The Canadian Association of Petroleum Producers (CAPP)

CAPP represents companies that explore for, develop, and produce natural gas and crude oil throughout Canada. Together CAPP's members and associate members are an important part of a national industry with revenues from oil and natural gas production of about $120 billion a year. CAPP’s mission, on behalf of the Canadian upstream oil and gas industry, is to advocate for and enable economic competitiveness and safe, environmentally, and socially responsible performance.

International Accreditors of Continuing Education and Training (IACET)

IACET uses the ANSI/IACET Standard, in-depth research on the learning process, and a global network of experts to inform further standards development. IACET’s mission is to assist continuing education and training providers to create a superior learning experience for adult learners.

Occupational Safety and Health Administration (OSHA)

With the Occupational Safety and Health Act of 1970, Congress created the Occupational Safety and Health Administration (OSHA) to ensure safe and healthful working conditions for workers by setting and enforcing standards and by providing training, outreach, education, and assistance. This document will reference OSHA materials but is not to be considered endorsement as OSHA explicitly state that they do “not approve, endorse, or promote the products or services of others”.

DISCLAIMER:

This publication is intended for organizations providing and utilizing online training with regulatory, legal, and mitigation intent. It is believed that the information contained herein is reliable. The authors do not guarantee accuracy. The use of this report or any information contained will be at the user’s sole risk, regardless of any fault or negligence of the authors or contributors.

Overview

Prior to the widespread use of the internet, almost all workforce training with regulatory, legal and mitigation intent, was conducted in a classroom environment, with trainers providing face-to-face instruction to a room of personnel. Times have changed, and today organizations offer online training as a viable alternative to traditional, classroom-based instructor-led training.

While online training offers benefits such as cost savings, convenience, and scalability, it has significant drawbacks if not implemented appropriately. Online training without the integrated ability to identify workers and verify their participation could be problematic in an industry that is subject to legal scrutiny.

This is especially important in high-risk industries, where safety training can mean the difference between life and death.  

  • Employers rely on proof of training to ensure they mitigate operational risk and protect their workforce and operations.
  • Regulators rely on proof of training to demonstrate the employer’s compliance with legislation.
  • Courts rely on proof of training to demonstrate an employer’s due diligence.

Any organization that relies on web-based safety training must ensure that workers receive the information and demonstrate the attainment of learning outcomes for the delivery of online course content to be considered “training” and for the workers involved to be considered “trained” 1. For the purposes of clarity, this document will refer to training that includes identity and participation verification as “verified training” and use the term “online content” for what some may refer to as training but where the identity and participation of the intended worker are unknown.

US Occupational Safety and Health Administration (OSHA)

#2254-09R
"Employers must be able to show both that the training was adequate, based on training content, and that the employee received the training.”

American National Standards Institute and American Society of Safety Engineers

ANSI+ASSE Z490.1
7.2.2
“Delivery records for each training event shall identify the trainee’s participation in the training

1. Introduction

The inherent challenge of delivering verified training is the difficulty of ensuring worker identity and participation is in accordance with the its intended purpose.

The most recent statistics available from the United States Bureau of Labor Statistics show more than 2.7 million workplace incidents occurred in 2020 alone2. Investigation of these incidents by OSHA focuses on key factors that may have prevented the incident from occurring and whether an employer demonstrated an appropriate level of due diligence, including providing and ensuring the completion of appropriate training. OSHA investigators are trained to ensure that workers “receive” adequate training not that the employer “provided” “training” access3.  

Attempts have been made to make delivery, utilization, and consumption of online, self-guided training easier, however, few ensure that the employee is actively engaged. Further, the general anonymity of unverified online training does not create a defensible record indicating who received the training and whether they were actively engaged during the training.

Without verifiable proof that training has been received by employees, companies providing the training cannot fully comply with regulatory and due diligence standards. Fortunately, technology now exists to verify online training without device, bandwidth, cost, and/or administrative constraints.

This guidance document was created to assist organizations endeavouring to use such technology as part of their online training program as well as organizations delivering awareness-level orientations through third-party training providers to those performing work in the high-hazard environments in which they operate.

1.1 Legal Disclaimer

This guidance document is not intended to constitute legal advice. It is intended to be used as a guideline or best practice for organizations using or considering verification methods in conjunction with online training as part of their education and training requirements. The specific laws with respect to the environment, Occupational Health and Safety (OHS), and privacy vary from jurisdiction to jurisdiction. Legal matters are often complicated and highly dependent on the specific circumstances of each case.

