Security and privacy

EU General Data Protection Regulation (GDPR) compliance

 
Martin Dougiamas
EU General Data Protection Regulation (GDPR) compliance
Group Core developersGroup Documentation writersGroup Moodle HQGroup Plugin developersGroup Testers

Next year it will become mandatory for online systems used in the EU to support the new GDPR laws:

I'm fully behind this, I think those laws are a great thing for privacy online and Europe is leading the world in this.

Moodle will be right there with it. 

To get there, we basically need to:

  1. Get together some legal experts who fully understand the new laws - PARTICULARLY IN THE CONTEXT OF EDUCATION.
  2. Analyse the distance between what Moodle does now and what GDPR requires and develop a clear spec.
  3. Do the work in Moodle code and documentation to make sure we are compliant. 
  4. Become certified in a way that any Moodle site can use to show their compliance.

I'm highlighting the education side because I think there are some tricky considerations in a school, university or workplace that may not be obvious.  For example, a person removing all their forum posts from a discussion will completely disrupt the learning environment for everyone else.

This is not just a job for Moodle HQ, we really need the whole community to help rally around this and make it happen soon.

Who wants to help?  

Who knows of any existing initiatives or even funding available for this?  

Let's start pooling info here!

Peace,
Martin martin

 
Average of ratings: Useful (7)
Picture of Samuel Witzig
Re: EU General Data Protection Regulation (GDPR) compliance
Group Particularly helpful Moodlers

Hi Martin

Wouldn't it make sense to raise the subject in Mannheim at the Moodlemoot Germany? Since you are there as a keynote speaker, and Germany is affected by the EU General Data Protection Regulation, I think that this would be a good place to discuss the subject in depth.

Best,

Samuel

P.S: even though Switzerland is not in the EU, our data protection laws will be made compatible with the EU regulation, so we are affected too.

 
Average of ratings: Useful (1)
Martin Dougiamas
Re: EU General Data Protection Regulation (GDPR) compliance
Group Core developersGroup Documentation writersGroup Moodle HQGroup Plugin developersGroup Testers

Absolutely, let's make that happen (and French MoodleMoot also in June).  We should still also discuss it here though. smile

 
Average of ratings: -
Picture of Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance
Group Core developersGroup Particularly helpful MoodlersGroup Translators

Hi Martin

thanks for the initiative here.  I'm preparing a  presentation at MoodleMoot Germany and we should add a workshop for these issues on the second day.

I can just add the first issues I identified:

  • withdraw of consent to store data. Withdrawing has to be as simple as acceptance is given: solution: user can  withdraw in profile, user account will be set to inactive, user will be logge out, notification to admin.
  • admin can see who accepted or withdrawed consent: neu site report with information about users, data of acceptance, date of withdrawal.
  • right to be forgotten: The requirements of documentation from the owner of the system has priority. Nobody can ask an university to delete all data. Same for corporates. There is a simple option: anonymise/delete  the account
  • right to get a report about all stored data: We have to define what data should be included: Idea: user profile with button to create a report as PDF. User profile, enrolled courses, course progress, course grades.
  • right to transfer data from one system to an other system: The report above can be given as XML or JSON file also.

Ralf Hilgenstock

 
Average of ratings: Useful (5)
Picture of Elizabeth Dalton
Re: EU General Data Protection Regulation (GDPR) compliance
Group Moodle HQGroup Particularly helpful MoodlersGroup Plugin developers

Ralf, do the rules distinguish between personally identifying data and de-identified data for withdrawing consent or right to be forgotten? Would it be sufficient to de-identify all records of an individual (reassigning them to a unique identifier not linked to the individual), for example? This would allow learning analytics systems to continue to make predictions based on previous learner experiences, even if details of who the learner was are not still in the system.

 
Average of ratings: -
Picture of Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance
Group Core developersGroup Particularly helpful MoodlersGroup Translators

Hello Elizabeth

good questions, but also complex questions. I think I can't answer them finaly.

At first the aspects are described in seperate articles. My personal opinion ist that it has to be understand from the general background of the GDPR.

The generals are:

  • People are the owner of their data.
  • They give permission to store this data and can withdraw this permission.
  • The people should be protected that the data are abused against the interest of the people
  • The institution that creates and edits that data should reduce the data to a minimum and delete the data if there is no reason to store them anymore.
  • The idea of protection is to protect against any type of abuse by private (commercial) or governmental institutions.
  • GDPR make differences between data and sensible data.

