I've been having a play with Moodle's Privacy framework for the GDPR (it's looking good BTW) and have a question that has come up that I've not been able to answer either through the tracker issues or the Google Doc (https://docs.google.com/document/d/1Y7n4Qkez4Tl83rWArOQPQCpE2NeSA2bUa8gOR2r_JFE/) about it.
It's a self-service model, so a Data Subject can make the request to a DPO, who will approve / deny it (or a DPO can make a request on behalf of someone else).
In the case of an export, it looks like the data is emailed to the DS and can be downloaded via the My Requests page.
However, I can't find evidence of the data being made available to a DPO user.
In our scenario all DP requests are to be fielded by our central Data Protection Office, so the request should be routed to them (the SAR should work nicely for this), they would collect the data (again nicely handled by the approve / deny option), but then they would want to control the return of the resulting data set to the Data Subject, typically to set it in context to the request.
In addition, the SAR may *not* come through Moodle, as we have a complex IT environment and Moodle may only be one part of the SAR target, so the DPO's ability to make a request on someone else's behalf works nicely, but the DP Office needs to be in control of the release of the materials (separate from the assembly of the materials) or the collation of all of the pertinent materials together.
This would suggest that there should be:
- a mechanism to prevent the automatic distribution of the exported data to the Data Subject,
- a "Download Option" on the DPO actions,
- a "refresh/re-export" mechanism.
Anyway, just my 2 cents; I think for covering GDPR requirements in a simple context the implementation is looking really good.