GDPR and Moodle - What's Happening?
The GDPR extends current EU Data Protection legislation and the penalties for non-compliance can be severe.
There are a number of areas to be addressed in order to achieve GDPR compliance. One of them is how your Moodle site complies with GDPR.
GDPR affects any individual or organisation that stores or processes personal information on an identifiable person from an EU member state, regardless of whether the processing or storage takes place in the EU or not. It also applies if the individual or organisation itself is located in an EU member state.
One of the biggest changes from the Data Protection Directive is that all relevant people have the right to receive a copy of their data, the right to correct and restrict their data, and the right to erase their data. For data collection, people must opt in to having their personal data stored before any personal data can be captured.
What kind of information comprises personal data in a Moodle site?
All information that can be associated with an individual person. Each user account and all the activity associated with that user account is classified as personal information. This extends to information stored in backups, as well as associated information such as web server log files, including IP addresses.
What Moodle are doing to help
Moodle has a set of features in development to address compliance in the following areas: onboarding of new users, privacy statements, the tracking of consent, and the handling of subject access requests.
The features will initially be implemented as plugins, with the following functionality:
1. The onboarding process for new users, including:
- Displaying all required privacy statements, providing additional privacy information during user sign-up, and recording and logging user consents more extensively. [See this in the Moodle Tracker].
- Listing, and requesting consent for, all third parties who may receive user data
- Establishing a process for consenting minors
- Capturing and recording each specific consent given by a user.
2. Processes to comply with subject access requests (SARs), for a particular user, including:
- A request to retrieve all user data on Moodle
- A request to erase all identifiable user data on Moodle
- A request to modify user data
- Providing additional means for users to obtain a copy of their data and to invoke their right to data erasure, and keeping track of all types of data held within Moodle in a data registry. [See this in the Moodle Tracker].
These will initially be released as plugins, scheduled for March 2018, which will enable those using Moodle 3.3 and 3.4 to become compliant with the new regulations by installing and configuring the plugins in addition to implementing the required organisational procedures and processes.
These features will then become part of
Installing the plugins alone is not going to be enough to meet the GDPR requirements. Correct configuration and implementation of the required processes and procedures are also required, and you should engage with your IT and legal departments on what is needed.
Where to start
The first place to start is to read
If you are not on Moodle 3.3 or above, we recommend you upgrade as soon as possible. This will enable you to install the plugins that Moodle are developing to support compliance.
If you are on Moodle 3.2, there is not yet a plan
If you are on Moodle 3.3 or above, you should make sure that you update to the most recent version of that release.
You can check your Moodle version by navigating to Site Administration -> Notifications. The version is at the bottom of the page.