MoodleDocs - User contributions [en]

MediaWiki:MoodleDocsVersionLinks

2018-11-30T16:03:19Z

Tsala: 3.6 link

3.3 docs: /33/en/{{FULLPAGENAMEE}}
3.6 docs: /36/en/{{FULLPAGENAMEE}}
3.5 docs: /35/en/{{FULLPAGENAMEE}}
3.4 docs: /34/en/{{FULLPAGENAMEE}}
3.1 docs: /31/en/{{FULLPAGENAMEE}}

Template:MediaPlayer

2018-10-30T12:21:08Z

Tsala: Fix the urlargs parameter syntax (copied from 35 docs)

<includeonly>{{#evt:
service=youtube
|id={{{url}}}
|description={{{desc|{{{url}}}}}}
|urlargs=modestbranding=1&rel=0
}}</includeonly><noinclude>

Displays an embedded media player of the given YouTube video.

== Syntax ==

<nowiki>{{MediaPlayer | url = https://www.youtube.com/watch?v=U7M3sZL6wts | desc = Video description}}</nowiki>

</noinclude>

Policies plugin

2018-09-17T14:27:42Z

Tsala: tool_policies standard in 3.3.8 (MDL-62800)

{{New features}}The policies tool provides a new user sign-on process, with ability to define multiple policies (site, privacy, third party), track user consents, and manage updates and versioning of the policies.

It was introduced as a plugin [https://moodle.org/plugins/tool_policy tool_policy] in Moodle 3.3 and is available as standard in Moodle 3.3.8 onwards.

==Enabling the policies tool==

To enable the policies tool:

# Go to 'Policy settings' in the Site administration.
# Set the Site policy handler to 'Policies (tool_policy)'.
# Save changes.

Two new pages will then appear in the Site administration - 'Manage policies' and 'User agreements'.

Note that when Policies is set as the site policy handler, the settings 'Site policy' and 'Site policy for guests' are ignored.

==Adding and managing policies==
[[File:policies and agreements.png|thumb|Policies and agreements]]
An admin or any user with the [[Capabilities/tool/policy:managedocs|Manage policies]] capability (by default manager) can access the page 'Manage policies' in the Site administration and:

* Add a new site / privacy / third parties / other policy for all users, authenticated users or guests
* Change the active / inactive status of each policy
* View the number and percentage of users who have agreed to each policy
* Edit a policy and specify whether it is a minor change (not requiring users to reconfirm their consent) or not
* View the current version of each policy and also previous versions
* Change the order in which policies are shown to users

To add a new policy:

# Go to 'Manage policies' in the Site administration.
# Click the button 'New policy'
# Complete the form and save changes.

Note that once created, a policy can be edited, or set to inactive, but if users have agreed to it, it can't be deleted.

==Giving consent to policies==
[[File:Agreeing to policies.png|thumb|Giving consent to policies]]
All users (with the exception of admins) will be required to give their consent to all policies defined either for “Authenticated users” or for “All users” before proceeding further on the site.

If a new policy is added, all users will be required to give their consent when they next log in. Similarly, if an existing policy is edited and is not marked as a minor change, all users will be required to give their consent when they next log in.

If self-registration is enabled on the site, new users will be required to give their consent to all policies before proceeding to the sign-up form. If digital age of consent verification (a new setting in Moodle 3.4.2 onwards) is enabled in '[[Privacy|Privacy settings]]' in the Site administration, when a new user clicks the 'Create new account' button, they will be prompted to enter their age and country. If the user's age is lower than the age of consent for their country, they will see a message prompting them to ask their parent/guardian to contact the support contact (as specified in 'Support contact' in the Site administration).

==Policies for guests==
[[File:policies modal window.png|thumb|Policies for guests modal window]]
If a user logs in as a [[Guest access|guest]], a modal window will be shown at the bottom of the user's browser window with links to all policies defined either for guests or for all users.

==Minors==
[[File:No permission to agree to policies.png|thumb|Minor prevented from proceeding further on the site]]
Users who are younger than the age of digital consent, called 'minors', may be prevented from giving their consent by prohibiting the capability [[Capabilities/tool/policy:accept|Agree to policies]]. They will then be prevented from proceeding further on the site until someone can give consent on their behalf.

===Sites with minors as the majority of users===

To prohibit users from agreeing to policies because they are a minor:

# Go to 'Define roles' in the Site administration.
# Edit the role of authenticated user and set [[Capabilities/tool/policy:accept|Agree to policies]] to prohibit.
# Save changes.

To enable teachers and other users who are not minors to agree to policies:

# Go to 'Define roles' in the Site administration.
# Click the button 'Add a new role'.
# Give the role a name such as 'Able to give consent', short name and description.
# For context types where this role may be assigned, tick system.
# Enter policy in the filter box, then allow the capability Agree to policies.
# Click the button 'Create this role'.
# Go to 'Assign system roles' in the Site administration.
# Choose the 'Able to give consent' role to assign.
# Select teachers and other users in the Potential users list, and use the left-facing arrow button to add them to the Existing users list.

===Sites with only a few minors===

To prohibit users from agreeing to policies because they are a minor:

# Go to 'Define roles' in the Site administration.
# Click the button 'Add a new role'.
# Give the role a name such as 'Digital minor', short name and description.
# For context types where this role may be assigned, tick system.
# Enter policy in the filter box, then prohibit the capability Agree to policies.
# Click the button 'Create this role'.
# Go to 'Assign system roles' in the Site administration.
# Choose the 'Digital minor' role to assign.
# Select minors in the Potential users list, and use the left-facing arrow button to add them to the Existing users list.

==User agreements==
[[File:user agreements.png|thumb|User agreements filtered to show minors]]
An admin or any user with the [[Capabilities/tool/policy:viewacceptances|View user agreements reports]] capability (by default manager) can access the page 'User agreements' in the Site administration and:

* View user consents
* Filter by policy, permission, status or role
* Give consent on behalf of minors
* Download table data

User agreements for a particular policy may also be viewed via the 'Manage policies' page by clicking the link in the Agreements column.

==Giving consent on behalf of other users==

An admin or any user with the capability [[Capabilities/tool/policy:acceptbehalf|Agree to the policies on someone else's behalf]] can give consent on behalf of minors or when a written consent was obtained offline.

===Giving consent on behalf of multiple users===
[[File:Record of consents.png|thumb|Record of consents with remarks]]
Users with capability [[Capabilities/tool/policy:acceptbehalf|Agree to the policies on someone else's behalf]] in the system context, such as managers, can give consent on behalf of multiple users as follows:

# Go to 'User agreements' in the Site administration.
# If necessary, filter by 'Permission: Can not agree'.
# To give consent for multiple policies, tick the box next to selected users' names then click the consent button.
# To give consent for a single policy, click the red cross next to the user's name.

