Security and privacy

User deletion not GDPR compliant : personal data not deleted (lastip)

 
Dorel Manolescu

Hi

When deleting a user from the user interface (probably for the web service also), not all the personal data is deleted or scrambled (for example lastip, phone, address ...). This is not GDPR compliant.

Steps to reproduce:

1) Create a user with personal data like phone, address, url

2) Log in as that user - lastip will be stored

3) Delete the user

4) Email and username are scrambled, but the other personal data is still there.

Affected versions: probably all. (I tested in 3.5, 3.4, 3.3)

Tracker issue created: https://tracker.moodle.org/browse/MDL-62830 and code added.

Regards


 
Davo
Re: User deletion not GDPR compliant : personal data not deleted (lastip)

There is a question around whether or not this is personally identifiable data, if the username (and first/last name?) has already been removed? For instance, I would point out that the webserver logs almost certainly still include a list of IP addresses that have accessed the site, but that wouldn't be considered personal data (or would it?)

I could also imagine good reasons why you might want to store the last IP address that a particular user account used, in order to perform security audits (which might be a required part of due-diligence and keeping the data on the site secure; which is, of itself, a part of the GDPR).


 
Dorel Manolescu
Re: User deletion not GDPR compliant : personal data not deleted (lastip)

Hi Davo,

Reading here: https://docs.moodle.org/dev/Privacy_API#Personal_data_in_Moodle

it seems to me that IP is also personal data.

By the way, first/last name are also not removed at the moment.

Regards

 
Adrian Greeve
Re: User deletion not GDPR compliant : personal data not deleted (lastip)

Hello,

The process to exercise the user's right to be forgotten (the user requests to have their personal data deleted) and privacy by design (user information is only kept for as long as it is needed) in Moodle is not done by just going to the user administration screen and deleting them.

A request needs to be made. This can be done from the user's profile, or, if an admin, from the data requests page (Site administration > Users > Privacy and policies > Data requests). The reason for this process is to clean all of the student's data from the site.

Most of the user's information is removed apart from critical information needed to prove in an audit that all data requests were complied with.

The last IP address is not critical and so is deleted.

 