I've been looking with interest at the new privacy plugin and it is a great step forward. However we will not be able to use it in its current form and I wonder if we are alone in this (and to be honest - wonder how others are not in the same position).
I think the way it works: user making request, request approved by DPO role, user downloading data is very easy for an end users point of view but we still cant use it and will have to disable this on our live Moodle.
Why? Simply because the data the student gets direct from the database has not been looked at to see if there is anything that needs to be redacted. A user quoting another user for example, a user who may happen to write on a forum post personal data about someone else etc.
I have heard some arguments that suggest forum data does not need to be treated the same way, that something a user posts is their own data even if it includes data of others as this data was in the public domain. I have not found any evidence to support this or similar views however so I am left with the position of forum posts that may need to be redacted. When a student takes their download from Moodle - we may be actually giving them someone else's data along with their own.
Even if this isn't the legal problem I believe it is, our college policy is to go through data and redact where it does not apply to the data requested and legally entitled to, so we will have to do this regardless.
What are others thoughts on this? I can't believe I am the only one to think of this - but I have not heard any one else mention this issue?
Because of this I am going to have to have a "close to live as I can make it" MIS system that these requests are processed on - when the college receives a DSAR that I can then download myself and pass on to the DPO do deal with accordingly. I ill have to disable the functionality in our live Moodle.
It would be great to get some views on this matter from the community.