We have some questions about the new GDPR plugins and I'm hoping someone can help! We are running 3.4.2 as a test in preparation to upgrade our live instance.
The first question is about the emails which are sent when a data request/contact with the DPO is made through Moodle. At the moment these are going to all site admin and are not going to the DPO. I've been unable to find any information about why this is happening, is anyone able to advise on settings that need to be altered so notifications don't go to site admin but to the DPO role holders instead?
A second question is about setting the Policies to show different policies for different user roles. At the moment the user consent options are for all users, authenticated users and guests. Our instance has both under and over 16's, and we would like to be able to have different policies for those two groups which we could differentiate using roles. Is this something that is possible, and if so I should add as a request in the Tracker? I can happily admit to never having used the Tracker before so any guidance would be very welcome.
Similarly, there is no option to do anything except view a request from the Contact DPO. It can't be completed so remains as pending in the request list. Am I missing something obvious that we can use to clear these?
The Data Privacy plugin description mentions a process to retrieve user information from several plugins. We haven't been able to see how to do that, and there is no reference in the documentation on how to do this. Is this something that is coming soon and I am being too eager?
We are also a little confused by how the data registry works, as it seems to identify data based on activities and not the user. Is this correct? Is the retention period for the activity itself, or the data in the plugin that has been submitted before that time period has elapsed? We are not a cohort driven provider, so our users enrol at any time of year and a user enrolling now would access the same activities in a course as one enrolling 18 months ago. If a retention period expiring would lead to the activity disappearing that would be highly problematic for us.