There is a seperate article in GDPR about anonymization of data.

Learning analytics discussion has not yet started intensive in education. I expect that this will start over next years.

I think its a question of purpose of learning analytics. There is a strong difference inteaching culture in different countries.  I.e. Years a go I was wondering when I saw 'thank you teacher cards' in UK. This is completely unknown here in Germany. I found that its common on UK that students and parents say thank you  to the teachers  at the end of the term that teachers supported the students to success.  In Germany there  is just an other culture of teaching: parents often feels teachers have to segregate between good and not so good students. In some schools its expected that the Gaussian distribution is reached. A teacher who leads all students to success is under critizism very often.  We also have  a strong discussion about individualization of the teaching process and the role of the teacher as individual learning coach.

Something similar happens in universities with lectures that 'should' reduce the number of students and its seen as normal when 50% or more of the students fails at the final exam.

In companies we see other paradigmas: mandatory training programs, training to prepare for a special job or task. Success is sometimes requirement for an internal job, sometimes nobody is interested in success and sometimes is part of control how good they do their job.

With this cultural differences in background we can discuss learning analytics purposes in detail. What is in a special context the intention of learning analytics?

  • summative evaluation to optimize a program for the next group of users
  • individual support and coaching of a single learner
  • control of the learner

Based on the different intention learning analytics will be accepted or critical. 

The discussion from the learner side will be different depending on the experience with the teaching process and culture in the institution. Years ago we ha  a discussion started from students at a German university that the use of the LMS should be completely anonym. They argued a professor should not be able to identify who did what on a platform. A professor could be influenced from a silly question in a forum by a student if he grades the final exam just from this student. This happens specially oif you see classes or lectures with 100-1500 students.

We also have universities with small groups and a much better relationship between professor and student.

Let me make this more complex as it is naturally.  European GDPR will be complemented by national law. In Germany  we have a state level and federal state level. On state level regulations for universities and schools are defined.  The system of insitutional data protection officers is completely independent. Because GDPR and most (federal) state laws are not defining concrete situations data protection officers can accept or deny the data processes.

My personal argumentation is:

  • learning analytics will be accepted when the teachers integrate it in their quality management programs
  • it will be accepted when it it is part of the teaching concepts and culture
  • it will be accepted if it is really used to support users to succeed
  • it will be denied if data are not used

I'm very interested in this discussion, because its a good opportunity to push teaching culture and quality management in eductional institutions. 


Ralf



 
Average of ratings: Useful (2)
Picture of Elizabeth Dalton
Re: EU General Data Protection Regulation (GDPR) compliance
Group Moodle HQGroup Particularly helpful MoodlersGroup Plugin developers

Ralf,

Thank you for this thoughtful, comprehensive response. I see what you mean: if the purpose of analytics is to help ensure that a course design results in a Gaussian distribution with a 50% failure rate, a student is going to feel very differently about their personal data remaining in the system! We need to take that into account and provide a way to de-identify data the system needs on request. I think we can also make it clear to students how their data is being used by listing the models the system has enabled (a clear, natural language description, not computer code). I will incorporate these ideas into our working documents.

Thank you again,

Elizabeth 

 
Average of ratings: -
Picture of Ger Tielemans
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Ralf,

By law Dutch educational institutes have to save and store the personal educational results from their students for at least seven years, so...

 
Average of ratings: -
Picture of Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance
Group Core developersGroup Particularly helpful MoodlersGroup Translators

Hello Martin

during German Moot we will have a presentation (in German) about the new situation and I suggest a working group on the second day with focus on discussion how to design the process:

- identifying the requirements on functional level and on process level for system owners

- defining working packages (draft).

It makes sense to follow up on this during french conference in the week after


Ralf

 
Average of ratings: -
Picture of koen roggemans
Re: EU General Data Protection Regulation (GDPR) compliance
Group Core developersGroup Documentation writersGroup Moodle HQGroup Particularly helpful MoodlersGroup Plugin developersGroup Translators

The decision was made in May 2016 to become operational in May 2018 - a transition time of 2 years to comply.