When giving consent on behalf of other users, there is an opportunity to add some remarks. Clicking on the link in the Overall column gives an overview with details of who gave consent and when, together with any remarks.

===Giving consent on behalf of a child===

A parent or guardian may be allowed to give consent on behalf of their child by giving them the capability [[Capabilities/tool/policy:acceptbehalf|Agree to the policies on someone else's behalf]] in the user context. See the [[Parent role]] for details of how to create the role and assign a parent to a student. The parent or guardian will then be able to give consent as follows:

# Go to the child's profile page.
# Click the link 'Policies and agreements'.
# Click the red cross next to the policy name.

==Capabilities==

* [[Capabilities/tool/policy:accept|Agree to policies]] - allowed for authenticated user role
* [[Capabilities/tool/policy:managedocs|Manage policies]] - allowed for default role of manager only
* [[Capabilities/tool/policy:manageprivacy|Manage privacy settings]] - allowed for default role of manager only
* [[Capabilities/tool/policy:viewacceptances|View user agreements reports]] - allowed for default role of manager only
* [[Capabilities/tool/policy:acceptbehalf|Agree to policies on someone else's behalf]] - allowed for default role of manager only

==See also==

* [[GDPR for administrators (Moodle 3.4.2+)]]

[[Category:Privacy]]

[[es:Plugin de políticas]]
[[de:Richtlinien und Einwilligungen]]

Data privacy

2018-09-17T14:25:16Z

Tsala: removing heading

{{New features}}The Data privacy functionality provides the workflow for users to submit a data request (also known as a subject access request or SAR) and for the site administrator or privacy officer to process these requests. It was introduced as a plugin [https://moodle.org/plugins/tool_dataprivacy tool_dataprivacy] for Moodle 3.3 and is available as standard in Moodle 3.3.8 onwards.

==Privacy officer role==

It is recommended that you create a [[Privacy officer role]] and assign it to the person responsible. If there is nobody on the site with the role of privacy officer i.e. nobody with the capability to manage data requests, then a site admin can respond to data requests and manage the data registry.

==Data requests==
[[File:requesting data.png|thumb|Requesting data]]
Any user can send a message to the privacy officer via the 'Contact privacy officer' link on their profile page.

In addition, they can request a copy of all of their personal data or request that their personal data should be deleted as follows:

# Go to your profile page (via the user menu).
# Click the link 'Data requests' then click the 'New request' button.
# Select 'Export all of my personal data' or 'Delete all of my personal data' as appropriate.
# Save changes.
[[File:Request approved.png|thumb|Request approved]]
The privacy officer will then receive a data request notification.

If the user has requested a copy of all of their personal data, once the request is approved, they will receive a notification to inform them that their personal data may be downloaded from their Data requests page. In Moodle 3.3.8 onwards, the user has by default one week to download their data before the download link expires. (An administrator can set a different expiry time for the data request in 'Privacy settings' in the Site administration.)

If the user has requested that their personal data should be deleted, once the request is approved, they will receive an email to inform them and they will no longer be able to log in to the site.

==Responding to data requests==
[[File:viewing a data request.png|thumb|Viewing a data request]]
The privacy officer can respond to data requests as follows:

# Go to 'Data requests' in the Site administration (or follow the link in the data request notification).
# In the Actions dropdown, select View, Approve, or Deny as appropriate.

If the user has sent a message, the privacy officer can view the message and copy the user's email address, then reply via email. In Moodle 3.3.8 onwards, after replying they can mark it as complete.

==Data registry==
[[File:data registry.png|thumb|Data registry]]
The privacy officer can set purposes (why the organisation is processing data) with retention periods and categories for data stored in Moodle in the data registry.

A default purpose and retention period may be set for course categories, courses, activity modules and blocks.

===Example categories===

* Administrative: Civil status, identity, identification data, images …
* Personal life (lifestyle, family situation, etc.)
* Economic and financial information (income, financial situation, tax situation, etc.)
* Connection data (IP address, logs, etc.)
* Educational Data (Assessed Coursework, exam scripts etc)
* Records of Education Attainment (Results of exams, assessments, qualifications awarded etc)
* Location data (travel, GPS data, GSM, etc.)

===Data registry set-up===

To add purposes and categories:

# Go to 'Data registry' in the Site administration.
# In the Edit menu select Categories.
# On the 'Edit categories' page, click the + button to add a new category.
# Enter a category name and description then click the Save button.
# Go to 'Data registry' again and in the Edit menu select Purposes.
# On the 'Edit purposes' page, click the + button to add a new purpose.
# Enter a purpose name, description and retention period then click the Save button.

To set default categories and purposes:

# In 'Data registry' in the Site administration click the 'Set defaults' button.
# Select a default category and purpose for the site, and for users, course categories, courses, activity modules and blocks as required.
# Save changes.

==Capabilities==

* [[Capabilities/tool/dataprivacy:managedataregistry|Manage data registry]]
* [[Capabilities/tool/dataprivacy:managedatarequests|Manage data requests]]
* [[Capabilities/tool/dataprivacy:makedatarequestsforchildren|Make data requests for children]]

[[Category: Privacy]]

[[es:Plugin de privacidad de datos]]
[[de:Schutz persönlicher Daten]]

Data privacy plugin

2018-09-17T13:53:01Z

Tsala: Tsala moved page Data privacy plugin to Data privacy

#REDIRECT [[Data privacy]]

Data privacy

2018-09-17T13:53:01Z

Tsala: Tsala moved page Data privacy plugin to Data privacy

==Data privacy functionality==
{{New features}}The Data privacy functionality provides the workflow for users to submit a data request (also known as a subject access request or SAR) and for the site administrator or privacy officer to process these requests. It was introduced as a plugin [https://moodle.org/plugins/tool_dataprivacy tool_dataprivacy] for Moodle 3.3 and is available as standard in Moodle 3.3.8 onwards.

==Privacy officer role==

It is recommended that you create a [[Privacy officer role]] and assign it to the person responsible. If there is nobody on the site with the role of privacy officer i.e. nobody with the capability to manage data requests, then a site admin can respond to data requests and manage the data registry.

==Data requests==
[[File:requesting data.png|thumb|Requesting data]]
Any user can send a message to the privacy officer via the 'Contact privacy officer' link on their profile page.

