Our Commitment to Privacy

Legislative Requirements

Both the United States and the European Union have strong data privacy protection laws, especially for students and minors.

In the European Union, Directive 95/46/EC refers to anonymisation in Recital 26 to exclude anonymised data from the scope of data protection legislation (its successor, the General Data Protection Regulation, keeps the same "means reasonably likely to be used" test in its own Recital 26):

"Whereas the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; whereas codes of conduct within the meaning of Article 27 may be a useful instrument for providing guidance as to the ways in which data may be rendered anonymous and retained in a form in which identification of the data subject is no longer possible;"

In the United States, studies involving student data fall under FERPA.

FERPA (34 CFR §99.31(b)(2)) allows an educational agency or institution, or a party that has received education records or information from education records, such as a State educational authority, to release de-identified student-level data (microdata) from education records for the purpose of educational research by attaching a code to each record that may allow the researcher to match information received from the same source under the specified conditions. These conditions require that the coded de-identified microdata are used only for educational research purposes, that the party receiving the data is not allowed any access to the information about how the descriptor is generated and assigned, and that the code cannot be used to identify the student or to match the information from education records with data from any other source. Furthermore, a record descriptor may not be based on a student's social security number or other personal information.

This project is exempt from the requirement to obtain individual informed consent under the Code of Federal Regulations, Title 45, Public Welfare, Department of Health and Human Services, Part 46, Protection of Human Subjects, §46.101(b)(1)(ii), covering research on the effectiveness of or the comparison among instructional techniques, curricula, or classroom management methods, and §46.101(b)(4), covering the collection or study of existing data, recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects.

Preserving the confidentiality and privacy of this data has been treated with the utmost consideration. Following the recommendations of Daries et al. (2014), both personally identifiable information (PII) and data fields that could be used in combination to uniquely identify an individual are either replaced by keyed hashes or generalised. Log data is currently maintained within the Moodle server, restricted to system administrators with access to the database. Extracted data is de-identified by replacing every uniquely identifying value with a salted, keyed one-way hash or with a summary value. Because names, e-mail addresses and ID numbers are low-entropy, an unkeyed hash of them could be reversed by hashing every plausible value and comparing; the hash is therefore keyed, and the key is held only by the data custodians and never released with the extract. Relationships between records remain intact per individual (the same person always maps to the same token), but it is not possible to reverse a token to determine an individual's identity.

Individual De-Identification

The measures taken to ensure individual anonymity include:

  • Replace all personally identifiable information in User, Course, and Category records (short text fields, e.g. names, email addresses, course and category names and ID numbers) with unique, consistent identifiers not based on user-identifiable information, e.g. keyed hash values with a literal field label appended, such as "_firstname"
  • Replace all long text fields (e.g. forum posts, activity descriptions) with "dummy" text of the same length (e.g. repeated null words)
  • Replace all attached files with "dummy" files of approximately the same size and type
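The following is an added example, not the project's own extraction code, showing the first two measures above together with the keyed-hash approach described in the previous section: short PII fields and join keys become consistent HMAC-SHA256 tokens suffixed with a field label (the "_firstname" convention), free text becomes length-preserving dummy text, and a plain unkeyed hash is included only to show why the key matters. The custodian key, the Moodle-like field names and the sample rows are all assumptions constructed for illustration.

```python
"""Pseudonymising Moodle-style records: keyed hashes for short PII and
link fields, length-preserving dummy text for free text.

Added example, not the project's own code. Assumptions: the custodian
holds a secret HMAC key that is never released with the extract, field
names loosely follow Moodle's user and forum_posts tables, and the rows
below are constructed, not real data.
"""
import hashlib
import hmac
import re
from typing import Optional

# Placeholder secret held only by the data custodian (assumption; in practice
# generate 32 random bytes with os.urandom and keep them out of the extract).
CUSTODIAN_KEY = bytes.fromhex(
    "3c0f5a6e9b8d2d4b1f7a0c9e5d3b2a1f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b")

# Short text PII: replaced by a keyed token suffixed with the field name.
SHORT_PII_FIELDS = {"username", "firstname", "lastname", "email", "idnumber"}
# Free text: replaced by dummy text of the same shape.
LONG_TEXT_FIELDS = {"description", "message", "subject"}


def _normalise(value: str) -> str:
    # Case and whitespace differences must not split one person into two tokens.
    return value.strip().lower()


def keyed_token(key: bytes, label: str, value: str) -> str:
    """Consistent pseudonym: HMAC-SHA256 over label||value, truncated to 16
    hex chars and suffixed with the label (e.g. '..._email'). The label
    keeps equal strings in different fields from producing equal tokens."""
    mac = hmac.new(key, f"{label}\x00{_normalise(value)}".encode(), hashlib.sha256)
    return f"{mac.hexdigest()[:16]}_{label}"


def unkeyed_token(label: str, value: str) -> str:
    """The weak variant, for comparison only: a plain unkeyed hash. Anyone
    who knows the scheme can recompute it for every plausible name or address."""
    digest = hashlib.sha256(f"{label}\x00{_normalise(value)}".encode()).hexdigest()
    return f"{digest[:16]}_{label}"


def dummy_text(value: str) -> str:
    """Replace every non-whitespace character with 'x', so length, word
    count and line breaks survive but none of the content does."""
    return re.sub(r"\S", "x", value)


def deidentify_record(key: bytes, record: dict, link_fields: dict) -> dict:
    """link_fields maps a column to the entity it identifies, e.g.
    {"id": "user"} for the user table and {"userid": "user"} for posts,
    so user.id and post.userid receive the same token and joins still work."""
    out = {}
    for field, value in record.items():
        if field in link_fields:
            out[field] = keyed_token(key, link_fields[field], str(value))
        elif field in SHORT_PII_FIELDS:
            out[field] = keyed_token(key, field, value)
        elif field in LONG_TEXT_FIELDS:
            out[field] = dummy_text(value)
        else:
            out[field] = value  # timestamps, counts and flags pass through
    return out


def dictionary_attack(token: str, label: str, candidates) -> Optional[str]:
    """What a recipient without the key can try: hash every guess with the
    unkeyed scheme and look for a match. Works on unkeyed tokens only."""
    for guess in candidates:
        if unkeyed_token(label, guess) == token:
            return guess
    return None


# Constructed sample rows (not real data).
SAMPLE_USERS = [
    {"id": 7, "username": "asmith", "firstname": "Alice", "lastname": "Smith",
     "email": "Alice@Example.org", "description": "Second-year biology, loves hiking.",
     "timecreated": 1500000000},
    {"id": 8, "username": "bjones", "firstname": "Bob", "lastname": "Jones",
     "email": "bob@example.org", "description": "TA for BIO101.",
     "timecreated": 1500000100},
]
SAMPLE_POSTS = [
    {"id": 101, "userid": 7, "subject": "Week 2 question",
     "message": "Hi all, Alice Smith here.\nIs the lab on Tuesday?", "created": 1500001000},
]


def deidentify_extract(key: bytes = CUSTODIAN_KEY):
    """De-identify both sample tables with one key so cross-table links hold."""
    users = [deidentify_record(key, u, {"id": "user"}) for u in SAMPLE_USERS]
    posts = [deidentify_record(key, p, {"id": "post", "userid": "user"}) for p in SAMPLE_POSTS]
    return users, posts


if __name__ == "__main__":
    users, posts = deidentify_extract()
    for row in users + posts:
        print(row)
```

The same key must be used for every table in one extract, otherwise user.id and forum_posts.userid stop matching; conversely, a fresh key per released dataset prevents tokens from being linked across releases, which is the usual trade-off between longitudinal research and re-identification risk.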

Within-Institution De-Identification

Because individual courses may have low enrolment and generally have only one faculty member assigned, a course name or its contents could on their own reveal who taught or attended it. Course names are therefore also replaced with keyed hash tokens and course textual contents with dummy text, to prevent exposure of student and instructor identity.

Institutional De-Identification

Institutional identification becomes an issue for individuals when an institution is small enough that identifying an individual’s relationship with that institution becomes a potential means of identifying the individual. Institutions may also be concerned about revealing data about their internal processes, strengths, and potential weaknesses.

Secure Transmission

Moodle Pty Ltd uses public key encryption over a TLS (SSL) connection to support the secure transmission of data across the Internet. Access by Moodle Pty Ltd staff to servers storing institutional data is controlled by user IDs and passwords.

Last modified: Tuesday, November 14, 2017, 2:54 AM