I'm working through the plugins to better understand the process flow and the configurations so I can demonstrate it and the options to my department.
I'm struggling to understand the Data Registry part. In particular, I don't understand what "Category" does. It seems to me to be just a label and a description. Is its use something specific that comes out of the GDPR regulations or just a way of organising, that I don't understand?
On "Purpose", my working assumption is that it's a reason for setting a particular retention period for some thing, for example, a University regulation that states that a user's details can't be deleted from Moodle for 3 years after they have left. Is that right?
Following on from that, I've been through the deletion request process on my dev server, and even though a retention period has been set, a user can still make a request for deletion, and the DPO can still authorise the deletion. But nothing happens until the retention period has passed. Is that right? From a user's POV, it looks like the request has been accepted, but nothing happens, and there's nothing telling them why.
How is that final deletion process managed? Is there a deletion queue, or is it calculated from the requests table on a cron run?
Category is part of the GDPR regulations https://gdpr-info.eu/art-23-gdpr/
Your definition of Purpose would be the same as I would see it.
But for the best definitions the only good advice I can give is to consult the legal department.
As for the deletion request process, I am very curious like you and I hope we can get a swift answer.
It is very difficult to give examples on this point, since how to implement this part is different for every organization.
The idea behind the Data registry is that a DPO can set purposes (why the organisation is processing data) with retention periods and categories for data stored in Moodle in the data registry.
For example, you make a category "Identification data" with the purpose "student administration".
Please bear in mind - this is an example - which does not necessarily count for your organization.
If you get stuck on this part, the only and best advice someone can give you is to contact your organization's IT department or a specialist on GDPR.
For this example see: https://docs.moodle.org/34/en/Data_privacy_plugin
And you might already have read: https://docs.moodle.org/34/en/GDPR_for_administrators
I appreciate the explanation. I will of course be speaking to our DPO soon, so no doubt they'd have something to add. I guess the bit I'm a bit fixated about is "what does it do in Moodle?"
As far as I can tell, the category is just a label and a description that is only seen by the DPO and has no function in code. i.e. The requestee doesn't see it, and it's not adding anything to the processing of requests within Moodle - as far as I can tell atm.
"Purpose" at least contributes a retention period and a setting to determine if this trumps a requestee's right to be forgotten. So it's not so much the legislation I'm concerned with as Moodle processing.
The category is not associated with any processing in Moodle.
I'm not a lawyer, but my understanding is that this category is part of the requirement that all user data should have an explanation as to why it is being processed, and the type of personal data and the categories of data subjects. The idea is that this registry forms part of a report to be displayed to the Data Protection Officer in an audit, to display compliance by the institution. This category is linked to the user data, but no further processing is done.
I would highly recommend seeking professional advice as to how this information should be filled in to make sure that your site is compliant.