Organizations should seek legal advice based on specific circumstances from a lawyer knowledgeable of the area of law in question.

Organizations should also consider that, like all technology the application or use of identity and participation verification can be both easily and diligently applied or it can be applied haphazardly and create legal exposure (e.g., room scans violating 4th amendment, use of biometric data, excessive data collection/retention/distribution).

1.2 Scope

The training activities referred herein take place on computers, tablets, or smart phones with access to the internet and a forward-facing camera. This training typically involves a variety of multimedia elements such as animations, graphics, voice-over narration, and videos, all used to deliver course material on a specific topic.

This document applies to training that is delivered without an instructor present and with the intent to:

  • mitigate risk by providing individuals with specific information that will assist them to understand corporate values, develop hazard perception/recognition, and control selection/application.
  • demonstrate regulatory compliance i.e., to address requirements for an “employer to ensure” workers are trained and/or competent (and training is one element of demonstrating how competency was developed/assessed).  
  • demonstrate due diligence to the courts in the event of an incident including verification of worker identity and participation.

2. Defenitions

Due Diligence Defense is a legal defense available to an organization or person charged with a strict liability offence. Most regulatory offences are strict liability offences, which includes most environmental and Occupational Health and Safety offences. The defense is available even when a breach of a strict liability offense has occurred. It provides the defendant with an opportunity to defend against charges by proving it was duly diligent in preventing the breach. The defense requires the defendant to prove on a balance of probabilities that all reasonable care was exercised in the circumstances. This often means organizations must prove a proper system was established to prevent the breach and that reasonable steps were taken to ensure the effective operation of the system.

Identity Verification is the confirmation of an individual's identity through a comparison of the provided name and their facial characteristics in a digital image compared with a credible form of photographic identification or a previously confirmed digital image.

e Verification is the use of web-enabled technology to verify the identify and participation of a learner during the training or an assessment. Participation observations of assessments are to identify any departure from a communicated standard of conduct that could affect the integrity of the assessment process.

Web-enabled means any software or application that relies on or runs within a web browser without the need for additional download or installation on the receiving device.

Participation Verification means the participant was visibly engaged throughout the duration of the session (i.e. present, awake, attentive).

3. Legacy Practices

Legacy processes typically require workers to use a user login and password to access training through internal or third-party learning management systems (LMS). This practice can limit user access but does not confirm worker identity or participation in training activities just as the password to access a cellular phone does not restrict or verify who is using it. Verified training varies from legacy practices because the identity and participation of the worker during the event is demonstrable and thus able to be presented as evidence of an employer’s regulatory compliance and/or due diligence.

3.1 E Verification

Employers using electronic verification (e Verification)for regulatory compliance and/or due diligence reasons need to ensure not onlythe identity of an individual but also the active participation of theindividual. Regulatory compliance requires that workers be “trained” and morespecifically that the training content has been “received”1. eVerification can provide this through systems of identity verification, videomonitoring.

4.1 Use of E Verification

Organizations are typically obligated to comply with the rules that govern their activities. These rules may be in the form of policies or laws and may be enforced by industry regulators. For example, some organizations are required to comply with Occupational Health and Safety and Environmental regulations. The consequences of an individual and/or organization breaching regulatory requirements can be severe and can result in fatalities, lifelong disablement, property damage, environmental contamination, extreme financial penalties, lawsuits, criminal liability, and potentially, the insolvency of the organization.

Therefore, organizations must ensure that their representatives (e.g., employees, contractors, subcontractors, vendors, agents, volunteers, or members) have the knowledge to meet obligations and avoid breaches. Given the significant risks involved, organizational use of e Verification can be a critical element in discharging the burden on an organization to prove individuals received the information required to receive the necessary knowledge.

Figure 1.0 below provides the decision-making process of how e Verification should be applied based on the purpose/outcome of training.

Figure 1.0 – Verification Need Based onTraining Objective

4.2 Due Diligence

An organization potentially in breach of a strict liability offense may rely on a due diligence defense to avoid liability for the breach. Once the breach is proven by the prosecution, the burden of proof shifts to the organization to establish, amongst other things, that a formal system was adopted and the organization took reasonable steps to ensure the effective operation of the system. If the organization fails to discharge its burden of proof, then a conviction will result.

Courts and prosecutors will assess the actions and omissions taken by an organization to prevent an incident in terms of what is “reasonable” in the circumstances.  If technological advancements are economical and readily available and an organization does not use them, then the defense of due diligence is weakened and the organization is exposed to liability.

With respect to e Verification, the past technological limitations that may have reduced the reasonableness of its use no longer exist as the technology is now widely available and accessible even through a mobile phone.

