Blocks that can be added to a user's profile page can contain a number of config settings for the instance. For example, the badges block where the user can specify the number of the number of badges to display.
For GDPR purposes, should these be considered personal data (user preferences by another name) in the same way the html block does?
Mark,
My answer would be generally no, since it is not per se personally identifiable or would be in combination with other obvious data.
However, if that data could be further used as part of a data set for profiling someone, then possibly the answer is yes.
GDPR Recital 24 discusses this issue where "potential subsequent use of personal data processing techniques which consist of profiling a natural person" would not be allowed.
So if you were to add up all the various personal settings of otherwise anonymized Moodle user, could that be used with other data you have to then be able to re-identify them?
To give an actual example, HTML5 Canvas fingerprinting in browsers works by collecting a combination of a number of hardware and software settings that at some point are sufficient to identify a user uniquely who then could be personally identified by combining that with other data. (Which is exactly the type of technique that Recital 24 is addressing.)
So, the answer depends not just on what data you have in Moodle, but what other data you have in your organization about someone and to what extent that could all be subsequently combined to identify someone.
I would have thought 'yes' as it is a bit of data pertaining to an individual's choice / decision. Different users will have different values, so unlike theme settings (mostly) where every user uses the same setting value and it relates to the configuration of the theme then this value does relate to an individual.
Gareth, yes, I think sometimes that is right, if you have it linked to the user and it is so specific that the setting itself could help lead you to infer who the user was. So, it will depend on what the "personal" nature of the setting. Your theme example is a good one, or settings that are basic on/off or yes/no and are really generic.
But just making a choice per se is not identifiable: it would depend on the context. I chose tacos for lunch today but so did millions of others around me. When I lived in India and had tacos for lunch, I was the only one among millions to do that.
I've read interpretations of GDPR that subjective data can count as personally identifiable - if you have enough of them to be able to assist in re-identifying the person, which is easier if the choices are contextually specific and you have lots of them. For instance, for profiling.
Is whether someone has Moodle forum emails as a digest or one at a time
personally identifiable? I'd say no by itself. But tags from user
profiles? Definitely on the personal side of things because it would be easier to infer a user based on the uniqueness of the combination.
Oh, I just wanted to clarify I was not thinking about cases of erasure, where if you have a userid connected to data, you erase it.
I am thinking about the more interesting case of anonymizing. For data integrity, I would prefer to anonymize anything I can before having to delete it. So, the question is, how far do you have to go to get something really anonymous?
Use case that actually came up in conversation: multiple institutions want to combine anonymized course data for the training of analytics. If it is anonymous, you don't need consent, and therefore you can use older historical data and continue to add year after year -- if and only if it is truly anonymous.
Is just changing the usernames and other obvious profile information sufficient? What user fields could you keep as is? Do you need to change enrollment settings, user forum subscription settings, other settings including the course settings that teachers might have made, not just students? Etc. So the question "is a setting personal data?" matters a lot in that case.
Thanks for your thoughts chaps. The whole fingerprinting thing is fascinating: No one thing uniquely identifies the individual, but the collection of all the data can uniquely identify someone.
I'm not particularly worried about most blocks, except for perhaps the accessibility block, because it has preferences which might indicate a visual impairment. But I was curious about what others thought.
Mark,
That's a great recommendation - accessibility user choices as potentially identifying. We will look into that.
Randy