Hello,
It's great that Moodle are putting together a Privacy API, what I'm currently struggling with pertains to the definition of 'personal data' from a GDPR legal standpoint to know and understand what data in my plugins needs to comply. So with reference to https://moodle.org/mod/forum/discuss.php?d=365857#p1475972 - as administrators are users who are people then clearly the data they enter would be covered when attributed to (and logged as an event) then they have a right to be forgotten to.
As 'personal data' is defined in GDPR as 'means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;'. So clearly the 'user id' is such, but what about other data associated with it? Is the whole aspect here to determine if a bit of data can directly or indirectly be tracked back to a given user then it needs to have the rights of: knowing of it, knowing its value and to be deleted.
Take the scenario of an administrator setting the colour of a theme, then if the theme does not associate a user id with that colour value via any storage mechanism then possibly no need to worry about GDPR. But what if the action is logged? Then given one element of data being the colour setting value then you could indirectly track back to the administrator who set it. Thus they would have the right for the data to be deleted and the defaults set.
Another scenario is the developers rights, as we are people too. So if I were to remove a plugin from the Moodle.org database then I could request under GDPR that everyone delete that plugin as the PHP files have my name and contact details = personal identification of a user with data stored on a computer. If valid, how would this scenario be handled?
What about course format options (https://github.com/moodle/moodle/blob/MOODLE_34_STABLE/course/format/lib.php#L563) that can be defined for a course in a course format (contributed)? Is it possible for events / logs to be activated when an editing teacher changes a course setting? If so, is that 'personal data'?
Also in Andrew Nicols document (https://docs.google.com/document/d/1Y7n4Qkez4Tl83rWArOQPQCpE2NeSA2bUa8gOR2r_JFE) there is the mention of 'Additionally, any free text field which allows the user to enter information must also be considered to be the personal data of that user.' on page 6, so does that imply that all free text fields need to be validated to ensure that they contain the type of data required (like CSS) and not personal data? And how can a developer ever truly validate that when there is the CSS 'content' attribute? But.... as the controller under GDPR (I believe) is responsible then where does blame lie when things go wrong?
Thus then, does GPLv3 protect developers from violations of GDPR?
Also, if I have a 'mind that bus, what bus? Splat' moment, would I have the right (being in the UK under EU law before Brexit when GDPR comes in) after I'm gone for all my posts on Moodle.org to be removed? Not that really I'd want to because of the informational value I consider it gives as a benefit to the community. But what would happen?
So what are people's thoughts out there please? Are there any lawyers in the community whom can answer what does and does not constitute 'personal data' and other points I've raised please?
Cheers and happy head scratching,
Gareth
