EU General Data Protection Regulation (GDPR) compliance

 
Martin Dougiamas

Next year it will become mandatory for online systems used in the EU to support the new GDPR laws:

I'm fully behind this, I think those laws are a great thing for privacy online and Europe is leading the world in this.

Moodle will be right there with it. 

To get there, we basically need to:

  1. Get together some legal experts who fully understand the new laws - PARTICULARLY IN THE CONTEXT OF EDUCATION.
  2. Analyse the distance between what Moodle does now and what GDPR requires and develop a clear spec.
  3. Do the work in Moodle code and documentation to make sure we are compliant. 
  4. Become certified in a way that any Moodle site can use to show their compliance.

I'm highlighting the education side because I think there are some tricky considerations in a school, university or workplace that may not be obvious.  For example, a person removing all their forum posts from a discussion will completely disrupt the learning environment for everyone else.

This is not just a job for Moodle HQ, we really need the whole community to help rally around this and make it happen soon.

Who wants to help?  

Who knows of any existing initiatives or even funding available for this?  

Let's start pooling info here!

Peace,
Martin

 
Samuel Witzig
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Martin

Wouldn't it make sense to raise the subject in Mannheim at the Moodlemoot Germany? Since you are there as a keynote speaker, and Germany is affected by the EU General Data Protection Regulation, I think that this would be a good place to discuss the subject in depth.

Best,

Samuel

P.S.: Even though Switzerland is not in the EU, our data protection laws will be made compatible with the EU regulation, so we are affected too.

 
Martin Dougiamas
Re: EU General Data Protection Regulation (GDPR) compliance

Absolutely, let's make that happen (and the French MoodleMoot also in June). We should still also discuss it here though.

 
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance

Hi Martin

thanks for the initiative here. I'm preparing a presentation at MoodleMoot Germany and we should add a workshop for these issues on the second day.

I can just add the first issues I identified:

  • Withdrawal of consent to store data. Withdrawing has to be as simple as giving acceptance. Solution: the user can withdraw in the profile, the user account is set to inactive, the user is logged out, and the admin is notified.
  • The admin can see who accepted or withdrew consent: a new site report with information about users, date of acceptance, date of withdrawal.
  • Right to be forgotten: the documentation requirements of the owner of the system have priority. Nobody can ask a university to delete all data. The same applies to corporations. There is a simple option: anonymise/delete the account.
  • Right to get a report about all stored data: we have to define what data should be included. Idea: user profile with a button to create a report as PDF. User profile, enrolled courses, course progress, course grades.
  • Right to transfer data from one system to another: the report above can also be provided as an XML or JSON file.

Ralf Hilgenstock

 
Elizabeth Dalton
Re: EU General Data Protection Regulation (GDPR) compliance

Ralf, do the rules distinguish between personally identifying data and de-identified data for withdrawing consent or right to be forgotten? Would it be sufficient to de-identify all records of an individual (reassigning them to a unique identifier not linked to the individual), for example? This would allow learning analytics systems to continue to make predictions based on previous learner experiences, even if details of who the learner was are not still in the system.

 
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance

Hello Elizabeth

good questions, but also complex questions. I think I can't answer them finally.

First, the aspects are described in separate articles. My personal opinion is that it has to be understood from the general background of the GDPR.

The general principles are:

  • People are the owners of their data.
  • They give permission to store this data and can withdraw this permission.
  • People should be protected against the data being abused against their interests.
  • The institution that creates and edits that data should reduce the data to a minimum and delete the data if there is no reason to store them anymore.
  • The idea of protection is to protect against any type of abuse by private (commercial) or governmental institutions.
  • GDPR distinguishes between data and sensitive data.

There is a separate article in GDPR about anonymization of data.

The learning analytics discussion has not yet started intensively in education. I expect that this will start over the next years.

I think it's a question of the purpose of learning analytics. There is a strong difference in teaching culture in different countries. E.g. years ago I was wondering when I saw 'thank you teacher cards' in the UK. This is completely unknown here in Germany. I found that it's common in the UK that students and parents say thank you to the teachers at the end of the term for supporting the students to success. In Germany there is just another culture of teaching: parents often feel teachers have to segregate between good and not so good students. In some schools it's expected that the Gaussian distribution is reached. A teacher who leads all students to success is very often under criticism. We also have a strong discussion about individualization of the teaching process and the role of the teacher as individual learning coach.

Something similar happens in universities with lectures that 'should' reduce the number of students, and it's seen as normal when 50% or more of the students fail the final exam.

In companies we see other paradigms: mandatory training programs, training to prepare for a special job or task. Success is sometimes a requirement for an internal job, sometimes nobody is interested in success, and sometimes it is part of controlling how well they do their job.

With these cultural differences in the background we can discuss learning analytics purposes in detail. What is, in a specific context, the intention of learning analytics?

  • summative evaluation to optimize a program for the next group of users
  • individual support and coaching of a single learner
  • control of the learner

Based on the different intentions, learning analytics will be accepted or seen critically.

The discussion from the learner side will be different depending on the experience with the teaching process and culture in the institution. Years ago we had a discussion started by students at a German university that the use of the LMS should be completely anonymous. They argued a professor should not be able to identify who did what on a platform. A professor could be influenced by a silly question in a forum by a student when he grades the final exam of that student. This happens especially if you see classes or lectures with 100-1500 students.

We also have universities with small groups and a much better relationship between professor and student.

Let me make this as complex as it naturally is. The European GDPR will be complemented by national law. In Germany we have a state level and a federal state level. On the state level, regulations for universities and schools are defined. The system of institutional data protection officers is completely independent. Because GDPR and most (federal) state laws do not define concrete situations, data protection officers can accept or deny the data processes.

My personal argumentation is:

  • learning analytics will be accepted when the teachers integrate it in their quality management programs
  • it will be accepted when it is part of the teaching concepts and culture
  • it will be accepted if it is really used to support users to succeed
  • it will be denied if data are not used

I'm very interested in this discussion, because it's a good opportunity to push teaching culture and quality management in educational institutions.


Ralf



 
Elizabeth Dalton
Re: EU General Data Protection Regulation (GDPR) compliance

Ralf,

Thank you for this thoughtful, comprehensive response. I see what you mean: if the purpose of analytics is to help ensure that a course design results in a Gaussian distribution with a 50% failure rate, a student is going to feel very differently about their personal data remaining in the system! We need to take that into account and provide a way to de-identify data the system needs on request. I think we can also make it clear to students how their data is being used by listing the models the system has enabled (a clear, natural language description, not computer code). I will incorporate these ideas into our working documents.

Thank you again,

Elizabeth 

 
Ger Tielemans
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Ralf,

By law Dutch educational institutes have to save and store the personal educational results from their students for at least seven years, so...

 
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance

Hello Martin

During the German Moot we will have a presentation (in German) about the new situation, and I suggest a working group on the second day with a focus on discussing how to design the process:

- identifying the requirements on functional level and on process level for system owners

- defining working packages (draft).

It makes sense to follow up on this during the French conference in the week after.


Ralf

 
koen roggemans
Re: EU General Data Protection Regulation (GDPR) compliance

The decision was made in May 2016 to become operational in May 2018 - a transition time of 2 years to comply.

By coincidence, a few days ago I contacted the ministry of education of Flanders (the Dutch-speaking part of Belgium) for education-specific guidelines. The reply was that they are at the moment setting up a work group to investigate that. That didn't sound very hopeful for getting anything done in time.

Since it's a European matter and has nothing to do with the separate countries of the EU, I'm very keen to learn about the viewpoints of other countries.

 
Gemma Lesterhuis
Re: EU General Data Protection Regulation (GDPR) compliance
 
Centre e-learning HES-SO Cyberlearn
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Martin,


Some members of Cyberlearn (the E-Learning center for the University of Applied Sciences Western Switzerland) will be present at the French Moodle Moot in Lyon. We will be pleased to join the discussion of this issue.



 
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance

Hi Martin

the first link in your post goes to a private site. It's a lobby organization. The official site of the European Data Protection Supervisor is here: https://edps.europa.eu/


Ralf

 
Tim Gildersleeve
Re: EU General Data Protection Regulation (GDPR) compliance
 

This is all very welcome news, this has been on my mind a lot lately.

I realise that this is just ramping up for discussions but do you think any code changes etc to support this are likely to be implemented for the November/December 2017 (3.4?) release? Or is it more likely to be in the May 2018 (3.5?) release?

On a side note - this will probably unify versions of all EU Moodle installations for the first time - everyone will have to be moving to this release to be compliant.

 
Martin Dougiamas
Re: EU General Data Protection Regulation (GDPR) compliance

It had not been included in the pre-planning for 3.4, but we'll see what can be done and needs to be done.

 
Martin Greenaway
Re: EU General Data Protection Regulation (GDPR) compliance
 

Without wishing to unnecessarily bump a thread from some days ago, this is really good news, as a lot of (certainly public sector) organisations even in the UK are looking for GDPR plans when evaluating solutions.

Something that might be of interest in the European Moot discussions is this:  As you rightly point out Martin, removing a learner's contributions across the board can have significant impact on forum threads, but behind the scenes it has huge implications for things like learning analytics.  If large numbers of people withdraw, and furthermore choose to withdraw their data, is there a danger you could be losing a disproportionately important amount of data? After all, the data withdrawn would be exclusively that of people who disengage with their learning and ultimately withdraw from courses.

Some form of anonymisation of the user account (allowing the underlying scores, interactions, forum posts etc. to be retained for their normal lifecycle without being attributable) would be much more beneficial to institutions and subsequent learners...

If, of course, such a thing were compliant with the final form of GDPR!

 
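The anonymised-account idea in the post above, Elizabeth's earlier question about reassigning a user's records to an identifier not linked to the person, and Ralf's requirement list further up the thread (consent withdrawal, an admin consent report, a data export, anonymise/delete) are easier to reason about as code. The block below is an added example written for this page; it is not Moodle code and not from any poster. It operates on constructed in-memory records standing in for an LMS database; the table and field names, the consent fields and the `anon_` token scheme are all assumptions, not Moodle's schema.

```python
"""De-identify one user while keeping the learning data, plus the consent
and export operations around it. Added example, not Moodle code."""
import json
import secrets
from copy import deepcopy

# Constructed sample records (hypothetical people, site and course).
SAMPLE_SITE = {
    "users": [
        {"id": 7, "username": "amalik", "email": "a.malik@example.org",
         "firstname": "Aisha", "lastname": "Malik", "city": "Bern",
         "active": True, "consent_accepted": "2018-05-25", "consent_withdrawn": None},
        {"id": 8, "username": "jdoe", "email": "j.doe@example.org",
         "firstname": "Jan", "lastname": "Doe", "city": "Lyon",
         "active": True, "consent_accepted": "2018-05-25", "consent_withdrawn": None},
    ],
    "enrolments": [{"userid": 7, "course": "SEC101"}, {"userid": 8, "course": "SEC101"}],
    "grades": [{"userid": 7, "course": "SEC101", "grade": 82.5},
               {"userid": 8, "course": "SEC101", "grade": 64.0}],
    "forum_posts": [{"id": 101, "userid": 7, "course": "SEC101",
                     "message": "Is the quiz open book?"},
                    {"id": 102, "userid": 8, "course": "SEC101",
                     "message": "Yes, see the course page."}],
}

# Profile fields that identify the person (assumed set); everything else is kept.
PII_FIELDS = ("username", "email", "firstname", "lastname", "city")
# Tables that reference a user by "userid" (assumed schema).
USER_TABLES = ("enrolments", "grades", "forum_posts")


def fresh_site():
    """A working copy of the sample records, so each run starts clean."""
    return deepcopy(SAMPLE_SITE)


def find_user(site, userid):
    for user in site["users"]:
        if user["id"] == userid:
            return user
    raise KeyError(f"no user {userid}")


def export_user_data(site, userid):
    """Right of access / portability: everything stored about one user, as JSON.
    Returns the JSON text; a caller could equally render it as PDF or XML."""
    report = {"profile": deepcopy(find_user(site, userid))}
    for table in USER_TABLES:
        report[table] = [deepcopy(r) for r in site[table] if r["userid"] == userid]
    return json.dumps(report, indent=2, sort_keys=True)


def withdraw_consent(site, userid, when):
    """Consent withdrawal: record the date and deactivate the account.
    Nothing is deleted, so the institution's retention duties are untouched."""
    user = find_user(site, userid)
    user["consent_withdrawn"] = when
    user["active"] = False
    return user


def consent_report(site):
    """Admin site report: (user id, date accepted, date withdrawn) per user."""
    return [(u["id"], u["consent_accepted"], u["consent_withdrawn"])
            for u in site["users"]]


def anonymise_user(site, userid):
    """Replace the user's identity with a random, unlinkable token and strip the
    profile PII, keeping enrolments, grades and posts attached to the token.
    The token comes from the OS CSPRNG and is not derived from any user
    attribute, and the old id -> token mapping is not stored anywhere: that is
    what makes the result anonymous rather than pseudonymous (a keyed hash or a
    retained mapping would be pseudonymisation, still personal data under GDPR)."""
    token = "anon_" + secrets.token_hex(8)
    user = find_user(site, userid)
    for field in PII_FIELDS:
        user[field] = None
    user["id"] = token
    user["active"] = False
    for table in USER_TABLES:
        for row in site[table]:
            if row["userid"] == userid:
                row["userid"] = token
    # Caveat: free text (forum messages, submissions) can identify its author by
    # content alone; that needs a review step this example does not perform.
    return token


def has_identifiers(site, username, email):
    """Check helper: does any user row still carry these identifiers?"""
    return any(u.get("username") == username or u.get("email") == email
               for u in site["users"])
```

The design choice worth noting is the random token: if the site must still be able to act on a later request from the same person (for example, to honour a subsequent deletion request), it needs to keep a mapping or use a keyed hash, and then the records are pseudonymised rather than anonymised and remain personal data. Withdrawal of consent here deactivates the account but deletes nothing, which matches the point made earlier in the thread that institutions may be legally required to retain results for years.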
Samuel Witzig
Re: EU General Data Protection Regulation (GDPR) compliance
 

Some more resources for GDPR:

 
Chris Nelson
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi all,

Apologies for the bump, but I haven't been able to find anything concerning the mentioned GDPR discussion from the June Moodlemoots, so I was wondering how the discussion has evolved in the last few weeks?

Here in the UK, we are still awaiting university-specific guidance from the Information Communication Office (ICO), so are planning system changes as best we can. The ICO has a good general GDPR overview document that is well worth reading though - it is being updated fairly often too.

I feel that I should flag that it is not always possible for education centres to adopt the absolute latest release of Moodle straight away - ensuring compatibility with other local systems etc. can take significant time. From such a point of view, the implementation of the majority of GDPR administration mechanisms for the November 2017 (/3.4) release would be preferential as that would give most places sufficient time to adopt Moodle 3.4 by the 25 May 2018 deadline. I daresay that later adopters may have some leniency if they can prove to the ICO (or equivalent) that they are in the process of adopting/making necessary changes, but that grace period would probably only be another month or so.

A big thanks to Martin for raising this in good time, and for all the other posters for the information shared so far!

 
Chris Nelson
Re: EU General Data Protection Regulation (GDPR) compliance
 

Just to add a link to JISC's online briefing about GDPR.

https://www.jisc.ac.uk/training/moving-toward-GDPR

It's a hour long, but well worth watching.

 
Damyon
Re: EU General Data Protection Regulation (GDPR) compliance

Posting an update on what we (HQ) have been doing with regards to GDPR in Moodle.

Firstly - we recognise that there will be a lot of Moodle sites that are going to be running current or older Moodle versions at the time that the new GDPR laws become enforceable. I created a Moodle docs page with some practical advice on how to start thinking about the obligations of a Moodle administrator under the new regulations.


http://docs.moodle.org/dev/GDPR_For_Administrators

This page can only be edited by administrators because we want to be cautious about any page that could be construed as legal advice. That is not the point of that page. If anyone would like to suggest improvements / changes - you can do that by replying in this forum discussion.


This is not intended to be a "magic document" that says Moodle complies with the regulations. It is up to each administrator of a Moodle site to ensure they are doing the right things. 


Further to this, there are some additional changes we have identified that we could make in Moodle to make it easier for sites to comply with the regulations. I have written up some tracker issues with user stories for these enhancements under: https://tracker.moodle.org/browse/MDL-59286


We have not started work on those issues yet - we will probably have time to tackle a few of the most important ones before 3.4 is released but I don't think we will get time to look at them all.

 
Ray Lawrence
Re: EU General Data Protection Regulation (GDPR) compliance

Hi,

Where should we be looking to see what work is being done? I can't see any activity on issues in the tracker.

 
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance

Hi Damyon,

like Ray, I didn't find any information about progress. One issue was closed with the notification "won't fix". None of the other issues is assigned to a developer.

Is anybody working on this in background?
Can we expect first improvements in 3.4?
What is planned for 3.5?

Can we help with developer resources?


Ralf


 
Damyon
Re: EU General Data Protection Regulation (GDPR) compliance

Hi - unfortunately we did not get any time in the dev cycle for 3.4 to work on this. This is obviously important work, but the priorities for 3.5 have not been decided yet either. 

The changes described in that Epic are only really enhancements that will assist some people with their compliance obligations. There is nothing in Moodle that would prevent someone from complying with the new regulations. Regardless of the changes in Moodle - most of the work around compliance is non-technical and requires each site to understand their obligations and provide information to their users.

The information provided in:

https://docs.moodle.org/dev/GDPR_For_Administrators

was probably the most important piece in that it should give administrators the information they need to plan their own path to compliance. 

Anyone is free to pick up issues from that Epic and work on them and we will be happy to integrate their work.

Regards, Damyon

 
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance

Hi

thanks for your quick response.

You are correct when you argue most of the GDPR definitions are organisational and not technical. But these aspects are not new in European laws. E.g. most of them were identical in the German laws that are replaced by GDPR now.

On the other hand there are other new regulations that have to be supported by technical solutions. These are especially the 'right to be forgotten' (it's more than deleting an account), the report about stored data, the export of stored data, etc.

In combination with very high penalties this is critical.

Ralf

 
Ruth Horak
Re: EU General Data Protection Regulation (GDPR) compliance
 

Denmark here.


I totally agree with Ralf. Technical solutions have to support organisational change. 

The GDPR has been a lot on my mind lately. 

In our organisation (language school for adults), we have to re-think personal data from scratch. One example: our teachers have so far had the right to backup, download and restore their own courses. I guess this would be a GDPR breach as well (right to be forgotten >< user data stored on the teacher's PC)?


Thank you for the very helpful links. I have added them to my own admin moodle space for further use.


 
Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance

Hi Ruth

thanks for your post. I see several requirements that need some development. Headquarters is aware of this and is planning several improvements. The aspect that you mention is not per se a problem.

In the default settings a teacher can't create a backup including student data. So backup and restore is no problem from a GDPR perspective. But a teacher can download grades and students' assignments. You can prohibit this by role management without any improvements in Moodle.

It's not generally a breach of GDPR if a teacher can download students' data, if you've defined what is allowed and what is not allowed and how they have to handle such data. If a teacher takes a written classwork home for correction or uses a paper-based gradebook at home, he also has personal data.

The right to be forgotten is limited by institutional interests or technical aspects in GDPR. This is an issue we have to make very clear for each user and in public.

You should generally define your internal policies for teachers on how to handle such data. From my perspective teachers aren't external third parties if they get access to personal data.

Ralf

 
Ruth Horak
Re: EU General Data Protection Regulation (GDPR) compliance
 

Thank you for your advice and input! 

I must admit that I have only just started to read about the GDPR, as I have been appointed admin of our LMS only recently.

I think the biggest challenge we face is on the organisational level - we have to revisit all our practices, starting from taking written exams back home, printing sensitive data and leaving them somewhere, etcetera. 

Moodle seems actually the easiest place to start...

Ruth 

 