Not sure if this is the right place - but I couldn't see a forum that is more appropriate.
In the UK we have a data protection act (http://www.informationcommissioner.gov.uk/eventual.aspx?id=87) which deals with how personal information can be moved or stored, and where it can be stored.
I'm wondering if anyone in the UK has had any thoughts about how they make their Moodle sites DPA compliant (or even if they need to be) in particular those which are hosted outside the European Union (EU) - the USA especially is not seen as a good place to keep personal data.
I don't believe that the data protection act is an issue as we are not collecting data.
We already know the names of our pupils/students; we should already have their contact info/email addresses. Most likely these are already stored electronically in schools and colleges.
However, security of this data is an issue (which I have raised previously) - because we have a duty to protect our pupils; teachers are expected to ensure that their pupils' personal information (in any format) is secure.
For instance, I ensure that email addresses of students are never visible to other users. This does reduce the ability to communicate, but greatly improves security.
I had to 'tweak' the code in Moodle to achieve this - it would be nice if extra security measures were available as standard options...
I'm not sure I agree with your statement: "I don't believe that the data protection act is an issue as we are not collecting data."
In my understanding the DPA is concerned with where data is stored and processed. So the fact that Moodle is storing contact details counts. Also, Moodle is continually collecting assessment data about students - doesn't that count as personal data?
It's a tricky one, as I don't think there have been many (if any) test cases to define the law. So everyone in this field seems to be trying to be as careful as possible.
On a similar note, has anyone tried to set up any bits of Moodle to work over SSL? E.g. the login page?
All the best,
I can't really see the difference between holding the data (personal details/grades) on a server internally or within Moodle.
The data protection act relates to all electronically held data and is there to safeguard the data from misuse. You must obviously have security in place, but intrinsically the situations are the same.
At least, I don't have any sleepless nights over it. Maybe there will be a test case one day - but there is a lot of deliberate misuse out there and that is what I believe the DPA is mostly about.
I agree with Mark, the key issue appears to be whether you are a data processor - a data processor may not necessarily collect information from the individuals to whom the data relates (as I understand it).
I'm currently getting my thoughts together on a site open to public subscribers and had a quick look at the Information Commissioners site yesterday, followed by a very interesting telephone discussion with one of the staff there. It seems that (apart from other legislation which may impact on record keeping e.g. FSMA 2000) the impact of Privacy and Electronic Communications (EC Directive) Regulations 2003 needs to be considered in addition to the Data Protection Act.
I found this link which may be of interest (even if you are outside the UK): http://www.informationcommissioner.gov.uk/cms/DocumentUploads/Website%20FAQ.pdf
Hi - interesting subject regarding DPA - firstly we do have a test Moodle site on campus and it is working with SSL and authenticating with our MS Active Directory. Waiting for a full test on this. Regarding DPA I thought it was more to do with information on the data subject, what you are storing and why. Also preventing misuse. That is why I was concerned about running Moodle over SSL and also authenticating to an existing source. Certainly I believe our registration would cover the use of Moodle as most of it is held at a higher level in our MIS core systems. I am interested in further thoughts though prior to going live.
From my (albeit limited) knowledge of the DPA I don't believe it's necessary to register for each area of use, provided all aspects of the use of data are covered.
Another thing which came up in my discussion with the member of staff in the IC office was having a policy on deleting information and justification for any term over which it is kept. I'm not anticipating major issues with this but it's another thing to think through.
The OECD offer a privacy statement generator but the link is dead - any suggestions on an alternative would be appreciated.
How does allowing pupils to edit and manage their data affect the DPA?
Pupils would then have the option to hide data.
They can also use fictitious data, e.g. town, if they want. As a school we only need their names and their enrolment on courses, and staff access to the pupil e-mail addresses, and this could be through pupils being subscribed to forums.
Surely we are then only looking at the security of the data, e.g. unauthorised access.