In addition, they can request a copy of all of their personal data or request that their personal data should be deleted as follows:

# Go to your profile page (via the user menu).
# Click the link 'Data requests' then click the 'New request' button.
# Select 'Export all of my personal data' or 'Delete all of my personal data' as appropriate.
# Save changes.
[[File:Request approved.png|thumb|Request approved]]
The privacy officer will then receive a data request notification.

If the user has requested a copy of all of their personal data, once the request is approved, they will receive a notification to inform them that their personal data may be downloaded from their Data requests page. In Moodle 3.3.8 onwards, the user has by default one week to download their data before the download link expires. (An administrator can set a different expiry time for the data request in 'Privacy settings' in the Site administration.)

If the user has requested that their personal data should be deleted, once the request is approved, they will receive an email to inform them and they will no longer be able to log in to the site.

==Responding to data requests==
[[File:viewing a data request.png|thumb|Viewing a data request]]
The privacy officer can respond to data requests as follows:

# Go to 'Data requests' in the Site administration (or follow the link in the data request notification).
# In the Actions dropdown, select View, Approve, or Deny as appropriate.

If the user has sent a message, the privacy officer can view the message and copy the user's email address, then reply via email. In Moodle 3.3.8 onwards, after replying they can mark it as complete.

==Data registry==
[[File:data registry.png|thumb|Data registry]]
The privacy officer can set purposes (why the organisation is processing data) with retention periods and categories for data stored in Moodle in the data registry.

A default purpose and retention period may be set for course categories, courses, activity modules and blocks.

===Example categories===

* Administrative: Civil status, identity, identification data, images …
* Personal life (lifestyle, family situation, etc.)
* Economic and financial information (income, financial situation, tax situation, etc.)
* Connection data (IP address, logs, etc.)
* Educational Data (Assessed Coursework, exam scripts etc)
* Records of Education Attainment (Results of exams, assessments, qualifications awarded etc)
* Location data (travel, GPS data, GSM, etc.)

===Data registry set-up===

To add purposes and categories:

# Go to 'Data registry' in the Site administration.
# In the Edit menu select Categories.
# On the 'Edit categories' page, click the + button to add a new category.
# Enter a category name and description then click the Save button.
# Go to 'Data registry' again and in the Edit menu select Purposes.
# On the 'Edit purposes' page, click the + button to add a new purpose.
# Enter a purpose name, description and retention period then click the Save button.

To set default categories and purposes:

# In 'Data registry' in the Site administration click the 'Set defaults' button.
# Select a default category and purpose for the site, and for users, course categories, courses, activity modules and blocks as required.
# Save changes.

==Capabilities==

* [[Capabilities/tool/dataprivacy:managedataregistry|Manage data registry]]
* [[Capabilities/tool/dataprivacy:managedatarequests|Manage data requests]]
* [[Capabilities/tool/dataprivacy:makedatarequestsforchildren|Make data requests for children]]

[[Category: Privacy]]

[[es:Plugin de privacidad de datos]]
[[de:Schutz persönlicher Daten]]

Data privacy

2018-09-17T13:52:49Z

Tsala: copying updates from 3.4 docs

Upload cohorts

2018-08-09T05:16:33Z

Tsala: cohort and user upload clarification

{{Accounts}}
An administrator can upload multiple cohorts from a CSV (comma separated values) formatted text file in ''Administration > Site administration > Users > Accounts > Cohorts > Upload cohorts''. Cohorts can be created in both the system (site-wide) context or in the [[Course_categories|course category context]].

Once a cohort has been created, new users can be added to it from the [[Upload users]] page, using an appropriately formatted .CSV file.

==Upload cohort process==
Here is an outline of the process:

# Create cohort file for uploading (CSV text file with a 'name' column and the name of each new cohort on a new line)
# Go to ''Administration > Site administration > Users > Accounts > Cohorts > Upload cohorts'
# Add file to upload
# Upload cohort preview - review settings and check for any errors. If errors are reported with the file, correct as needed.
# Upload cohorts - click "Upload cohorts"
# Upload cohorts results - shows how many cohorts were created
# Upload cohorts results - click "Continue"
# Returns to Upload users screen

===Settings===
====File====
The CSV formatted text file containing cohort data to be uploaded. See the [[cohort/upload#File_format_for_the_upload_cohorts_file|File format for the upload cohorts file]] section for more detailed information about the cohorts upload file.

====CSV delimiter====
The character used as a delimiter between fields in the cohort upload file. The delimiter separates the various fields on a single line. By default, a comma (',') is used as the delimiter; however, other options are available.
; <pre>,</pre> - uses the comma character as the field delimiter
; <pre>;</pre> - uses the semicolon character as the field delimiter
; <pre>:</pre> - uses the colon character as the field delimiter
; <pre>\t</pre> - uses \t (tab) as the field delimiter

====Encoding====
You can specify the character encoding of the upload cohorts file. The default character encoding is UTF-8.
====Default context====
You can specify the default context to use from a list of available contexts. The default context is the System context (i.e. site-wide). A list of course categories will be listed and one of those course categories can be selected as the default context if one is not provided in the upload cohorts file. If the <code>contextid</code> (or one of the available fields to lookup the <code>contextid</code>) is provided, then that value will be used; however, if a contextid is not provided for a particular cohort the default context will be used.

==File format for the upload cohorts file==
The upload cohorts CSV text file has fields separated by a comma (or other delimiter). The first line contains valid field names (preferrably lower case). The rest of the lines (records) contain information about each new cohort.

'':Tip:'' Avoid special characters in field information like quotes or other commas. Test a file with only one record before a large upload.
'':Tip:'' You can use a spreadsheet program to create the file with the required columns and fields. Then save the file as "CSV (comma delimited)". These files can then be opened with simple text editors for verification.

===Valid upload file for testing===
Here is an example of a simple valid upload cohorts file:
(Column headers on the first line of the file are only highlighted in bold in this example to distinguish it from the rest of the of the data/user details)

'''name,idnumber,description'''
Class of 2019,2019,Members of the Class of 2019
Class of 2020,2020,Members of the Class of 2020

===Fields that can be included===

*'''Required fields''':
:<code>name</code> - the name of the cohort to be created

*'''Optional fields''': To provide values other than the default include one or more of the following optional fields:
:<code>contextid</code> - used to specify the context id number of the cohorts you are uploading. For example, the context id number of a particular course category.
:<code>idnumber</code> - used to provide an id number for the cohorts you are uploading
:<code>description</code> - used to provide a description for the cohorts you are uploading
:<code>descriptionformat</code> - used to specify the text format of the description. By default, the descriptionformat is set to the recommended value of 1 (FORMAT_HTML); however, values of 0 (FORMAT_MOODLE) and 2 (FORMAT_PLAIN) are also available. These format values are defined in lib/weblib.php.
:<code>visible</code> - used to specify whether the cohorts you are uploading should be visible (1) or not (0).

