Security and privacy

EU General Data Protection Regulation (GDPR) compliance

 
Martin Dougiamas
EU General Data Protection Regulation (GDPR) compliance
Core developers, Documentation writers, Moodle HQ, Plugin developers, Testers

Next year it will become mandatory for online systems used in the EU to support the new GDPR laws:

I'm fully behind this, I think those laws are a great thing for privacy online and Europe is leading the world in this.

Moodle will be right there with it. 

To get there, we basically need to:

  1. Get together some legal experts who fully understand the new laws - PARTICULARLY IN THE CONTEXT OF EDUCATION.
  2. Analyse the distance between what Moodle does now and what GDPR requires and develop a clear spec.
  3. Do the work in Moodle code and documentation to make sure we are compliant. 
  4. Become certified in a way that any Moodle site can use to show their compliance.

I'm highlighting the education side because I think there are some tricky considerations in a school, university or workplace that may not be obvious.  For example, a person removing all their forum posts from a discussion will completely disrupt the learning environment for everyone else.

This is not just a job for Moodle HQ, we really need the whole community to help rally around this and make it happen soon.

Who wants to help?  

Who knows of any existing initiatives or even funding available for this?  

Let's start pooling info here!

Peace,
Martin

 
Average of ratings: Useful (11)
Samuel Witzig
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Martin

Wouldn't it make sense to raise the subject in Mannheim at the Moodlemoot Germany? Since you are there as a keynote speaker, and Germany is affected by the EU General Data Protection Regulation, I think that this would be a good place to discuss the subject in depth.

Best,

Samuel

P.S: even though Switzerland is not in the EU, our data protection laws will be made compatible with the EU regulation, so we are affected too.

 
Average of ratings: Useful (2)
Martin Dougiamas
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Documentation writers, Moodle HQ, Plugin developers, Testers

Absolutely, let's make that happen (and French MoodleMoot also in June). We should still also discuss it here though. :)

 
Average of ratings: -
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Translators

Hi Martin

Thanks for the initiative here. I'm preparing a presentation at MoodleMoot Germany and we should add a workshop for these issues on the second day.

I can just add the first issues I identified:

  • Withdrawal of consent to store data. Withdrawing has to be as simple as acceptance is given. Solution: user can withdraw in profile, user account will be set to inactive, user will be logged out, notification to admin.
  • Admin can see who accepted or withdrew consent: new site report with information about users, date of acceptance, date of withdrawal.
  • Right to be forgotten: The requirements of documentation from the owner of the system have priority. Nobody can ask a university to delete all data. Same for corporates. There is a simple option: anonymise/delete the account.
  • Right to get a report about all stored data: We have to define what data should be included. Idea: user profile with button to create a report as PDF. User profile, enrolled courses, course progress, course grades.
  • Right to transfer data from one system to another system: The report above can also be given as an XML or JSON file.

Ralf Hilgenstock

 
Average of ratings: Useful (7)
Elizabeth Dalton
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Testers

Ralf, do the rules distinguish between personally identifying data and de-identified data for withdrawing consent or right to be forgotten? Would it be sufficient to de-identify all records of an individual (reassigning them to a unique identifier not linked to the individual), for example? This would allow learning analytics systems to continue to make predictions based on previous learner experiences, even if details of who the learner was are not still in the system.

 
Average of ratings: -
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Translators

Hello Elizabeth

Good questions, but also complex questions. I think I can't answer them finally.

At first, the aspects are described in separate articles. My personal opinion is that it has to be understood from the general background of the GDPR.

The generals are:

  • People are the owners of their data.
  • They give permission to store this data and can withdraw this permission.
  • People should be protected against their data being abused against their interests.
  • The institution that creates and edits that data should reduce the data to a minimum and delete the data if there is no reason to store them anymore.
  • The idea of protection is to protect against any type of abuse by private (commercial) or governmental institutions.
  • GDPR distinguishes between data and sensitive data.

There is a separate article in GDPR about anonymization of data.

The learning analytics discussion has not yet started intensively in education. I expect that this will start over the next years.

I think it's a question of the purpose of learning analytics. There is a strong difference in teaching culture in different countries. I.e. years ago I was wondering when I saw 'thank you teacher cards' in the UK. This is completely unknown here in Germany. I found that it's common in the UK that students and parents say thank you to the teachers at the end of the term that teachers supported the students to success. In Germany there is just another culture of teaching: parents often feel teachers have to segregate between good and not so good students. In some schools it's expected that the Gaussian distribution is reached. A teacher who leads all students to success is very often under criticism. We also have a strong discussion about individualization of the teaching process and the role of the teacher as individual learning coach.

Something similar happens in universities with lectures that 'should' reduce the number of students, and it's seen as normal when 50% or more of the students fail the final exam.

In companies we see other paradigms: mandatory training programs, training to prepare for a special job or task. Success is sometimes a requirement for an internal job, sometimes nobody is interested in success and sometimes it is part of control of how well they do their job.

With these cultural differences in the background we can discuss learning analytics purposes in detail. What is the intention of learning analytics in a special context?

  • summative evaluation to optimize a program for the next group of users
  • individual support and coaching of a single learner
  • control of the learner

Based on the different intentions, learning analytics will be accepted or viewed critically.

The discussion from the learner side will be different depending on the experience with the teaching process and culture in the institution. Years ago we had a discussion started by students at a German university that the use of the LMS should be completely anonymous. They argued a professor should not be able to identify who did what on a platform. A professor could be influenced by a silly question in a forum by a student when he grades the final exam of just this student. This happens especially if you see classes or lectures with 100-1500 students.

We also have universities with small groups and a much better relationship between professor and student.

Let me make this more complex, as it is naturally. European GDPR will be complemented by national law. In Germany we have a state level and federal state level. On state level regulations for universities and schools are defined. The system of institutional data protection officers is completely independent. Because GDPR and most (federal) state laws are not defining concrete situations, data protection officers can accept or deny the data processes.

My personal argumentation is:

  • learning analytics will be accepted when the teachers integrate it in their quality management programs
  • it will be accepted when it is part of the teaching concepts and culture
  • it will be accepted if it is really used to support users to succeed
  • it will be denied if data are not used

I'm very interested in this discussion, because it's a good opportunity to push teaching culture and quality management in educational institutions.


Ralf



 
Average of ratings: Useful (2)
Elizabeth Dalton
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Testers

Ralf,

Thank you for this thoughtful, comprehensive response. I see what you mean: if the purpose of analytics is to help ensure that a course design results in a Gaussian distribution with a 50% failure rate, a student is going to feel very differently about their personal data remaining in the system! We need to take that into account and provide a way to de-identify data the system needs on request. I think we can also make it clear to students how their data is being used by listing the models the system has enabled (a clear, natural language description, not computer code). I will incorporate these ideas into our working documents.

Thank you again,

Elizabeth 

 
Average of ratings: -
Ger Tielemans
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Ralf,

By law Dutch educational institutes have to save and store the personal educational results from their students for at least seven years, so...

 
Average of ratings: -
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Translators

Hello Martin

During German Moot we will have a presentation (in German) about the new situation, and I suggest a working group on the second day with a focus on discussing how to design the process:

- identifying the requirements on functional level and on process level for system owners

- defining working packages (draft).

It makes sense to follow up on this during the French conference in the week after.


Ralf

 
Average of ratings: -
koen roggemans
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Documentation writers, Moodle HQ, Plugin developers, Translators

The decision was made in May 2016 to become operational in May 2018 - a transition time of 2 years to comply.

By coincidence, I contacted a few days ago the ministry of education of Flanders (Dutch speaking part of Belgium) for education specific guidelines. The reply was that they are at the moment setting up a work group to investigate that. That didn't sound very hopeful to get anything done in time.

Since it's European matter and has nothing to do with the separate countries of the EU, I'm very keen to learn from the viewpoints of other countries.

 
Average of ratings: Useful (1)
Gemma Lesterhuis
Re: EU General Data Protection Regulation (GDPR) compliance
 
Average of ratings: Useful (1)
Centre e-learning HES-SO Cyberlearn
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Martin,


Some members of Cyberlearn (the E-Learning center for the University of Applied Sciences Western Switzerland) will be present at the French Moodle Moot in Lyon. We will be pleased to join the discussion of this issue.



 
Average of ratings: -
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Translators

Hi Martin

The first link in your post goes to a private site. It's a lobby organization. The official site of the European data protection supervisor is here: https://edps.europa.eu/


Ralf

 
Average of ratings: Useful (4)
Ruth Horak
Ang: Re: EU General Data Protection Regulation (GDPR) compliance
 

Which versions of Moodle will be worked upon to ensure compliance with GDPR? 

 
Average of ratings: -
Helen Foster
Re: Ang: Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Documentation writers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Testers, Translators

GDPR compliance plugins will be for Moodle 3.3 onwards. Please see Sander's post Moodle’s GDPR Approach and Plan for more details.

 
Average of ratings: Useful (1)
Tim Gildersleeve
Re: EU General Data Protection Regulation (GDPR) compliance
 

This is all very welcome news, this has been on my mind a lot lately.

I realise that this is just ramping up for discussions but do you think any code changes etc to support this are likely to be implemented for the November/December 2017 (3.4?) release? Or is it more likely to be in the May 2018 (3.5?) release?

On a side note - this will probably unify versions of all EU Moodle installations for the first time - everyone will have to be moving to this release to be compliant.

 
Average of ratings: Useful (2)
Martin Dougiamas
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Documentation writers, Moodle HQ, Plugin developers, Testers

It had not been included in the pre-planning for 3.4, but we'll see what can be done and needs to be done.

 
Average of ratings: -
Martin Greenaway
Re: EU General Data Protection Regulation (GDPR) compliance
 

Without wishing to unnecessarily bump a thread from some days ago, this is really good news, as a lot of (certainly public sector) organisations even in the UK are looking for GDPR plans when evaluating solutions.

Something that might be of interest in the European Moot discussions is this:  As you rightly point out Martin, removing a learner's contributions across the board can have significant impact on forum threads, but behind the scenes it has huge implications for things like learning analytics.  If large numbers of people withdraw, and furthermore choose to withdraw their data, is there a danger you could be losing a disproportionately important amount of data? After all, the data withdrawn would be exclusively that of people who disengage with their learning and ultimately withdraw from courses.

Some form of anonymisation of the user account (allowing the underlying scores, interactions, forum posts etc. to be retained for their normal lifecycle without being attributable) would be much more beneficial to institutions and subsequent learners...

If, of course, such a thing were compliant with the final form of GDPR!

 
Average of ratings: -
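
The de-identification idea raised in Elizabeth Dalton's and Martin Greenaway's posts above (reassign a person's records to an identifier not linked to them, so grades and interactions can be retained), as an added example that is not part of the thread and is not Moodle code. The schema, table names and function names are assumptions made for illustration, and the sample records are constructed.

```python
import secrets
import sqlite3

# Constructed schema for illustration only; this is NOT Moodle's database layout.
# AUTOINCREMENT stops SQLite from ever reusing a deleted user's id.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE,
                    fullname TEXT, email TEXT, deidentified INTEGER DEFAULT 0);
CREATE TABLE grades (id INTEGER PRIMARY KEY, userid INTEGER, course TEXT, grade REAL);
CREATE TABLE posts (id INTEGER PRIMARY KEY, userid INTEGER, discussion TEXT, message TEXT);
"""

# Every (table, column) that points at a user. Fixed allow-list, never user input,
# which is why it is safe to interpolate into the SQL below.
USER_REFERENCES = [("grades", "userid"), ("posts", "userid")]


def build_sample_db():
    """Return an in-memory database filled with constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users (id, username, fullname, email) VALUES (?, ?, ?, ?)",
        [(1, "akeller", "Anna Keller", "anna.keller@example.org"),
         (2, "bmeier", "Ben Meier", "ben.meier@example.org")])
    conn.executemany(
        "INSERT INTO grades (userid, course, grade) VALUES (?, ?, ?)",
        [(1, "Physics", 82.0), (1, "Chemistry", 47.5), (2, "Physics", 91.0)])
    conn.executemany(
        "INSERT INTO posts (id, userid, discussion, message) VALUES (?, ?, ?, ?)",
        [(1, 1, "Week 1", "How do we cite sources in the lab report?"),
         (2, 1, "Week 2", "My results are attached. Regards, Anna Keller"),
         (3, 2, "Week 2", "I agree with Anna Keller, the second method is easier.")])
    conn.commit()
    return conn


def deidentify_user(conn, user_id):
    """Reassign a user's records to a new placeholder account and drop the original.

    Returns (placeholder_id, post_ids_needing_review). No old-to-new mapping is
    stored, so there is no lookup table that could reverse the step.
    """
    row = conn.execute(
        "SELECT username, fullname, email FROM users WHERE id = ? AND deidentified = 0",
        (user_id,)).fetchone()
    if row is None:
        raise ValueError("unknown or already de-identified user")
    identifiers = [value.lower() for value in row if value]

    alias = "deidentified-" + secrets.token_hex(8)  # random, not derived from the user
    with conn:  # one transaction: either everything moves or nothing does
        cursor = conn.execute(
            "INSERT INTO users (username, fullname, email, deidentified) "
            "VALUES (?, 'Former participant', NULL, 1)", (alias,))
        placeholder_id = cursor.lastrowid
        for table, column in USER_REFERENCES:
            conn.execute(f"UPDATE {table} SET {column} = ? WHERE {column} = ?",
                         (placeholder_id, user_id))
        conn.execute("DELETE FROM users WHERE id = ?", (user_id,))

    # Reassigning ids does not clean free text: signatures and quotes by other
    # participants can still name the person, so report those posts for review.
    flagged = sorted(
        post_id for post_id, message in conn.execute("SELECT id, message FROM posts")
        if any(identifier in message.lower() for identifier in identifiers))
    return placeholder_id, flagged


if __name__ == "__main__":
    db = build_sample_db()
    new_id, review = deidentify_user(db, 1)
    print("records now owned by placeholder", new_id, "- posts to review:", review)
```

The grades and forum posts survive under the placeholder account, while the returned list shows where the person is still named in message text, including in a post written by someone else.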
Samuel Witzig
Re: EU General Data Protection Regulation (GDPR) compliance
 

Some more resources for GDPR:

 
Average of ratings: -
Chris Nelson
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi all,

Apologies for the bump, but I haven't been able to find anything concerning the mentioned GDPR discussion from the June Moodlemoots, so I was wondering how the discussion has evolved in the last few weeks?

Here in the UK, we are still awaiting university-specific guidance from the Information Communication Office (ICO), so are planning system changes as best we can. The ICO has a good general GDPR overview document that is well worth reading though - it is being updated fairly often too.

I feel that I should flag that it is not always possible for education centres to adopt the absolute latest release of Moodle straight away - ensuring compatibility with other local systems etc. can take significant time. From such a point of view, the implementation of the majority of GDPR administration mechanisms for the November 2017 (/3.4) release would be preferential as that would give most places sufficient time to adopt Moodle 3.4 by the 25 May 2018 deadline. I daresay that later adopters may have some leniency if they can prove to the ICO (or equivalent) that they are in the process of adopting/making necessary changes, but that grace period would probably only be another month or so.

A big thanks to Martin for raising this in good time, and for all the other posters for the information shared so far!

 
Average of ratings: Useful (3)
Chris Nelson
Re: EU General Data Protection Regulation (GDPR) compliance
 

Just to add a link to JISC's online briefing about GDPR.

https://www.jisc.ac.uk/training/moving-toward-GDPR

It's an hour long, but well worth watching.

 
Average of ratings: Useful (1)
Me!
Re: EU General Data Protection Regulation (GDPR) compliance
 

Posting an update on what we (HQ) have been doing with regards to GDPR in Moodle.

Firstly - we recognise that there will be a lot of Moodle sites that are going to be running current or older Moodle versions at the time that the new GDPR laws become enforceable. I created a Moodle docs page with some practical advice on how to start thinking about the obligations of a Moodle administrator under the new regulations.


http://docs.moodle.org/dev/GDPR_For_Administrators

This page can only be edited by administrators because we want to be cautious about any page that could be construed as legal advice. That is not the point of that page. If anyone would like to suggest improvements / changes - you can do that by replying in this forum discussion.


This is not intended to be a "magic document" that says Moodle complies with the regulations. It is up to each administrator of a Moodle site to ensure they are doing the right things. 


Further to this, there are some additional changes we have identified that we could make in Moodle to make it easier for sites to comply with the regulations. I have written up some tracker issues with user stories for these enhancements under: https://tracker.moodle.org/browse/MDL-59286


We have not started work on those issues yet - we will probably have time to tackle a few of the most important ones before 3.4 is released but I don't think we will get time to look at them all.

 
Average of ratings: Useful (6)
Ray Lawrence
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi,

Where should we be looking to see what work is being done? I can't see any activity on issues in the tracker.

 
Average of ratings: -
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Translators

Hi Damyon,

Like Ray, I didn't find any information about progress. One issue was closed with notification: won't fix. None of the other issues is connected with a developer.

Is anybody working on this in background?
Can we expect first improvements in 3.4?
What is planned for 3.5?

Can we help with developer resources?


Ralf


 
Average of ratings: -
Me!
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi - unfortunately we did not get any time in the dev cycle for 3.4 to work on this. This is obviously important work, but the priorities for 3.5 have not been decided yet either. 

The changes described in that Epic are only really enhancements that will assist some people with their compliance obligations. There is nothing in Moodle that would prevent someone from complying with the new regulations. Regardless of the changes in Moodle - most of the work around compliance is non-technical and requires each site to understand their obligations and provide information to their users.

The information provided in:

https://docs.moodle.org/dev/GDPR_For_Administrators

was probably the most important piece in that it should give administrators the information they need to plan their own path to compliance. 

Anyone is free to pick up issues from that Epic and work on them and we will be happy to integrate their work.

Regards, Damyon

 
Average of ratings: -
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Translators

Hi

Thanks for your quick response.

You are correct when you argue most of the GDPR definitions are organisational and not technical. But these aspects are not new in European laws. I.e. most of them were identical in German laws that are replaced by GDPR now.

On the other hand there are other new regulations that have to be supported by technical solutions. These are especially 'right to be forgotten' (it's more than deleting an account), report about stored data, export of stored data, etc.

In combination with very high penalties this is critical.

Ralf

 
Average of ratings: Useful (1)
Ruth Horak
Ang: Re: EU General Data Protection Regulation (GDPR) compliance
 

Denmark here. :)


I totally agree with Ralf. Technical solutions have to support organisational change. 

The GDPR has been a lot on my mind lately. 

In our organisation (language school for adults), we have to re-think personal data from scratch. One example: Our teachers have so far had the right to backup, download and restore their own courses. I guess this would be a GDPR breach as well (right to be forgotten >< user data stored on the teacher's pc)?


Thank you for the very helpful links. I have added them to my own admin moodle space for further use.


 
Average of ratings: -
Ralf Hilgenstock
Re: Ang: Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Translators

Hi Ruth

Thanks for your post. I see several requirements that need some development. Headquarters is aware of this and is planning several improvements. The aspect that you mention is not per se a problem.

In the default setting a teacher can't create a backup including student data. So backup and restore is no problem from a GDPR perspective. But a teacher can download grades and students' assignments. You can prohibit this by role management without any improvements in Moodle.

It's not generally a breach of GDPR if a teacher can download students' data if you've defined what is allowed and what is not allowed and how they have to handle such data, including. If a teacher takes written classwork home for correction or uses a paper-based gradebook at home, he also has personal data.

The right to be forgotten is limited by institutional interests or technical aspects in GDPR. This is an issue we have to make very clear for each user and in public.

You should generally define your internal policies for teachers how to handle such data. From my perspective teachers aren't external  third parties if they get access to personal data.

Ralf

 
Average of ratings: -
Ruth Horak
Ang: Re: Ang: Re: EU General Data Protection Regulation (GDPR) compliance
 

Thank you for your advice and input! 

I must admit that I have only just started to read about the GDPR, as I have been appointed admin of our LMS only recently.

I think the biggest challenge we face is on the organisational level - we have to revisit all our practices, starting from taking written exams back home, printing sensitive data and leaving them somewhere, etcetera. 

Moodle seems actually the easiest place to start... :)

Ruth 

 
Average of ratings: -
Ted Long
Re: Ang: Re: Ang: Re: EU General Data Protection Regulation (GDPR) compliance
 

One issue I have raised in the tracker is that of security. For example, current administration accounts are fairly vulnerable as they’re only protected by a password. 


https://tracker.moodle.org/browse/MDL-60577


A large part of GDPR is being able to ensure data is protected and therefore it’s really important we’re able to at least protect the admin accounts in a more secure way. 

I’ve suggested two factor authentication as standard for administration accounts, and we could also consider IP locking etc. I’d appreciate any votes on the tracker as I think this is crucial to ensuring there’s no data breach. 


Currently, all a would-be hacker needs is access to your password - there are multiple ways they could get this, hack, phishing email, etc., so it's really crucial we secure admin accounts.

 
Average of ratings: -
Dan Marsden
Re: Ang: Re: Ang: Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Moodle Course Creator Certificate holders, Particularly helpful Moodlers, Plugin developers, Plugins guardians, Testers, Translators

You don't have to use manual accounts in Moodle for your admins - you could quite easily use a different authentication method that allows 2FA such as one of the Oauth providers. (On install Moodle will create a manual account but you can easily change this after install.)

 
Average of ratings: Useful (2)
Matteo Scaramuccia
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Plugin developers

Hi Eddie,
If you want the Community to be involved by following MDL-60577, you should downgrade the security level to "Could be a security issue" or remove it altogether, maybe after a first discussion there with the Owner of the Component in which you've raised the issue; otherwise, people "not invited" there won't see anything of it.

HTH,
Matteo

 
Average of ratings: Useful (1)
Josiah Carberry
Re: EU General Data Protection Regulation (GDPR) compliance
 

It is pertinent to note that the EU considers two main criteria for the applicability of the regulations:

  • the location of the provider organization
  • the location of the users targeted by the provider

Thus, the EU considers that any organization based outside of the EU but providing goods or services to people residing within the EU is also subject to GDPR compliance.

What is more, some countries, such as Switzerland, have formally recognized the right of the EU to require such compliance.

Thus, depending on the nature of your organization's training and to whom it is offered, you might very well be expected to comply, even though you are not based in the EU:

 
Average of ratings: -
Paul Przemysław Polański
Re: EU General Data Protection Regulation (GDPR) compliance
 

Correct! It is the so-called "long arm" provision of GDPR. All service providers, whether located in the EU or outside of the EU, are expected to comply with the GDPR.

We shall consider the following GDPR requirements that should be of special interest to the community of Moodle developers:

  • the right to be forgotten (all user's data shall be easy to delete, incl. posts to forums).
  • the right to transfer data to other service provider (e.g. in XML format)
  • information requirements concerning e.g. the place where personal data are actually hosted and whether they are transferred to third-countries (i.e. countries that do not have special agreement with the EU Commission).
  • data breach notification.

This is only a tip of the iceberg, but I am happy to help a bit more with this challenge.

Regards,

Paul

 
Average of ratings: -
Josiah Carberry
Re: EU General Data Protection Regulation (GDPR) compliance
 

I wonder what the case will be if a site is located outside of the EU in a country that has not explicitly decided to comply with the EU regulations. Since the EU has no authority in that country, on what basis could it try to enforce compliance? Would it require EU ISPs to filter out traffic from that site? What else could it do?

 
Average of ratings: -
Paul Przemysław Polański
Re: EU General Data Protection Regulation (GDPR) compliance
 

Well, the GDPR contains the so called long-arm provision, which essentially means that the regulation is also applicable to all entities that process personal data at a distance. This, at least in theory, means that the regulation could be used against any business located outside of the EU to enforce compliance.

Possible sanctions? Well, in case of EU companies the law is clear and sets out a number of enforcement mechanisms e.g. financial fines up to 4% of global turnover or 20 mln euro. 

In the case of non-EU companies the situation is a lot more complicated and the mechanism of sanctions is yet to be clarified. The situation might be different in case of third countries that signed special agreements with the EU in order to comply with the GDPR (e.g. the US and the Privacy Shield (sic!)) and countries that do not have such arrangements in place. 

In short, EU companies or companies that comply with the GDPR won't be able to cooperate (exchange data) with a company that does not comply with the GDPR. Possible fines are possible if such a company cooperates with the EU business that is obliged to comply with the GDPR (then it would hit the EU business and could result in reciprocal charges). Blocking or filtering traffic would be another option that shall be taken into account.

 
Average of ratings: -
Roger H
Re: EU General Data Protection Regulation (GDPR) compliance
 

Presumably, in the limited scope of Moodle use within universities, enforcement would be on the universities who use such services for using non-compliant services rather than against Moodle itself?

 
Average of ratings: -
Retro Drive
Re: EU General Data Protection Regulation (GDPR) compliance
 

@Roger H Responsibilities are defined between processors and controllers. A hosting company might be deemed a processor and an educational institution might be a controller. However, if you host your own moodle, then you are both.

 
Average of ratings: -
Claudio Visa
Re: EU General Data Protection Regulation (GDPR) compliance
 

Good afternoon, a question: will the EU General Data Protection Regulation (GDPR) also be taken into account in Argentina?

I have Moodle at a private university and I would like to implement this regulation.


Regards

 
Average of ratings: -
Randy Thornton
Re: EU General Data Protection Regulation (GDPR) compliance
Documentation writers

Claudio,

The answer is that any company, institution or organisation that processes personal data about EU citizens is obliged to comply with it, no matter where it is located.

So if your university has users, such as students or teachers, who are EU citizens, then it has to comply. This applies not only to Moodle data but to all systems.

I don't know the details for Argentina or other South American countries, but this is what the general regulation requires.

I suggest starting a thread on this topic in the Spanish-speaking forums. There are some people there who are knowledgeable about this, or who will at least have the same question.

Cheers,

Randy

 
Average of ratings: Useful (1)
Gareth J Barnard
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Plugin developers

Hello,

It's great that Moodle are putting together a Privacy API, what I'm currently struggling with pertains to the definition of 'personal data' from a GDPR legal standpoint to know and understand what data in my plugins needs to comply.  So with reference to https://moodle.org/mod/forum/discuss.php?d=365857#p1475972 - as administrators are users who are people then clearly the data they enter would be covered when attributed to (and logged as an event) then they have a right to be forgotten too.

As 'personal data' is defined in GDPR as 'means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;'.  So clearly the 'user id' is such, but what about other data associated with it?  Is the whole aspect here to determine if a bit of data can directly or indirectly be tracked back to a given user then it needs to have the rights of: knowing of it, knowing its value and to be deleted.

Take the scenario of an administrator setting the colour of a theme, then if the theme does not associate a user id with that colour value via any storage mechanism then possibly no need to worry about GDPR.  But what if the action is logged?  Then given one element of data being the colour setting value then you could indirectly track back to the administrator who set it.  Thus they would have the right for the data to be deleted and the defaults set.

Another scenario is the developers' rights, as we are people too. So if I were to remove a plugin from the Moodle.org database then I could request under GDPR that everyone delete that plugin as the PHP files have my name and contact details = personal identification of a user with data stored on a computer. If valid, how would this scenario be handled?

What about course format options (https://github.com/moodle/moodle/blob/MOODLE_34_STABLE/course/format/lib.php#L563) that can be defined for a course in a course format (contributed)?  Is it possible for events / logs to be activated when an editing teacher changes a course setting?  If so, is that 'personal data'?

Also in Andrew Nicols' document (https://docs.google.com/document/d/1Y7n4Qkez4Tl83rWArOQPQCpE2NeSA2bUa8gOR2r_JFE) there is the mention of 'Additionally, any free text field which allows the user to enter information must also be considered to be the personal data of that user.' on page 6, so does that imply that all free text fields need to be validated to ensure that they contain the type of data required (like CSS) and not personal data? And how can a developer ever truly validate that when there is the CSS 'content' attribute? But.... as the controller under GDPR (I believe) is responsible then where does blame lie when things go wrong?

Thus then, does GPLv3 protect developers from violations of GDPR?

Also, if I have a 'mind that bus, what bus? Splat' moment, would I have the right (being in the UK under EU law before Brexit when GDPR comes in) after I'm gone for all my posts on Moodle.org to be removed?  Not that really I'd want to because of the informational value I consider it gives as a benefit to the community.  But what would happen?

So what are people's thoughts out there please? Are there any lawyers in the community who can answer what does and does not constitute 'personal data' and other points I've raised please?

Cheers and happy head scratching,

Gareth

 
Average of ratings: Useful (1)
Josiah Carberry
Re: EU General Data Protection Regulation (GDPR) compliance
 

I should think that the right to be forgotten needs to be distinguished from other rights, such as the right to know what personal data is being held. Suppose a student at a university fails a course miserably and the teacher records comments about the student's performance. The student could hardly demand that those comments be deleted, thanks to a right to be forgotten. Similarly, someone buys an item online and pays for it. Those transactions must appear in the accounts of the vendor and cannot be deleted simply because the customer would prefer that there be no trace of the purchase.

The big issue I see concerns the distinction between data that is related to a person, but is not used by the operator to identify that person and the same data, often used together with other data, that together could be used, and is indeed being used, to attempt to identify the person. For example, suppose knowing which browser version is used by a person is of little use in identifying that person, but is nonetheless often used by the system for various other purposes. However, the browser version in combination with a variety of other elements (OS version, IP address, etc. etc.) is regularly being used by some organizations to try to identify individuals and track their behavior. So, outside of the cases where data is obviously used to identify people (names, ID numbers and such), what is the deciding factor for compliance requirements: the fact that the data could conceivably be used as personal data, or the fact that the operator is using the data as personal data?

 
Average of ratings: -
Randy Thornton
Re: EU General Data Protection Regulation (GDPR) compliance
Documentation writers


Gareth,

Some good questions here.

Some of those scenarios have been provided for. There's a very important difference between the data itself and the metadata, the fact that it is set by a particular person and what is set. 

The GDPR defines personal data pretty clearly and it covers basically "all the means likely reasonably to be used either by the controller or by any other person to identify the said person."

So, if an admin sets a color in a theme, the fact that they set it at a particular place and time may be a personally identifiable fact about them because the event is logged with a userid. But the setting per se is not a personally identifiable fact (certainly not "reasonably").

So, to comply I would remove the personally identifying fact by changing the username to de-identify the admin but I am not changing the setting. 

Likewise for code or content: I may need to de-identify or remove your name or email from the copyright statement in the code in your plugin to comply, but I am not uninstalling the plugin. As copyright holder you licensed it already under GPL and removing your personally identifying information doesn't change that.

The admin situation complies because it has become "pseudonymous data" since simply de-identifying a person is sufficient in many situations. There are sections in the GDPR to cover this (e.g. Recital 26, 28, 29) and how to do it (e.g. using tokens).

Plus of course, the right to erasure is not unlimited or general: there are very specific grounds required to invoke this as set out in Article 17. And even in many of those cases, the data can remain as long as it is de-identified. 

Admins, as for HR staff and Data Privacy Officers, often view and manage personal data of others as part of their duties. So, some of what an admin does as part of their job may need to be kept for compliance itself. That's one reason for using de-identification through pseudonymisation.

Personally, I would take the conservative approach that I would never simply delete any admin's personal data from Moodle but I would de-identify through pseudonymisation instead. That's a decision for the DPO to make in any case, not the admin. There's whole buckets of rules about this, and local laws have an influence too, and that's why there's a DPO.


 
Average of ratings: Useful (1)
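
The de-identification described in the post above for the logged theme-colour change, sketched as an added example (not Moodle code and not part of the original posts): the admin's id is swapped for a keyed token while the recorded setting stays as it was. The row layout, field names, event names and key are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed demo key. Whoever holds the key can recompute a user's token,
# so in practice it is stored apart from the log it protects.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample log rows; field names are assumptions for this example.
# Row 3 is the admin (id 2) acting while logged in as user 57.
EVENTS = [
    {"id": 1, "userid": 2, "realuserid": None, "ip": "192.0.2.10",
     "eventname": "config_changed",
     "other": {"name": "brandcolor", "oldvalue": "#ffffff", "value": "#1177d1"},
     "timecreated": 1521450000},
    {"id": 2, "userid": 2, "realuserid": None, "ip": "192.0.2.10",
     "eventname": "logged_in_as", "other": {}, "timecreated": 1521450300},
    {"id": 3, "userid": 57, "realuserid": 2, "ip": "192.0.2.10",
     "eventname": "course_viewed", "other": {}, "timecreated": 1521450360},
    {"id": 4, "userid": 57, "realuserid": None, "ip": "198.51.100.7",
     "eventname": "course_viewed", "other": {}, "timecreated": 1521460000},
]

ID_FIELDS = ("userid", "realuserid")  # columns that point at a person


def token_for(userid, key):
    """Stable keyed token for one user. A plain hash of a small integer id
    could be reversed by trying every id; an HMAC cannot without the key."""
    digest = hmac.new(key, str(userid).encode("ascii"), hashlib.sha256).hexdigest()
    return "pseudo-" + digest[:16]


def pseudonymise(events, userid, key):
    """Return new rows with every reference to `userid` replaced by its token.

    The logged setting ("other") and timestamps are kept. The IP address is
    blanked on rows where the subject was the real actor, since it is an
    online identifier of that person."""
    token = token_for(userid, key)
    result = []
    for row in events:
        new = dict(row)
        actor = row["realuserid"] if row["realuserid"] is not None else row["userid"]
        for name in ID_FIELDS:
            if row[name] == userid:
                new[name] = token
        if actor == userid:
            new["ip"] = None
        result.append(new)
    return result


def residual_identifiers(rows, userid):
    """Post-run check: ids of rows that still reference `userid` directly."""
    return [r["id"] for r in rows if any(r[name] == userid for name in ID_FIELDS)]


def rows_for(rows, userid, key):
    """The key holder can still find the subject's rows, which is what makes
    the result pseudonymous rather than anonymous."""
    token = token_for(userid, key)
    return [r for r in rows if token in (r["userid"], r["realuserid"])]


if __name__ == "__main__":
    for row in pseudonymise(EVENTS, 2, DEMO_KEY):
        print(row)
```
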
Randy Thornton
Re: EU General Data Protection Regulation (GDPR) compliance
Documentation writers

I thought a bit about the issue of the GPL and GDPR, in the hypothetical case where a developer requests removal of their name from code under the right of erasure provision of GDPR. I said before, I would not remove the code, but I may remove the attribution. On reflection, I think I would not remove even that.

If you submitted a request to me under right to erasure for removing your copyright information from code, I would reject it under Article 17.3(e). 

It states that right to erasure does not apply when processing is necessary "for the establishment, exercise or defence of legal claims."

Since the GPL is a license, and as licensee I have the right to the legal protection of the license and that means knowing who the copyright holder is to defend my claim to use the license.

The copyright statement is required in the GPL along with the full text of the license, which makes complete sense since only the actual copyright holder has the right to make the license. As GPL 3 puts it, ".... Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software ..."  If you are a copyright holder, you have to assert that in the license. GPL requires it and Moodle requires it.

If you just want to get your copyright out of the code, you could, if your country allows and not all do, transfer your copyright to another person, or also to an organization or company (which are not covered under right to erasure anyway).

Now, there might be cases where the right of erasure request is valid. For instance, if you weren't actually the copyright holder. Say someone had falsely put your copyright into some malicious code, had gotten caught, and you were trying to correct that to clear up your reputation, I imagine that would fall under the right of erasure. I didn't actually license it from you, as it turns out. So, the reason for the request is important because the DPO has to make sure the request meets the criteria for erasure.



 
Average of ratings: Useful (1)
Tim Gildersleeve
Re: EU General Data Protection Regulation (GDPR) compliance
 

There are many cases where the "right to erasure" does not apply. This makes sense really when you consider its original intent. It was written to protect people from things like old index entries in search engines. For example someone accused of a crime and reported in papers but later exonerated - they can request that Google (for example) remove links to the reports of their suspected guilt. The right to erasure wasn't designed for someone just wanting their stuff removed for no reason.

 
Average of ratings: -
Memet Ødegaard Cataltepe
Svar: Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi!

I've read the page http://docs.moodle.org/dev/GDPR_For_Administrators and it's explaining a lot! Thnx

One thing (out of many) I'm unsure about

We operate with one admin user that is being used when helping our customers. Since a person has the right to know who was logged in and viewed their user information, would our practice with the admin user be legal? Or does each person that should have admin privileges need to have their own admin user so we can track who did what?

 
Average of ratings: -
Ray Lawrence
Re: Svar: Re: EU General Data Protection Regulation (GDPR) compliance
 

Only your own legal adviser can give you a meaningful answer to that question.

 
Average of ratings: -
Tim Gildersleeve
Re: Svar: Re: EU General Data Protection Regulation (GDPR) compliance
 

Regardless of legal requirements for GDPR, I would strongly advise having a separate account for everyone that has admin access.   For audit tracking this is really needed.   Quite apart from GDPR if someone makes a claim against someone with admin access - you need to be able to track down who that was.   If an admin user abuses their power - you need to know who it was.  Even if they use their power to "logon as" another user - that will be logged as user and effective user.  You need that audit trail for protection of your own people in my opinion.


 
Average of ratings: -
Chris Baldwin
Re: EU General Data Protection Regulation (GDPR) compliance
Testers

Hi all

With less than three months to go, at the time of writing, until GDPR becomes law, my compliance manager is asking questions about this.

Do we have any timeframe for when the plugins will be released? Looking at the tracker, there seems to be lots of work going on, but I'm not clear on when there'll be something to look at: https://tracker.moodle.org/browse/MDL-59286

Thanks

Chris

 
Average of ratings: -
Chris Baldwin
Re: EU General Data Protection Regulation (GDPR) compliance
Testers

... I also have some questions around deleting user data. According to  https://docs.moodle.org/34/en/Browse_list_of_users#Deleting_an_account - deleting a user doesn't remove their data from the database - so how can an admin do that? It doesn't look like any of the plugins in development actually do that. Just wondering if anyone's addressed this issue. There was some discussion in the tracker on that, but I'm not sure what the outcome was.

Thanks

Chris

 
Average of ratings: -
Andrew Nicols
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Testers

Hi Chris,

We are releasing a new Privacy API which all components will have to adhere to.

This API is designed to handle both Subject Access Requests, and Deletion requests.

The body of work in MDL-61306 handles these changes and we expect the first part of that work to be part of the next point release due to be released in the next week or so.

Andrew

 
Average of ratings: Useful (1)
Chris Baldwin
Re: EU General Data Protection Regulation (GDPR) compliance
Testers

Hi Andrew

That's very useful - thanks. Will these updates be deployed to any of the demo sites: https://moodle.org/demo/ - that would be very useful for compliance people in my company - and elsewhere - to take a look.

Thanks again

Chris

 
Average of ratings: -
Andrew Nicols
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Testers

I'm currently in the process of building up our prototype site and hope to have it ready in the next few hours.

The API currently supports Subject Access Requests, the right to be forgotten, and privacy by design and this will be implemented by a number of the core Moodle plugins.

The tool we are writing currently only supports Subject Access Requests, and the Right to be forgotten and is not yet complete. We will be building on the tool to finish off these two components, as well as adding the data registry, and to support privacy by design over the next few weeks.

Once the prototype site is up we will comment with the details.

Andrew

 
Average of ratings: Useful (1)
Andrew Nicols
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Testers

Hi Chris,

We're actively working on the various implementations. The first parts of this new functionality will be part of the next point release, which is due in the next week. The Subject Access Request, and Right to be Forgotten are covered under MDL-61306 which is an extremely active issue.

I hope to push a prototype site covering SAR by the end of this week.

Andrew

 
Average of ratings: Useful (1)
Retro Drive
Re: EU General Data Protection Regulation (GDPR) compliance
 

... and will the 'soft' database delete be fixed? 

 
Average of ratings: -
Andrew Nicols
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Testers
Sorry, but can you explain what you mean by the ‘soft’ delete? I don’t understand that terminology.

Andrew
 
Average of ratings: -
Chris Baldwin
Re: EU General Data Protection Regulation (GDPR) compliance
Testers

I guess that @adam is referring to the fact that currently 'delete' doesn't really delete all user data from the database - just from admin view - that's what I understand by the term 'soft delete'.

 
Average of ratings: -
Retro Drive
Re: EU General Data Protection Regulation (GDPR) compliance
 

Chris - you're absolutely right - by soft delete, I mean that the link to the data is removed, but the actual data is still in the database (and can be reactivated).


As far as I understand it, a soft-delete won't meet the requirements for GDPR, as you shouldn't hold data for data-subjects when there is no legitimate need to. We would require a hard-delete - i.e. the entry will no longer exist in the database. I've spent most of the last couple of months working for my company on getting ready for GDPR, and our lead developer mentioned this about moodle right off the bat. I'm interested to hear the developers' approach to this.

 
Average of ratings: Useful (1)
Matteo Scaramuccia
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Plugin developers

Hi Adam,
I'm absolutely new to GDPR, so I apologize in advance if I'm wrong:

i.e.  the entry will no longer exist in the database

Could the data still remain in the database but the relation with the user "removed" via an anonymization process?

TIA,
Matteo

 
Average of ratings: -
Retro Drive
Re: EU General Data Protection Regulation (GDPR) compliance
 

No, the data cannot remain in the database. According to the GDPR guidelines, you can only hold data when you have a legitimate reason to do so. If someone wishes to stop using your instance of moodle, then you no longer have a reason to hold data about that person.

 
Average of ratings: -
Tim at Lone Pine Koala Sanctuary
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Documentation writers, Particularly helpful Moodlers, Plugin developers

You can only hold personally identifiable information.

Sometimes, the correct response to a deletion request is to anonymise the data, rather than delete it.

E.g. suppose I sell you a Moodle plugin for €100, then you ask me to delete all the information I have about you. Well, the record of that €100 must be kept in my accounts, so that I can accurately report my income at the end of the year. However, presumably I do have to delete the information that the person that sale was to was called Adam.

(Hypothetical example. I have never charged for a Moodle plugin.)

 
Average of ratings: -
Rick Jerz
Re: EU General Data Protection Regulation (GDPR) compliance
Particularly helpful Moodlers

Might "anonymize the data" be a simple name change?  Or has this already been discussed, and not allowed?

 
Average of ratings: -
Tim at Lone Pine Koala Sanctuary
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Documentation writers, Particularly helpful Moodlers, Plugin developers

You need to eliminate all 'personally identifiable information', and what that phrase means is defined in the legislation.

 
Average of ratings: -
Retro Drive
Re: EU General Data Protection Regulation (GDPR) compliance
 

Anonymisation is a good way around it and would be something we are keen to track.

 
Average of ratings: -
Andrew Nicols
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Testers

The 'soft delete' is entirely unrelated and we are not treating it the same at this time.

 
Average of ratings: -
Ian MacKinnon
Re: EU General Data Protection Regulation (GDPR) compliance
 

Do you mean you're treating full user data deletion as entirely unrelated to GDPR requirements?

 
Average of ratings: -
Andrew Nicols
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Testers

Hi Ian,

Yes. We are treating them entirely separately, and we have to do so for a number of reasons, but the main one is that we are applying the GDPR changes to Moodle 3.3, and Moodle 3.4. These have already been released and we have very strict policies about not making any kind of potentially breaking change. If we were to change the standard user deletion from the current soft-delete to a hard delete this would constitute a breaking change.

It may be that, in a future Moodle version, we could look at having the existing delete infrastructure perform a hard delete using the new privacy API, but this is not part of our current focus.

Andrew

 
Average of ratings: -
Retro Drive
Re: EU General Data Protection Regulation (GDPR) compliance
 
I don't see it as 'entirely unrelated' as one of the GDPR 'rights' is right to erasure. How is that unrelated?

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

How do you think this is going to employ a 'breaking change'? I understand that a soft delete fix isn't going to make the next release, but could it be in place before May 25 2018? This is the real issue as that is when people would really need to be compliant.
 
Average of ratings: -
Andrew Nicols
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Testers

Hi Adam,

Although we won’t be changing the existing deletion mechanism at this time, we will be providing the ability for users to be forgotten via a different means.

It is a breaking change as it is a change in behaviour. There are two main issues:

1) some institutions may have made customisations around this deletion (unlikely); and

2) We cannot simply delete the data because we do not control all of the data.
Moodle plug-ins themselves do not understand the concept of deletion and the core does not know how they store their user data, or where that data is.

If a single module hasn’t implemented the new api, and we were to outright delete the main user record itself we could break the site in various ways - ie a non-compliant module tries to get user info for a user who does not exist and does handle that missing data well.

We have written a new api which facilitates the deletion of user data - both on a per-user basis, and also in a rolling fashion where retention periods have expired.

There may still be cases where we are unable to delete all data because the plugin has not implemented the new apis yet. In those cases we intend to delete all data that can be deleted, anonymise the core data which is still required in order not to break the site, and then reattempt deletion again at a later time.

I hope that clarified the issue a little more,

Andrew

 
Average of ratings: -
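
The fallback described in the post above (delete what plugins can delete, anonymise the core record while any plugin still holds data, retry later), modelled as an added example that is not Moodle's Privacy API or code from this thread. The `Plugin` and `Site` classes, their methods and the sample rows are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Plugin:
    name: str
    supports_erasure: bool              # has the plugin implemented the new API?
    rows: list = field(default_factory=list)

    def holds(self, userid):
        return any(r["userid"] == userid for r in self.rows)

    def erase(self, userid):
        self.rows = [r for r in self.rows if r["userid"] != userid]

    def render_author(self, row, users):
        # Written the way much existing code is: assumes the user row exists.
        return users[row["userid"]]["fullname"]


@dataclass
class Site:
    users: dict
    plugins: list
    pending: dict = field(default_factory=dict)   # userid -> plugin names to retry


def build_demo_site():
    """Constructed data: one plugin with erasure support, one without."""
    users = {7: {"fullname": "Ada Example", "email": "ada@example.invalid"},
             8: {"fullname": "Bo Example", "email": "bo@example.invalid"}}
    forum = Plugin("forum", True, [{"userid": 7, "data": "post A"},
                                   {"userid": 8, "data": "post B"}])
    notes = Plugin("contrib_notes", False, [{"userid": 7, "data": "note"}])
    return Site(users, [forum, notes])


def naive_hard_delete(site, userid):
    """Drop the core user row regardless of what plugins still reference it."""
    del site.users[userid]


def erase_user(site, userid):
    """Erase everything that can be erased; return the plugins that block
    full deletion. While any remain, the core row is kept but anonymised so
    that lookups from those plugins still resolve."""
    blocked = set()
    for plugin in site.plugins:
        if plugin.supports_erasure:
            plugin.erase(userid)
        elif plugin.holds(userid):
            blocked.add(plugin.name)
    if blocked:
        site.users[userid] = {"fullname": "Deleted user", "email": None}
        site.pending[userid] = blocked
    else:
        site.users.pop(userid, None)
        site.pending.pop(userid, None)
    return blocked


def retry_pending(site):
    """Re-attempt erasure for every user with an outstanding request."""
    for userid in list(site.pending):
        erase_user(site, userid)
    return dict(site.pending)


if __name__ == "__main__":
    site = build_demo_site()
    print("blocked by:", erase_user(site, 7))
    site.plugins[1].supports_erasure = True      # plugin gets upgraded
    print("still pending:", retry_pending(site))
```
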
Ray Lawrence
Re: EU General Data Protection Regulation (GDPR) compliance
 

Andrew may not be aware of the full extent of the GDPR work underway. The person in charge, Sander Bangma, has confirmed to me:

We are implementing a GDPR compliant function to allow users to invoke their 'Right to erasure', which will leverage the new plugin API we are building and will go through all plugins to delete the data also from the DB.


 
Average of ratings: -
Sander Bangma
Re: EU General Data Protection Regulation (GDPR) compliance
Moodle HQ, Particularly helpful Moodlers, Plugin developers

Hi Ray,

I think some of this may have got lost 'in translation' here on this forum. To avoid any further confusion I'll clarify:

  1. The current user deletion function will remain; this is where the user is deleted but the data stay in the DB. This is existing functionality within Moodle and we are currently not intending to remove this.
  2. In addition to this we are implementing a GDPR compliant function to allow users to invoke their 'Right to erasure', which will leverage the new plugin API we are building and will go through all plugins to delete the data also from the DB.

Andrew and several others in the team are currently working on the implementation of the GDPR right to erasure.


 
Average of ratings: Useful (2)
Retro Drive
Re: EU General Data Protection Regulation (GDPR) compliance
 

@Sander - thank you for the clarity and thank you and all the devs for the work put in to the code. I'm looking forward to the next release. The company I work for have sat on an older version of moodle for some time and they are looking forward to having a newer version - GDPR has been a good motivator for us to move forward with moodle.

 
Average of ratings: Useful (2)
Chris Baldwin
Re: EU General Data Protection Regulation (GDPR) compliance
Testers

Hi all

Thanks for all the work that's going into this.

I have a question on how the new 'Right to erasure' tools will impact the back end data. Specifically, if I need to analyse my data for, say, number of students over the last 5 years, students completing X number of courses, etc - aggregate data, not PII (personally identifiable information) - how will that aggregate data be impacted by these erasures? (I'm using the term 'erase' rather than 'delete' to distinguish between just deleting from the admin interface, and a full GDPR compliant erasure). Will the new tool have the ability to configure the way it works?

I'm looking forward to seeing the prototype site, @Andrew Nicols

I'll be aiming to use 3.3 - will the tools be released for 3.3, 3.4 and 3.5 together?

Thanks again

Chris in Hong Kong smile

 
Average of ratings: -
Ted Long
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi everyone

This is a really great piece of work and looking forward to seeing it in action!

I keep getting two very specific requests around GDPR and how this will affect Moodle, so I'd be grateful if anyone can assist?

1. Encryption - I've raised a post discussing encryption for our particular set-up here, but is there a reason encryption of the user data within the database is not as standard? Here in the UK, the Information Commissioner's Office (the regulator) has maintained that encryption is highly recommended (see bullets below). I'm not sure about the technical requirements this might have, but it does make sense on the face of it for this to be a feature - given that we are all dealing with large amounts of personal data.

  • "...implement measures to mitigate those risks, such as encryption." (P51. (83))
  • "...appropriate safeguards, which may include encryption" (P121 (4.e))
  • "...including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data." (P160 (1a))
  • "...unintelligible to any person who is not authorised to access it, such as encryption" (P163 (3a))

2. Two-factor Authentication

I've seen that there is some work to incorporate 2FA but at the moment, this appears to only be via Moodle contributors, not as an official part of Moodle (but perhaps I am wrong). Given the increased onus on security as part of GDPR and how crucial 2FA can be to that (particularly for Admin accounts who are able to log-in via the main portal and have unrestricted access to all personal data with just a password), is 2FA not advisable (for admin accounts at least)? I understand that we may already be able to implement via a third-party plug-in, but this carries risks to it given that these might not be maintained?

Kind regards

Ted


 
Average of ratings: Useful (1)
Retro Drive
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Ted,

As far as I understand GDPR, encryption is not mandatory, but is recommended. We are planning to get around this through encrypting the whole database (instead of having each individual field encrypted). The database will sit on an encrypted file-system.

In terms of 2FA - again, this isn't directly related to GDPR, but is advisable. This isn't something we are planning to implement at the moment, as we have other pressing issues that are higher in the priority for compliance with GDPR legislation.

I hope this helps,


Adam

 
Average of ratings: Useful (1)
Ted Long
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Adam

Many thanks for the very quick response.  Just to clarify - is the encryption of the whole database something that is being worked upon as part of the GDPR piece of work or separately?  Just curious in terms of timelines of implementation.

Kind regards

Eddie

 
Average of ratings: -
Martin Greenaway
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Eddie, 

Not wanting to answer for Adam, but encryption of the database is something that your DBMS or your hosting provider may support; it should be independent of the Moodle code base.

Regards,

Martin

 
Average of ratings: -
Retro Drive
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Martin -  your reply supports what we are planning to do. Thank you for adding to Eddie's query.


Adam

 
Average of ratings: -
Ted Long
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi all - so, to confirm - is encryption something we could look at doing now or should we wait for this as part of the development process? I'm slightly confused!

 
Average of ratings: -
Retro Drive
Re: EU General Data Protection Regulation (GDPR) compliance
 
Hi Ted,

You can start looking at it now - I think it will be something Moodle will not be planning to implement - encryption is more of a server thing (or web hosting solution), instead of Moodle doing that.

Adam


 
Average of ratings: -
Martin Greenaway
Re: EU General Data Protection Regulation (GDPR) compliance
 

Yes, you can (should?) look at doing this now.  To ensure that data is encrypted at rest, you have two options.

  1. Encryption of the disk on which you store your Moodle database (this can be a separate volume than the one you're booting the system from, or storing the Moodle web files on), or
  2. Encryption of the stored data within the database using a function supported by the DBMS (MySQL, SQL Server or whatever it is you use). For MySQL, though, I think encryption of data at rest is supported only on the Enterprise edition, so you may find that for other database systems there are also licensing constraints.

Cloud hosting providers should be able to allow you both of these options - for instance, they are both available in Amazon AWS (EBS volumes can be encrypted individually, and Amazon RDS provides encryption options).

In either case, there are still risks as these options are not a complete security solution on their own. If the user is on the machine in question with a user that has appropriate read privileges, then they can read the files on an encrypted volume.  If they have a password for the database server and/or are on the machine with a user that has privileges to (for example) execute PHP code on the machine, then they can still access encrypted data in the database.  The encryption of data at rest is to guard against the theft of the database by unauthorised users. If a hacker gains access to an authorised user account (whether on the server or the database), then they will have all of the access that authorised user *should* have.

People do say that data security is like an onion with many layers, but in fact it's more like a chain with many links; you have to do all of the parts of it *well enough* otherwise the chain will break.

 
Average of ratings: -
Gareth J Barnard
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Plugin developers

Hello,

I know I've mentioned this before - https://moodle.org/mod/forum/discuss.php?d=352538#p1476115 - but another scenario has been mooted to me.

What if there is a data breach under GDPR and the operator is fined as such? Would parts 15 and 16 of GPLv3 - https://www.gnu.org/licenses/gpl-3.0.html - protect the developer (or Moodle HQ for that matter) from having a civil law suit for damages against them by the operator that was fined? What about other bits of code that are not GPLv3 like the JS? Would other open source licenses protect you, like MIT?

If so then if there was a suit against me and I then was using the user preference API, could I then sue Moodle HQ?

Gareth

 
Average of ratings: -
Ray Lawrence
Re: EU General Data Protection Regulation (GDPR) compliance
 
Gareth,


My advice to you is pay for some specific advice from a GDPR specialist lawyer.

 
Average of ratings: Useful (1)
Gareth J Barnard
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Plugin developers

Thank you Ray, I will consider that but going to do more reading and see what other advice is out there first.

 
Average of ratings: -
Visvanath Ratnaweera
Re: EU General Data Protection Regulation (GDPR) compliance
Particularly helpful Moodlers
So more laws, more lawyers!
sad

Although GDPR is not a bad thing, it is the only powerful opposition to the tech giants, we are still at the beginning. Should take example in the development of the GPL: understand what is happening and take a stand!
 
Average of ratings: -
Retro Drive
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi @Gareth - software suppliers are rarely involved in a claim against them. The earliest spreadsheets, written by Lotus, way back, had clauses that exonerated them from any claim you might have had (say an engineer used it to help build a bridge that eventually fell down).

Open source software is exactly the same. You have no claim and they accept no responsibility. If you use it, and it breaks, and you are liable, then the liability stops with you.

I am not a lawyer, and as a result, I'm not accepting any liability for anything I've said here. You should seek your own legal advice if you are really unsure and want your legal responsibility to be water tight.

 
Average of ratings: Useful (1)
Gareth J Barnard
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Plugin developers

Thank you for your reply and information Adam.

I don't think anything is truly clear cut, but it does seem with GPLv3 that it is a good licence.  I need to think more.

 
Average of ratings: -
Chris Baldwin
Re: EU General Data Protection Regulation (GDPR) compliance
Testers

Hi all

Thanks for all of the hard work that's going on with this.

I have a few questions with regards to the right to be forgotten/erasure. 

I understand that the standard 'delete' in Moodle is not GDPR compliant as it leaves user data in the database. The new privacy API provides a way for plugins to delete user data. How will this actually work from a Moodle admin perspective? If I hit 'delete' will the API be called and I can be confident that all the user data has actually been deleted - assuming that all my plugins use the new API (which I know won't happen for a while)?

Also, when a user's data is deleted (either manually or by retention policy), how will that impact underlying statistical data? Is there a way to preserve aggregate data while deleting personally identifiable data?

Thanks in advance.

Chris

 
Average of ratings: -
Retro Drive
Re: EU General Data Protection Regulation (GDPR) compliance
 

I'm also keen to hear how this has been implemented.

 
Average of ratings: -
Alicia Wallace
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi - sorry to jump in on this thread. About this point: "also in a rolling fashion where retention periods have expired" - I have all kinds of questions which I imagine are already being discussed. Is there a separate place where there is more in depth discussion on how retention periods are managed?

Thanks, Alicia

 
Average of ratings: -
Kerry Watt
Re: EU General Data Protection Regulation (GDPR) compliance
 

I'm really interested in the retention periods and how they work as well. Does an expired retention period on an activity mean the whole activity is deleted? Or only the data inside it which has been stored for that long? Or neither and it just waits for us to act on the retention period expiry?


I haven't been able to see how to set a retention period on user data yet, only on activities and courses. Any advice on this would be great.

 
Average of ratings: Useful (1)
Urpo Karhula
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hello,

Users can return files and different file types in many activities in Moodle, will these be included in the export.zip alongside the data.json files?

At the moment they do not exist in the export.zip file.

Users can submit files at least to these activities/ways:

  • Assignment
  • Database
  • Forum
  • Folder-resource (if given special permissions)
  • Glossary
  • Wiki
  • Workshop
  • Quiz
  • Anywhere where the text editor is available since they can make a link out of text -> then upload a file with the file picker to this link from their computers.

Tested on fresh install of Moodle 3.3.5+ (Build: 20180421) & tool_dataprivacy 33.2.0 (2017051507)

https://tracker.moodle.org/browse/MDL-62187


 
Average of ratings: -
Andrew Nicols
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Testers

Hi Urpo,

As I have already mentioned, we are actively working on completing all components within Moodle. Once complete, all personal data should be exported from these modules, and others.

Some of these are already implemented, whilst others are still in progress. In some we are not able to identify which user created the content -- for example the Folder (mod_resource) does not store the identity of the user who created a file.

Andrew

 
Average of ratings: Useful (1)
Kerry Watt
Re: EU General Data Protection Regulation (GDPR) compliance
 

Is there an estimate for when the Moodle versions will be stable and no longer updated weekly? We have been working with 3.4.2 and did not realise that the new plugins would cease to work with this version as they were refined and would instead require a further update. The plugin information in the database says they should be compatible with 3.4.2 which they aren't.

 
Average of ratings: -
Gareth J Barnard
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Plugin developers

Hi Kerry,

M3.4.2 is a stable version.  Are you talking about contributed plugins?  If so then:

  • The Moodle database does not allow developers to state to use M3.4.2 instead of M3.4 - MDLSITE-5390.
  • A plugin (say for M3.4.2) implementing the privacy API will still work on M3.4 but with no privacy functionality working.
  • If you want to check plugins that implement the privacy API then install the Data Privacy tool (https://moodle.org/plugins/tool_dataprivacy) and use the 'Plugin privacy compliance registry' functionality.

Gareth

 
Average of ratings: Useful (1)
Kerry Watt
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Gareth


Although 3.4.2 is a stable version, the new releases of the Data Privacy plugin are not compatible with it and we've been unable to get them installed in my Moodle as a result. I notice the description of the Data Privacy tool has been updated to reflect this now, but it didn't say this last week. 


Are further changes in the pipeline and is there a timescale on these? Realistically we can't upgrade our live instance using the privacy implementations if there will still be key weekly fixes requiring a new Moodle install.

 
Average of ratings: -
Gareth J Barnard
Re: EU General Data Protection Regulation (GDPR) compliance
Core developers, Particularly helpful Moodlers, Plugin developers

Fair enough.  And I don't know about any further changes.  I just go with the flow.  Do you follow the tracker? Like MDL-59286?

 
Average of ratings: -
Ewan McGhee
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hello all,

I'm late to this discussion but can't see the information I need anywhere in the thread.

Does anybody know where the setting is to perform a hard delete of a user or obfuscate a user record via a Data Request? I'm using 3.5 with all the GDPR stuff, but when I test it, it just marks the record as deleted and obfuscates the email address - which isn't good enough. The user name field could have the email address in it and that isn't obfuscated, neither are the first and second names of the user.

Also, there shouldn't be any option in my view, it should either hard delete, or obfuscate everything  - it's not GDPR-compliant to have user identifying information after a request to delete. This is making me question whether Moodle is actually GDPR-compliant.

Can anybody shed any light?

Thanks,

Ewan

 
Average of ratings: -