4.3. Privacy Considerations

In addition to compliance with jurisdictionally specific privacy requirements, international privacy compliance must be attained as the very nature of web-based access to educational material creates the opportunity for utilization across multiple jurisdictions4.

Where e Verification is integrated into an online training/assessment process, specific privacy considerations must be addressed.

Appropriate Limitations to Prevent Invasive Monitoring: There are a variety of e Verification technology/services available that can assist and monitor online training, but many of them have proven to be excessive in the eyes of the courts and privacy commissions. Specifically, the use of room scans has been deemed a violation of the United States' fourth amendment regarding illegal search5.

Information Collection/Segregation: If media is captured of an individual’s government-issued identification and in what may be a home environment, this information should not be retained by or accessible to any individual who also has access to other personal information about that person, i.e. media of interior of home/family with the address of the home.

Media images of Government Identification and Participant: Individuals who provided reasonable access to their image for the purpose of identity verification may also be inadvertently providing personal and protected information about themselves. To eliminate an impact on employment relationships, all media should be kept inaccessible to the employer, employer associations and agents and deleted within twenty-four hours of collection if not required by law or to demonstrate possible non-compliance.

Additional privacy requirements for e Verification should include:

  1. Persons subject to e Verification must be provided with the privacy policy and instructions for use in a language they understand.
  2. The information must not be used or disclosed for a secondary purpose unless required by law or the individual consents to the use or disclosure.
  3. The information retained and used for the basis of e Verification decisions should be provided and/or readily accessible to the learner.

Provider Independence: The e Verification provider must not have a financial interest in the provider of the educational material as this is due to the potential degradation of the integrity of e Verification results, i.e., the provider of educational materials may have a financial incentive to minimize the impact of the e Verification so higher volumes of educational materials can be delivered with less restrictions.

The goal of e Verification is to eliminate hardware needs beyond those that are standard to computers/tablets/phones such as microphones, speakers, and video cameras.  

Peripheral devices: Additional peripheral devices, which monitor biometrics (fingerprint scanners, heartbeat monitors, or retina scanners), can provide alternative methods of identity verification but are not widely available and as such not recommended.

The utilization of additional peripheral devices creates technological barriers that limit the ability of organizations to cost effectively ensure an adequate due diligence defense.

Invasive Software: Any requirement for learners to install software (programs, plugins and/or extensions, apps) creates a risk of viruses and installation restrictions (where employees do not have administrative access to their device. e Verification should be accessible through the web browser and not require any software installation to operate.

Insecure Browser Detection: An insecure browser jeopardizes the privacy of the information transmitted when a user logs into a training content site, submits photo identification and gives access to their web-camera/desktop. As the security provided by the browser is based on it being up to date, the eVerification technology should check the browser version and restrict access to out-of-date browser access.          

Biometrics: Biometrics are measurements and calculations related to human characteristics that can be used to identify an individual. As far as where biometric technology is used as part of e Verification, it must be restricted to the user’s device and no biometric signatures/measurements should be collected, stored and/or distributed at any point in the e Verification process.

The new era of online training is here to stay. No longer will constraints such as personnel, space, schedules, and/or travel restrictions hinder an organization’s ability to deliver verified training. The Alliance Standard is a publication offering guidance and education for organizations to approach online training in a verified manner. Organizations who take reasonable care to deliver verified training will meet the scrutiny of due diligence through a regulatory lens. Furthermore, maintaining the integrity of safety training is simply the right and responsible thing to do.  

It is not the belief of the authors or contributors that due diligence should be burdensome or prohibitively expensive. Care for the learner’s privacy, rights, and experience should always take priority. The training utilization rationale should guide organizations to reduce any undue burden of applying unnecessary restrictions to the verification criteria.

Training providers should not be incentivized to minimize training units failing to meet the verification criteria.

Questions or comments concerning the publication can be directed at verifiedtraining@alliancesafetycouncil.org or robert@integrityadvocate.com

1. American National Standards Institute and American Society of Safety Engineers ANSI+ASSE Z490.1 7.2.2

2. https://www.bls.gov/news.release/pdf/osh.pdf

3. US Occupational Safety and Health Administration (OSHA) #2254-09R

4. Data Protection & Privacy 2014, Published by Law Business Research Ltd, London, UK, ISSN 2051-1280

5. https://www.govinfo.gov/content/pkg/USCOURTS-ohnd-1_21-cv-00500/pdf/USCOURTS-ohnd-1_21-cv-00500-0.pdf