*'''Additional fields''' : If needed, there are some additional fields that while not normally used can be utilized. Additional fields typically require looking up information in other tables (such as the course categories or context tables). The additional fields provide an alternative way of finding the course category context id. A bit of extra caution is recommended in using these additional fields. The list of additional fields includes:
:<code>context</code> - used to specify the name of the context name for each of the cohorts you are uploading.
:<code>category</code> - used to specify the name of the category name for each of the cohorts you are uploading. For example, the category name of a particular course category.
:<code>category_id</code> - used to specify the course category id (not idnumber) of the category for each of the cohorts you are uploading. For example, the course category id of a particular course category.
:<code>category_idnumber</code> - used to specify the course category idnumber (not id) of the category for each of the cohorts you are uploading. For example, the course category idnumber of a particular course category.
:<code>category_path</code> - used to specify the course category path of the category for each of the cohorts you are uploading. For example, the course category path of a particular course category.

== See also ==
* [[Cohorts]]
* [[Cohorts#Creating_cohorts_in_bulk|Creating cohorts in bulk]]

[[es:Subir cohortes]]
[[de:Globale Gruppen hochladen]]

MoodleDocs:Privacy policy

2018-06-18T15:52:15Z

Tsala: link update

The privacy notice for Moodle Docs is available on moodle.org: [https://moodle.org/admin/tool/policy/view.php?policyid=1 Privacy notice].

Privacy

2018-05-18T09:41:21Z

Tsala: /* Digital age of consent verification */ updated list default

{{Security}}
==Privacy settings==

===Digital age of consent verification===
{{New features}}[[File:age and location verification.png|thumb|Age and location verification]]
In Moodle 3.3.5 onwards, a 'Digital age of consent verification' may be enabled in 'Privacy settings' in the Site administration. The default digital age of consent, and the age in any country where it differs from the default, may be specified. Country codes are as specified in [https://en.wikipedia.org/wiki/ISO_3166-2 ISO 3166-2].

*, 16
AT, 14
ES, 14
US, 13

In the above list the default digital age is 16.

If self-registration AND 'Digital age of consent verification' are both enabled, when a new user clicks the 'Create new account' button, they will be prompted to enter their age and country. If the user's age is lower than the age of consent for their country, they will see a message prompting them to ask their parent/guardian to contact the support contact (as specified in 'Support contact' in the Site administration).

[[File:digital minor message.png|thumb|Digital minor message]]

==Policy settings==

* A site policy may be enabled by entering the URL in 'Policy settings' in the Site administration. The URL can point to any type of file anywhere online that can be accessed without a log in to your Moodle. It is not recommended that a [[Page resource|page resource]] is used as a site policy, since the site header will be repeated in the iframe (see MDL-30486).
* It is recommended that the site policy is on the same domain as Moodle to avoid the problem of Internet Explorer users seeing a blank screen when the site policy is on a different domain.
* The site policy will be displayed in a frame. You can view it via the URL ''<nowiki>yourmoodlesite.org/user/policy.php</nowiki>''.
* If [[Email-based self-registration]] is enabled on the site, a link to the site policy is displayed on the signup page.
* When a site policy URL is set, all users will be required to agree to it when they next log in before accessing the rest of the site.
* A site policy for guests may also be enabled. Guest users will need to agree to it before accessing a course with [[Guest access]] enabled.

(In versions of Moodle prior to 3.3.5, the the Site policy URL and Site policy URL for guests settings were located in 'Site policies'.)

==Enrolment key usage==
If [[Self enrolment]] is used, in ''Settings > Site administration > Plugins > Enrolments > Self enrolment'':

* Enforce enrolment key usage by ticking the 'Require enrolment key' checkbox
* Enforce enrolment key complexity by ticking the 'Use password policy' checkbox
* Disable the [[Enrolment key|enrolment key]] hint leaving the 'Show hint' checkbox unticked

==Hiding user fields==

Increase student privacy by hiding user fields which would normally appear on users' profile pages, and in some cases on the course participants page.

The ''hiddenuserfields'' setting is in ''Administration > Site administration > Users > Permissions > [[User policies]]''.

User fields which may be hidden are:<br />
Description, city/town, country, web page, ICQ number, Skype ID, Yahoo ID, AIM ID, MSN ID, first access, last access, last IP address and my courses.

==See also==

* Using Moodle [http://moodle.org/mod/forum/view.php?id=7301 Security and Privacy forum]
* Using Moodle [https://moodle.org/mod/forum/discuss.php?d=233702 Student Privacy] forum discussion
* [https://docs.moodle.org/dev/GDPR_For_Administrators GDPR for administrators] - GDPR stands for General Data Protection Regulation and refers to the European Union regulation for data protection for all individuals within the European Union

[[de:Datenschutz in Moodle]]
[[es:Aumentando la privacidad en Moodle]]

MediaWiki:MoodleDocsVersionLinks

2018-05-17T06:34:58Z

Tsala: 3.5 link

3.3 docs: /33/en/{{FULLPAGENAMEE}}
3.5 docs: /35/en/{{FULLPAGENAMEE}}
3.4 docs: /34/en/{{FULLPAGENAMEE}}
3.1 docs: /31/en/{{FULLPAGENAMEE}}

GDPR for administrators

2018-04-16T08:13:14Z

Tsala: content copied from 3.4 wiki

{{GDPR}}

Disclaimer: The advice in this document is provided for informational purposes only, and not be construed as legal or professional advice. Moodle Pty Ltd does not warrant that the advice is accurate, complete, reliable, current or error-free. Please ensure to obtain your own independent legal and IT advice.

