The General Data Protection Regulation (GDPR) is coming into force in Europe in May. At the Open University in the UK we are using badges on two websites - OpenLearn and OpenLearn Create. We are aware that the community is working to make Moodle more compliant with this regulation, but haven't seen any details specifically about the badges. Would you please share what the plans for changes are.
We have two areas of concern
1. Badges are not currently deleted if delete a user from Moodle
2. The URL baked into an issued badge continues to work even if you delete a user - two issues here. One, currently this shows to a user that their data isn't really deleted. Two, if badges start to be deleted when you delete a user, this URL will stop working and badges can not be validated. So this is a tricky problem, a solution to it could be to store such URLs even after badges are deleted. If someone visits such URL to just tell them that the badge it came from was indeed issued by the site, but not provide anymore details.
Thanks for the question. There are really two pieces of functionality mentioned here; the current 'delete user' function, and new GDPR personal data deletion.
The existing 'delete user' functionality in Moodle will be unchanged when the GDPR changes land this release. This was a decision made to reduce risk, as making changes to this routine may have unforeseen consequences.
The new functionality, made available through a data privacy tool, is responsible for deletion (or nullification, where required) of all personal data under certain situations, such as when a user requests to be forgotten, or when the institution is obligated to remove all personal data for the user. This works the same for all components, including badges. Each plugin must advertise which areas of it's internal database structure, file systems, etc, store personal data, and each plugin is also responsible for the deletion of said personal data.
In the case of badges, any badge issued or manually awarded would be considered personal data of the recipient (awardee), and the personal data would, at a minimum, have to be nullified from any relevant award or backpack records. The problem I foresee here is that, strictly speaking, there is a legal requirement to remove things like the backpack email address of a user who has asked to be forgotten. This means that any badges that user has sent to backpacks (like open badges backpack for example) will no longer successfully validate because the hash in the assertion JSON will have changed when the email is nullified. Having a quick look at this, it seems this hash is generated on-the-fly, based on the backpack email, which will now be null. Nullification will however, stop other users who follow the criteria or evidence links from seeing the user's name and details, and this is a positive.
We're due to address badges in the coming days/weeks and will know for certain at that time, however, it does look like one outcome of the GDPR might be that any badge sent to a backpack will no longer validate for display elsewhere once a user has been forgotten from the issuing Moodle site.
I hope that helps to clarify the issue somewhat.
Good discussion of a complex issue, and I must state that I am no expert on GDPR, but I wanted to pass along some tidbits from the IMS Global Open Badges workgroup who has been discussing this issue briefly in recent meetings.
Would it be possible to give a user who has been issued badges by Moodle a choice? IMS supports an approach that gives the badge recipient an option to choose to have the institution retain the minimum badge-related data necessary to allow the institution to verify the Open Badge.
In an Open Badge, the recipient identifier may or may not be hashed. If a hashed recipient identifier is considered personal information and needs to be removed or nullified, then the badge would cease to be valid and verifiable.
As mentioned in earlier comments, Open Badges may contain information about the evidence used by the recipient to earn the badge. Evidence may be a URL pointing to information or artifacts hosted elsewhere (like in Moodle). If those artifacts are removed or nullified, the badge itself will not become invalid. In rare cases, evidence may be a text narrative embedded in the badge that potentially contains personally identifiable information.I'm happy to liaison with the workgroup as further questions arise.
Jeff Bohrer, IMS Global
Thanks for posting, Jeff. My apologies for the delayed response - I've been in a self-imposed communications black hole (holiday) the past few weeks.
Since my last post, the privacy provider (the class responsible for handling personal data export & deletion) for the badges subsystem has been written and, as I suspected, we're deleting any badge backpack records for the user who requested to be forgotten. The tracker issue can be viewed here if you wish.
With regard to the suggestion of this being the user's choice: We don't have the facility to allow a user to ask to be partially forgotten (i.e. leave some of their personal data behind, for cases like badge verification). This isn't to say that such an idea is impossible, it's just that it wasn't part of our MVP. Do you know of other systems using badges that has used this approach?
As it stands, approving a 'forget me' request will remove all personal data for the requesting user, and this includes the emails (and hashes) stored in their badge backpack. In fact, we remove all records that a badge was issued to that user at all. After a user is forgotten from the Moodle site, any badges exported elsewhere during their time there will no longer be verifiable.
This outcome really comes down to the fact that we have to be strict on what personal data can be kept. So far, there are only one or two cases in which we store personal data, and we do so only to provide evidence for GDPR auditing purposes, which is deemed acceptable.
Jake, thanks for the update. To my knowledge, no one has yet implemented features to inform (or provide options to) the user of implications to their badges when they request to be forgotten. I will pass along your update to members of the IMS Open Badges workgroup who I'm sure will be interested in hearing about other implementation decisions.