I'm interested in setting up Data Privacy purpose which has a non-GDPR specification. How does one specify a non-GDPR lawful basis that can be chosen when creating a Data Privacy purpose?
I've created a Tracker issue for this: https://tracker.moodle.org/browse/MDL-75451.
If you are referring to the "purpose" sections of the Data registry, you can put whatever purpose you need which is the basis for processing the data and its retention.
It is not specific to GDPR - or any other particular law or regulation. Under GDPR you of course would want to put the standard purposes, but even there you may have local laws or other regulations that differ by country or jurisdiction or institution etc. The purposes could be whatever you need for your situation as long as you know they align to something which justifies the retention and deletion. That should really be the guide here since the Data deletion tool depends on those retention periods to remove data or not.
Erik,
Ah, my bad there for being on the other screen, as Howard points out. Yes, when creating the Purpose itself you are stuck with only the GDPR terms, which is clearly a mistake by Moodle to assume GDPR is global.
What I do is just pick the closest one that fits. Ignore the GDPR specifics and most of the categories work: is this contractual? is this a legal or regulatory requirement? and so forth. After all, the purpose is just for you to indicate on what basis you are retaining the data.
Legal language aside, the GDPR categories are pretty sensible and comprehensive and will work for most situations outside the EU too. Canada does have partial legal EU adequacy (see: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en/) - and therefore there is at least some pretty close alignment between Canada law and GDPR and many of the items in the list will be similar.
If this is really an issue and you need to change the language to match Canadian legal terminology, you can also edit these strings using the Language customisation tool. The strings for the items in this list can be found by looking for the string component tool_dataprivacy and especially the strings with names starting with gdpr_art. You can reword those for the pull down list that way.
Of course, that won't help you if you have users in multiple countries and you do want to track the legal basis from more than one source
For example, if need both the GDPR ones and Canadian ones, you are stuck since you can't expand the list, only reword it. But if you only need to reword the entries, that can help you out.
Ah, my bad there for being on the other screen, as Howard points out. Yes, when creating the Purpose itself you are stuck with only the GDPR terms, which is clearly a mistake by Moodle to assume GDPR is global.
What I do is just pick the closest one that fits. Ignore the GDPR specifics and most of the categories work: is this contractual? is this a legal or regulatory requirement? and so forth. After all, the purpose is just for you to indicate on what basis you are retaining the data.
Legal language aside, the GDPR categories are pretty sensible and comprehensive and will work for most situations outside the EU too. Canada does have partial legal EU adequacy (see: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en/) - and therefore there is at least some pretty close alignment between Canada law and GDPR and many of the items in the list will be similar.
If this is really an issue and you need to change the language to match Canadian legal terminology, you can also edit these strings using the Language customisation tool. The strings for the items in this list can be found by looking for the string component tool_dataprivacy and especially the strings with names starting with gdpr_art. You can reword those for the pull down list that way.
Of course, that won't help you if you have users in multiple countries and you do want to track the legal basis from more than one source
What we really need here is the ability for an admin to designate the legal basis for one or more of the countries they have users from. Or for countries where there is no national or other applicable data privacy (eg. the United States), then a way to make up their own list. This has been requested: https://tracker.moodle.org/browse/MDL-75451 but no one is working on it.
According to your profile - Canada - therefore whatever Canadian Privacy policy/legislation/etc would really apply.
Maybe:
'SoS', Ken