== Checklist ==

<ol>
<li> Is the Moodle site hosted in an EU member state, or is it possible that any user of the Moodle site is an individual from an EU member state?
<ul>
<li> If you answered no to this question, you are not affected by this regulation. However, the benefits of data protection afforded by the regulation are universally applicable and you may consider voluntarily complying with this legislation for the benefit of your site users.</li>
</ul>
</li>
<li>
Do you require your site users to accept a site or privacy policy document before using your site (either in Moodle or something outside of Moodle, like a paper form)?
<ul>
<li>If you answered no to this question, you must start doing so. Users need to be aware of their rights and the processes with which they can exercise their rights.</li>
<li>If you answered yes to this question you must review your policy to make sure it covers all requirements of the new regulations (see “Site policy” below). If you change your policy you must get all site users to accept the new policy before they can continue using the site.</li>
</ul>
</li>
<li>Is it possible that your site is used by minors? (Under 16 in most member states, but some states may reduce this as low as 13 years).
<ul>
<li>If you answered yes to this question, you must ensure that the consent is obtained from their legal guardian. Keep in mind that collecting and processing personal information on minors may impact your risk assessment. You should take extra care to adequately secure this information, and retain it for as short a period as is necessary.</li>
</ul>
</li>
<li>Is it the collection or storage of personal data from your site users likely to result in a high risk to their rights and freedoms?
<ul>
<li>Some examples that would indicate high risk are:
<ul>
<li>a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person</li>
<li>processing on a large scale of special categories of data including
<ul>
<li>Racial or ethnic origin</li>
<li>Political opinions</li>
<li>Religious or philosophical beliefs</li>
<li>Trade union membership</li>
<li>Genetic data</li>
<li>Biometric data</li>
<li>Data concerning health</li>
<li>Sexual orientation</li>
<li>Data concerning a natural person’s sex life</li>
<li>Criminal convictions</li>
</ul>
</li>
<li>This is not an exhaustive list and if you are unsure if you should consider the data collected from your users as “High risk” you should refer to the legislation and seek professional advice.</li>
</ul>
</li>
<li>If the answer is “Yes”, you should perform a Data Protection Impact Assessment. Refer to the legislation and seek professional advice.</li>
</ul>
</li>
<li>Do you use any of the collected personal information for the purposes of marketing?
<ul>
<li>If you answered yes to this question - you must obtain a separate consent from each user to use this data for this purpose. Consent to use the data for marketing must be separately withdrawable by the user.</li>
</ul>
</li>
<li>Do you use any of the collected personal information for the purposes of research?
<ul>
<li>If you answered yes to this question, you must either obtain a specific consent from each user to use the data for this purpose, or completely anonymise the data before using it for research. <br /><br />[https://github.com/moodlehq/moodle-local_anonymise https://github.com/moodlehq/moodle-local_anonymise] is an example of a tool designed to anonymise all the data on a moodle site.</li>
</ul>
</li>
<li>Do you share any of the collected data with any third parties? This includes sites and services that integrate with Moodle such as: Google analytics, LTI, Repositories (Google Docs, OneDrive etc), Authentication systems etc. This also includes sites and services used in the provision of your own Moodle site such as hosting providers.
<ul>
<li>If you answered yes to this question then you are responsible for all data that is shared with a third party. You must obtain the user’s consent to share this data with each third party. If the list of third party services changes you must re-obtain consent from all site users for each new third party site/service. You should also take reasonable steps to ensure that each third party will adequately protect users personal data including:
<ul>
<li>Reviewing the third party privacy policy to make sure it is congruent with your own</li>
<li>Monitoring and notifying your site users about changes to the third party privacy policy</li>
<li>Identify the mechanism for processing requests to erase or correct personal data with each third party so that you can follow this process when you receive one of these requests for your own site</li>
<li>Identify and list the data protection officer, and privacy policy for each third party site as part of your own privacy policy</li>
</ul>
</li>
<li>Google analytics for example has not yet provided clear updated instructions on how to comply with the new GDPR when using their service. It is probable that they will issue guidance on how to use Google Analytics in compliance with the GDPR before it becomes enforceable, but this example demonstrates that it is your responsibility to ensure the protection of privacy of the users of your site and it is not legal to use cloud services without considering the privacy implications of each and every service provider.</li>
</ul>
</li>
<li>Do you follow best practice policies and procedures to ensure data security?
<ul>
<li>If you answered no to this question then you have must review your policies and procedures to ensure you are not placing your sites users personal data at risk.
<ul>
<li>“Best practices” includes but is not limited to organisational and technical measures to ensure a level of security appropriate to the risk such that:
<ul>
<li>pseudonymisation and encryption of personal data</li>
<li>the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services</li>
<li>the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident</li>
<li>a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing</li>
</ul>
</li>
<li>Examples:
<ul>
<li>Appropriate use of encryption (https)</li>
<li>Maintaining all systems and software with relevant security updates.</li>
<li>Deletion of personal data as soon as possible, once it is no longer required for the purpose it was collected.</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li>Do you have defined policies and procedures for disclosing data breaches?
<ul>
<li>If you answered no this question then you must define some</li>
<li>If you have existing policies and procedures they should be reviewed</li>
<li>These policies and procedures must include notifying the Supervisory Authority within 72 hours of the data breach and notifying all affected users if they have been adversely affected (personal data disclosed).</li>
</ul>
</li>
<li>Have you appointed a data protection officer, and listed them in your privacy policy?
<ul>
<li>If you answered no to this question then you must appoint one and list them in your site's privacy policy. The data protection officer is expected to be “proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data [[#ref1|1]].</li>
</ul>
</li>
<li>Do you have a mechanism with with your site users can request their personal data is erased, corrected or made available to the requesting user on your site?
<ul>
<li>If you answered yes to this question then must ensure it is listed in your site's privacy policy</li>
<li>If you answered no to this question then you define one and list it in your site's privacy policy
<ul>
<li>For a Moodle site that does not make use of the GDPR plugins, a suitable mechanism would be an email address, reserved for this purpose that is monitored by an administrator for your Moodle site. Once a request is received, reasonable steps should be taken to ensure the authenticity of the request and the identity of the user making the request</li>
<li>Corrections to personal data can be processed by changing the data in Moodle directly using an administrator account</li>
<li>Erasures of personal data can be processed by either deleting the user account, or by editing the user account to remove all identifying information and making it inactive</li>
<li>Records of personal data can be obtained from the “Site Administration -> Reports -> Logs” by downloading all the logs for a single user as a CSV file. There will likely be additional personal data about a user that is stored outside of Moodle, such as web server access logs.</li>
</ul>
</li>
</ul>
</li>
<li>Does your organisation have more than 250 employees?
<ul>
<li>If you answered yes to this question then you must maintain detailed records on all processing of personal data. Refer to the regulation for details of the records that must be maintained</li>
</ul>
</li>
</ol>

== Site policy ==

A site policy can be used to collect consent for the purposes of GDPR compliance. The site policy document should be reviewed carefully to make sure it covers all the information listed below, in succinct, simple language.

In Moodle 3.3.5 onwards, to enable a site policy, enter the URL of the page in 'Site policy URL' (sitepolicy) in 'Policy settings' in the Site administration. (In versions of Moodle prior to 3.3.5, the setting 'Site policy URL' (sitepolicy) can be found in 'Site policies' in the Site administration.)

