Contacts tab in messaging provides list of all users (GDPR issue?)

by Craig Hunter -
Number of replies: 8

Hi,

We have a flagged GDPR issue and I can't find a clean solution. Please help.

It involves every user being able to see every user on the system via searching from the Contacts tab in the messaging area.

All that is available is the list of names. They can't view profiles etc and all non-manager roles have had messaging permissions removed. However, the list alone is a problem for us.

The quick solution is obviously to disable messaging altogether, but the staff use it to communicate to users and we often use it via bulk user actions. We have limited access to it. However, it is not 100% watertight as a user could get to the messaging area via a linkback or technically via adding /message/ to the URL.

Is there no way to remove the Contacts tab or to restrict the user list? I have checked every possible permission setting, but perhaps I've missed it. We could also maybe erase it with CSS or editing the code, but our Moodle instance is incredibly restricted in such changes and it probably wouldn't be approved.

I know Moodle should be all about communication, but I was quite surprised to find that there is a free for all list of all registered users that can't be removed without disabling all messaging.

I would appreciate any help at all! Thank you.

In reply to Craig Hunter

Re: Contacts tab in messaging provides list of all users (GDPR issue?)

by Craig Hunter -

Hi,

I apologise for bumping my own post, but after further investigating there really appears to be no way to control the contacts list.

Is this really not a GDPR concern? That a list of all registered users is available to all users? Or that you must sacrifice/disable messaging to fix it?

My own personal issue is that those higher up simply don't believe me that this is the case.

In reply to Craig Hunter

Re: Contacts tab in messaging provides list of all users (GDPR issue?)

by Sander Bangma -

Hi Craig,

This is something we're working on addressing for Moodle 3.6 in the new features we're adding for messaging.  We're expanding messaging to be able to have group conversations and building in extra levels of privacy controls. 

The admin can enable or disable site wide messaging and users will be able to set whether they can be messaged only by their contacts, by anyone in their course, or by anyone on the site.

Here is the link to the group messaging epic in tracker:

https://tracker.moodle.org/browse/MDL-57272

By default the contacts list will show only the user's existing contacts, but the user can search for people they are in a course with.

In reply to Sander Bangma

Re: Contacts tab in messaging provides list of all users (GDPR issue?)

by Craig Hunter -

Hi Sander,

Thank you very much for the reply and feedback (as well as tracker link). It's very much appreciated.

In reply to Sander Bangma

Re: Contacts tab in messaging provides list of all users (GDPR issue?)

by Ralf Hilgenstock -

Hi Sander

This is very helpful.

This issue is interesting because there are completely different expectations in several areas of education.  Schools and universities often want to limit the access.  Corporates are interested that employees can contact and communicate over the boundaries of courses, departments,  cities and countries.

Making it configurable is a good initiative.

Ralf

In reply to Sander Bangma

Re: Contacts tab in messaging provides list of all users (GDPR issue?)

by Kerstin Namuth -

Thanks to Craig for bringing up the issue and to Sander for the reply.
This is exactly what we've been wishing for! 


In reply to Sander Bangma

Re: Contacts tab in messaging provides list of all users (GDPR issue?)

by Gemma Lesterhuis -

Hi Sander,

I just tested Moodle 3.6 and I do realize it is not all finished up yet - and I am really happy with the changes in the course overview. But I am trying to understand the working for the messaging system in context of this post.

And it could be because it is not finished yet, but wondering. 
 
It is considered a GDPR issue that users can be found in the messaging contact list all over the site (profile picture + Name). Since my organisation is really hoping this will be changed in 3.6 - since they would not like to see the messaging system to be turned completely off - I am testing 3.6 already for them.


At the moment I have the option to:  unabled "Allow messages from anyone on the site" (advanced setting). 

When I log in as a student user 1 and navigated at Message Preferences.

I noticed I have 2 options as a user:

 Accept messages from:

1. My contacts only

2. My contacts and anyone in my course.


I log on to a different student account (student 2) that is NOT a contact OR in the SAME course as student 1.
And I noticed that the student 2 can still FIND student 1 in the message contact list. 
Though when student 1 sends a message to student 2, it will show a notification that student 1 cannot send a message since the  message preferences of student 2. 


This is actually nice, but what I would have expected due to the GDPR is that Student 1 would not appear in the contact search list at all.
Is this still work in progress or am I missing a setting? 


Thank you 

Gemma


In reply to Gemma Lesterhuis

Re: Contacts tab in messaging provides list of all users (GDPR issue?)

by Sander Bangma -

Hi Gemma,

We're finalising the messaging and group messages project work.

These visibility issues will be resolved as part of:

https://tracker.moodle.org/browse/MDL-63282 and https://tracker.moodle.org/browse/MDL-63288

In reply to Sander Bangma

Re: Contacts tab in messaging provides list of all users (GDPR issue?)

by Gemma Lesterhuis -

Hi Sander,


Thank you for your reply. 
I was too fast ;-)

Gemma