By coincidence, I contacted a few days ago the ministry of education of Flanders (Dutch speaking part of Belgium) for education specific guidelines. The reply was that they are at the moment setting up a work group to investigate that. That didn't sound very hopeful to get anything done in time.

Since it's European matter and has nothing to do with the separate countries of the EU, I'm very keen to learn from the viewpoints of other countries.

 
Average of ratings: Useful (1)
Picture of Gemma Lesterhuis
Re: EU General Data Protection Regulation (GDPR) compliance
 
Average of ratings: Useful (1)
Picture of Centre e-learning HES-SO Cyberlearn
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi Martin,


Some members of Cyberlearn (the E-Learning center for the University of Applied Sciences Western Switzerland) will be present at the French Moodle Moot in Lyon. We will be pleased to join the discussion of this issue.



 
Average of ratings: -
Picture of Ralf Hilgenstock
Re: EU General Data Protection Regulation (GDPR) compliance
Group Core developersGroup Particularly helpful MoodlersGroup Translators

Hi Martin

the first link in your post goes to a private site. Its a lobby organization.  The official site of the European data protection supervisor is here:  https://edps.europa.eu/


Ralf

 
Average of ratings: Useful (3)
Picture of Tim Gildersleeve
Re: EU General Data Protection Regulation (GDPR) compliance
 

This is all very welcome news, this has been on my mind a lot lately.

I realise that this is just ramping up for discussions but do you think any code changes etc to support this are likely to be implemented for the November/December 2017 (3.4?) release? Or is it more likely to be in the May 2018 (3.5?) release?

On a side note - this will probably unify versions of all EU Moodle installations for the first time - everyone will have to be moving to this release to be compliant.

 
Average of ratings: Useful (2)
Martin Dougiamas
Re: EU General Data Protection Regulation (GDPR) compliance
Group Core developersGroup Documentation writersGroup Moodle HQGroup Plugin developersGroup Testers

It had not been included in the pre-planning for 3.4, but we'll see what can be done and needs to be done.

 
Average of ratings: -
Picture of Martin Greenaway
Re: EU General Data Protection Regulation (GDPR) compliance
 

Without wishing to unnecessarily bump a thread from some days ago, this is really good news, as a lot of (certainly public sector) organisations even in the UK are looking for GDPR plans when evaluating solutions.

Something that might be of interest in the European Moot discussions is this:  As you rightly point out Martin, removing a learner's contributions across the board can have significant impact on forum threads, but behind the scenes it has huge implications for things like learning analytics.  If large numbers of people withdraw, and furthermore choose to withdraw their data, is there a danger you could be losing a disproportionately important amount of data? After all, the data withdrawn would be exclusively that of people who disengage with their learning and ultimately withdraw from courses.

Some form of anonymisation of the user account (allowing the underlying scores, interactions, forum posts etc. to be retained for their normal lifecycle without being attributable) would be much more beneficial to institutions and subsequent learners...

If, of course, such a thing were compliant with the final form of GDPR!

 
Average of ratings: -
Picture of Samuel Witzig
Re: EU General Data Protection Regulation (GDPR) compliance
Group Particularly helpful Moodlers

Some more resources for GDPR:

 
Average of ratings: -
Picture of Chris Nelson
Re: EU General Data Protection Regulation (GDPR) compliance
 

Hi all,

Apologies for the bump, but I haven't been able to find anything concerning the mentioned GDPR
discussion from the June Moodlemoots, so I was wondering how the discussion has
evolved in the last few weeks?

Here in the UK, we are still awaiting university-specific guidance from the Information Communication Office (ICO), so are planning system changes as best we can. The ICO has a good general GDPR overview document that is well worth reading though - it is being updated fairly often too.

I feel that I should flag that it is not always possible for education centres to adopt the absolute latest release of Moodle straight away - ensuring compatibility with other local systems etc. can take significant time. From such a point of view, the implementation of the majority of GDPR administration mechanisms for the November 2017 (/3.4) release would be preferential as that would give most places sufficient time to adopt Moodle 3.4 by the 25 May 2018 deadline. I daresay that later adopters may have some leniency if they can prove to the ICO (or equivalent) that they are in the process of adopting/making necessary changes, but that grace period would probably only be another month or so.

A big thanks to Martin for raising this in good time, and for all the other posters for the information shared so far!

 
Average of ratings: Useful (2)