The site policy page should contain all of the information listed below. The site policy will be displayed in an iframe as part of the login process, so it does not require headers and footers.

A recommended practice is to create a file resource on the front page of the Moodle site and copy the URL for this resource to use as the site policy. This means the site policy is always available for your users to access, and can be updated easily from within Moodle. Note that this technique is incompatible with the “Force users to log in (forcelogin)” setting, (also in 'Site policies' in the Site administration) as the file resource will no longer be visible until the user has logged into the site.

The site policy must include all of the following information in simple language:

# What information is collected.
# The purpose of all processing to be performed on the users data. Marketing must be listed separately with a separate revocable “consent”.
# The identity of the data controller and contact information
# List of rights
# The period the data is stored
# The mechanism for withdrawing consent
# The mechanism for requesting corrections, or erasures of personal data
# The mechanism for requesting a record of all personal data
# List of third parties that data will be shared with (This includes integrations such as LTI, portfolios, plagiarism, repositories, authentication etc.) including:
## The contact details of the data protection officer for each
## The privacy policy for each.
# Whether the personal data will be used for any automated decision making process, including the significance and details of the process (e.g. analytics).

[[es:GDPR para administradores]]

Template:GDPR

2018-04-16T08:12:01Z

Tsala: copying changes from 3.4 wiki

<div class="navtrail">[[Main page]] ► [[GDPR]] ► [[{{PAGENAME}}]]</div>
<div class="sideblock right" style="width: 16em;">
<div class="header">[[GDPR]]</div>
<div class="content">
</div>
* [[GDPR for administrators|GDPR for admins]]
* [[Policies plugin]]
* [[Data privacy plugin]]
* [[GDPR FAQ]]
</div>

<includeonly>[[Category:GDPR]]</includeonly>
<noinclude>This template will categorize articles that include it into [[:Category:GDPR]].</noinclude>

GDPR FAQ

2018-04-16T08:11:10Z

Tsala: copying changes from 3.4 wiki

{{GDPR}}

===What is GDPR?===

GDPR stands for General Data Protection Regulation, and refers to the European Union regulation for data protection for all individuals within the European Union.

The regulation (Regulation (EU) 2016/679) becomes enforceable on 25 May 2018 and replaces the data protection directive (officially Directive 95/46/EC) from 1995.

===Who needs to be GDPR compliant?===

Any individual or organisation that stores or processes personal information on an identifiable person from an EU member state (regardless if the processing or storage of information occurs in the EU or not) are affected by GDPR.
GDPR rules also applies if the individual or organisation themselves is located in an EU member state.

===How is Moodle HQ assisting with GDPR compliance?===

Earlier this year we reached out to the community through our forums and social media to gauge the needs of different organisations on how they would need to comply with GDPR. We received direct input from a number of Moodle institutions, our Moodle Partner network and developers.

We have a plan to meet those needs and the plan involves the development of a set of features (made available through plugins and some minimal changes to core) which will assist Moodle sites meeting GDPR compliance needs. The features cover the following areas:

* Onboarding of new users, including; age and location check to identify minors, versioning of privacy policies and the tracking of user consents;
* Handling of subject access requests and erasure requests, and maintaining a data registry.

[https://moodle.com/news/moodle-gdpr-approach-plan/ Find out more about our plan.]

===What can I do now to make my Moodle ready for GDPR?===
We recently released Moodle 3.4.2 and 3.3.5 which include the required core APIs to support two GDPR plugins we have released:

* The [[Policies plugin]] provides a new user sign on process, with ability to define multiple policies (site, privacy, third party), track user consents, and manage updates and versioning of the policies;
* The [[Data privacy plugin]] provides the workflow for users to submit subject access requests and for site administrators and privacy officers to process these requests. The subject access request process currently retrieves the user information from the following core plugins:
**Choice Activity Module
**HTML Block
**User Tours

Hence we recommend you upgrade to either Moodle 3.4.2 or 3.3.5 to access these plugins.

If you are on an older Moodle site, we recommend that you read the section on site policy on the [https://docs.moodle.org/34/en/GDPR_for_administrators GDPR for Moodle administrators guide.]

===Is installing the Moodle plugins enough for GDPR compliance?===

Installing the developed plugins alone will not be enough to meet the GDPR requirements. Correct configuration and implementation of the required processes and procedures is also required.

We at Moodle HQ highly recommend that you also engage your IT and legal departments on what is required for GDPR compliance.

==Any further questions?==

Please post in the [https://moodle.org/mod/forum/view.php?id=7301 Security and privacy forum] on moodle.org.

[[Category:FAQ]]

[[es:GDPR FAQ]]

Category:GDPR

2018-04-16T08:05:36Z

Tsala: index page

An index of pages relating to the General Data Protection Regulation and Moodle.

GDPR

2018-04-16T08:05:07Z

Tsala: content copied from 3.4 wiki

<div class="navtrail">[[Main page]] ► [[GDPR]]</div>
<div class="sideblock right" style="width: 16em;">
<div class="header">[[GDPR]]</div>
<div class="content">
</div>
* [[GDPR for administrators|GDPR for admins]]
* [[Policies plugin]]
* [[Data privacy plugin]]
* [[GDPR FAQ]]
</div>

== Overview ==

GDPR stands for General Data Protection Regulation and refers to the European Union regulation for data protection for all individuals within the European Union. The regulation (Regulation (EU) 2016/679)[[#ref2|2]] becomes enforceable on 25 May 2018 and replaces the data protection directive (officially Directive 95/46/EC)[[#ref3|3]] from 1995.

===Who does it affect?===

Any individual or organisation that stores or processes personal information on an identifiable person from an EU member state (regardless if the processing or storage of information occurs in the EU or not). It also applies if the individual or organisation themselves is located in an EU member state.

===What kind of information comprises personal data in a Moodle site?===

It is all information that can be associated with a natural person. Each user account and all the activity associated with that user account is classified as personal information. This also extends to associated information such as web server log files.

===How is Moodle HQ assisting with GDPR compliance?===

Earlier this year we reached out to the community through our forums and social media to gauge the needs of different organisations on how they would need to comply with GDPR. We received direct input from a number of Moodle institutions, our Moodle Partner network and developers.

We have a plan to meet those needs and are scheduling the development within our Open Source team under the lead of Sander Bangma, our Open Source Development Coordinator.
The plan involves the development of a set of features (made available through plugins and some minimal changes to core) which will assist Moodle sites meeting GDPR compliance needs. The features cover the following areas:

* Onboarding of new users, including; age and location check to identify minors, versioning of privacy policies and the tracking of user consents;
* Handling of subject access requests and erasure requests, and maintaining a data registry.

[https://moodle.com/news/moodle-gdpr-approach-plan/ Find out more about our plan.]

'''Important note:''' Installing the developed plugins alone will not be enough to meet the GDPR requirements. Correct configuration and implementation of the required processes and procedures is also required.

We at Moodle HQ highly recommend that you also engage your IT and legal departments on what is required for GDPR compliance.

====GDPR plugins====

* [[Policies plugin]] - requires Moodle 3.3.5 onwards, and will be included as standard in Moodle 3.5
* [[Data privacy plugin]] - also requires Moodle 3.3.5 onwards, and will be included as standard in Moodle 3.5

==GDPR for Moodle administrators==

If you are a Moodle system administrator and have a Moodle site older than the 3.3.5 or 3.4.2 version, or have a site that is not affected by GDPR but would still like to do as much as possible towards compliance, we recommend you read our [https://docs.moodle.org/34/en/GDPR_for_administrators “GDPR for Moodle Administrators”] guide.

If you are on Moodle 3.4.2 version and above, please refer to our [https://docs.moodle.org/34/en/GDPR_for_administrators_(Moodle_3.4.2%2B) “GDPR for Moodle Administrators (Moodle 3.4.2+)”] guide for information on GDPR functionalities that have been released recently and continuing to develop.

==Moodle & GDPR for plugin developers==

If you are a plugin developer, we recommend the following actions to assist you in preparing your Moodle plugin for GDPR:

* please read through our spec documentation [[:dev:GDPR for plugin developers|GDPR for plugin developers]] in the dev docs and,
* join the discussion [https://moodle.org/mod/forum/discuss.php?d=352538 EU General Data Protection Regulation (GDPR) compliance.]

==Moodle & GDPR for Educators & Learners==

If you are an educator or a learner and would like to find out more about your rights under GDPR and how features in Moodle can assist with protecting your data privacy, we recommend you:

* Check in with your system administrators for information specific to your institution or organisation;
* Read more information on GDPR in the “See also” section below.

==Latest News & Updates==

* [https://moodle.org/mod/forum/discuss.php?d=367479#p1482159 Moodle 3.4.2, 3.3.5, 3.2.8 and 3.1.11 are now available and include the required core APIs to support the GDPR plugins.]
* [https://moodle.org/mod/forum/discuss.php?d=367522#p1482337 Data Privacy and Policy plugins to support GDPR compliance now available]

==See also==

* [[GDPR FAQ]]

References:

* [https://www.eugdpr.org/ Home Page of EU GDPR]
* [http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf GDPR Regulation]
* [http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046 Directive 95/46/EC]
* [https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ Guide to the General Data Protection Regulation (GDPR)] from the UK's Information Commissioner's Office

[[Category:GDPR]]

[[es:GDPR]]
[[fr:RGPD]]

Data Protection Officer role

2018-04-15T21:32:02Z

Tsala: copying changes from 3.4 wiki

A Data Protection Officer can respond to data requests and manage the data registry.

Note: This role requires the [[Data privacy plugin]] to be installed on the site. The Data privacy plugin requires Moodle 3.3.5 or later and will be integrated in the Moodle 3.5 release in May 2018.

==Role set-up==

# Go to 'Define roles' in the Site administration.
# Click the button "Add a new role".
# Set the role archetype to Guest.
# Give the role a name such as 'Data Protection Officer', short name and description.
# For context types where this role may be assigned, tick system.
# Enter dataprivacy in the filter box, then allow the 3 dataprivacy capabilities 'Manage data registry', 'Manage data requests' and 'Make data requests for children'.
# Allow more capabilities as follows: moodle/site:configview, moodle/category:viewhiddencategories, moodle/course:viewhiddencourses, moodle/course:view, moodle/course:viewhiddenactivities.
# Click the button "Create this role".

Next

# Go to 'Privacy settings' in the Site administration.
# Set the Data Protection Officer role mapping to Data Protection Officer.
# Save changes.

==Role assignment==

# Go to 'Assign system roles' in the Site administration.
# Choose the Data Protection Officer role to assign.
# Select the user in the Potential users list, and use the left-facing arrow button to add them to the Existing users list.

[[Category: Privacy]]
[[Category:Roles]]

[[es:Rol de Oficial de Protección de Datos]]

Privacy officer role

2018-04-15T21:31:22Z

Tsala: Tsala moved page Privacy officer role to Data Protection Officer role

#REDIRECT [[Data Protection Officer role]]

Data Protection Officer role

2018-04-15T21:31:22Z

Tsala: Tsala moved page Privacy officer role to Data Protection Officer role

A privacy officer can respond to data requests and manage the data registry.

Note: This role requires the [[Data privacy plugin]] to be installed on the site. The Data privacy plugin requires Moodle 3.3.5 or later and will be integrated in the Moodle 3.5 release in May 2018.

==Role set-up==

# Go to 'Define roles' in the Site administration.
# Click the button "Add a new role"
# Give the role a name such as 'Privacy officer', short name and description.
# For context types where this role may be assigned, tick system.
# Enter dataprivacy in the filter box, then allow the 3 dataprivacy capabilities tool/dataprivacy:managedataregistry, 'Manage data requests' and 'Make data requests for children'.
# Allow more capabilities as follows: moodle/site:configview, moodle/category:viewhiddencategories, moodle/course:viewhiddencourses, moodle/course:view, moodle/course:viewhiddenactivities. (These capabilities are all allowed for the default role of manager, so if the privacy officer also has the manager role, it is not necessary to allow the capabilities for the privacy officer role.)
# Click the button "Create this role".

==Role assignment==

# Go to 'Assign system roles' in the Site administration.
# Choose the Privacy officer role to assign.
# Select the user in the Potential users list, and use the left-facing arrow button to add them to the Existing users list.

[[Category: Privacy]]
[[Category:Roles]]

[[es:Rol de oficial de privacidad]]

File:data registry.png

2018-04-15T21:30:25Z

Tsala:

File:viewing a data request.png

2018-04-15T21:30:14Z

Tsala:

File:Request approved.png

2018-04-15T21:29:58Z

Tsala:

File:requesting data.png

2018-04-15T21:29:40Z

Tsala:

Data privacy

2018-04-15T21:29:22Z

Tsala: copying changes from 3.4 wiki

{{Infobox plugin
|type = Admin tools
|entry = https://moodle.org/plugins/tool_dataprivacy
|tracker = https://tracker.moodle.org/issues/?jql=component%20%3D%20Privacy
|discussion =
|maintainer = Moodle HQ
}}

The Data privacy plugin provides the workflow for users to submit subject access requests and for the site administrator or Data Protection Officer (DPO) to process these requests.

The Data Privacy plugin forms part of Moodle’s privacy feature set and will assist sites to become GDPR compliant. It requires Moodle 3.3.5 or later and will be integrated in the Moodle 3.5 release in May 2018.

==Data Protection Officer role==

After installing the data privacy plugin, the first thing to do is to create a [[Data Protection Officer role]] and assign it.

==Data requests==
[[File:requesting data.png|thumb|Requesting data]]
Any user can send a message to the Data Protection Officer via the 'Contact Data Protection Officer' link on their profile page.

In addition, they can request a copy of all of their personal data or request that their personal data should be deleted as follows:

# Go to your profile page (via the user menu).
# Click the link 'Data requests' then click the 'New request' button.
# Select 'Export all of my personal data' or 'Delete all of my personal data' as appropriate.
# Save changes.
[[File:Request approved.png|thumb|Request approved]]
The DPO will then receive a data request notification.

If the user has requested a copy of all of their personal data, once the request is approved, they will receive a notification to inform them that their personal data may be downloaded from their Data requests page.

If the user has requested that their personal data should be deleted, once the request is approved, they will receive an email to inform them and they will no longer be able to log in to the site.

==Responding to data requests==
[[File:viewing a data request.png|thumb|Viewing a data request]]
The DPO can respond to data requests as follows:

# Go to 'Data requests' in the Site administration (or follow the link in the data request notification).
# In the Actions dropdown, select View, Approve, or Deny as appropriate.

==Data registry==
[[File:data registry.png|thumb|Data registry]]
The DPO can set purposes (why the organisation is processing data) with retention periods and categories for site content in the data registry.

To add purposes and categories:

# Go to 'Data registry' in the Site administration.
# In the Edit menu select Categories.
# On the 'Edit categories' page, click the + button to add a new category.
# Enter a category name and description then click the Save button.
# Go to 'Data registry' again and in the Edit menu select Purposes.
# On the 'Edit purposes' page, click the + button to add a new purpose.
# Enter a purpose name, description and retention period then click the Save button.

To set default categories and purposes:

# In 'Data registry' in the Site administration click the 'Set defaults' button.
# Select a default category and purpose for the site, and for users, course categories, courses, activity modules and blocks as required.
# Save changes.

==Capabilities==

* [[Capabilities/tool/dataprivacy:managedataregistry|Manage data registry]]
* [[Capabilities/tool/dataprivacy:managedatarequests|Manage data requests]]
* [[Capabilities/tool/dataprivacy:makedatarequestsforchildren|Make data requests for children]]

[[Category: Privacy]]

[[es:Plugin de privacidad de datos]]

Data Protection Officer role

2018-04-11T09:36:23Z

Tsala: version edit

File:digital minor message.png

2018-04-11T08:17:31Z

Tsala:

File:age and location verification.png

2018-04-11T08:17:23Z

Tsala:

Privacy

2018-04-11T08:17:11Z

Tsala: Privacy settings - content copied from 3.4 wiki

{{Security}}
==Privacy settings==

===Digital age of consent verification===
{{New features}}[[File:age and location verification.png|thumb|Age and location verification]]
In Moodle 3.3.5 onwards, a 'Digital age of consent verification' may be enabled in 'Privacy settings' in the Site administration. The default digital age of consent, and the age in any country where it differs from the default, may be specified. Country codes are as specified in [https://en.wikipedia.org/wiki/ISO_3166-2 ISO 3166-2].

*, 16
AT, 14
CZ, 13
DE, 14
DK, 13
ES, 13
FI, 15
GB, 13
HU, 14
IE, 13
LT, 16
LU, 16
NL, 16
PL, 13
SE, 13

In the above list the default digital age is 16.

If self-registration AND 'Digital age of consent verification' are both enabled, when a new user clicks the 'Create new account' button, they will be prompted to enter their age and country. If the user's age is lower than the age of consent for their country, they will see a message prompting them to ask their parent/guardian to contact the support contact (as specified in 'Support contact' in the Site administration).

[[File:digital minor message.png|thumb|Digital minor message]]

==Policy settings==

* A site policy may be enabled by entering the URL in 'Policy settings' in the Site administration. The URL can point to any type of file anywhere online that can be accessed without a log in to your Moodle. It is not recommended that a [[Page resource|page resource]] is used as a site policy, since the site header will be repeated in the iframe (see MDL-30486).
* It is recommended that the site policy is on the same domain as Moodle to avoid the problem of Internet Explorer users seeing a blank screen when the site policy is on a different domain.
* The site policy will be displayed in a frame. You can view it via the URL ''<nowiki>yourmoodlesite.org/user/policy.php</nowiki>''.
* If [[Email-based self-registration]] is enabled on the site, a link to the site policy is displayed on the signup page.
* When a site policy URL is set, all users will be required to agree to it when they next log in before accessing the rest of the site.
* A site policy for guests may also be enabled. Guest users will need to agree to it before accessing a course with [[Guest access]] enabled.

(In versions of Moodle prior to 3.3.5, the the Site policy URL and Site policy URL for guests settings were located in 'Site policies'.)

==Enrolment key usage==
If [[Self enrolment]] is used, in ''Settings > Site administration > Plugins > Enrolments > Self enrolment'':

* Enforce enrolment key usage by ticking the 'Require enrolment key' checkbox
* Enforce enrolment key complexity by ticking the 'Use password policy' checkbox
* Disable the [[Enrolment key|enrolment key]] hint leaving the 'Show hint' checkbox unticked

==Hiding user fields==

Increase student privacy by hiding user fields which would normally appear on users' profile pages, and in some cases on the course participants page.

The ''hiddenuserfields'' setting is in ''Administration > Site administration > Users > Permissions > [[User policies]]''.

User fields which may be hidden are:<br />
Description, city/town, country, web page, ICQ number, Skype ID, Yahoo ID, AIM ID, MSN ID, first access, last access, last IP address and my courses.

==See also==

* Using Moodle [http://moodle.org/mod/forum/view.php?id=7301 Security and Privacy forum]
* Using Moodle [https://moodle.org/mod/forum/discuss.php?d=233702 Student Privacy] forum discussion
* [https://docs.moodle.org/dev/GDPR_For_Administrators GDPR for administrators] - GDPR stands for General Data Protection Regulation and refers to the European Union regulation for data protection for all individuals within the European Union

[[de:Datenschutz in Moodle]]
[[es:Aumentando la privacidad en Moodle]]

Talk:Increasing privacy in Moodle

2018-04-11T05:53:57Z

Tsala: Tsala moved page Talk:