Security and privacy

User deletion not GDPR compliant : personal data not deleted (lastip)

 
Picture of Adrian Greeve
Re: User deletion not GDPR compliant : personal data not deleted (lastip)
Core developersMoodle HQParticularly helpful MoodlersPlugin developersTesters

Hello,

The process to exercise the user's right to be forgotten (The user requests to have their personal data deleted) and privacy by design (user information is only kept for as long as it is needed) in Moodle are not done by just going to the user administration screen and deleting them.

A request needs to be be made. This can be done from the user's profile, of if an admin, from the data requests page (Site administration > Users > Privacy and policies > Data requests). The reason for this process is to clean all of the student's data from the site.

Most of the user's information is removed apart from critical information needed to prove in an audit that all data requests were complied with.

The last IP address is not critical and so is deleted.

 
Average of ratings: -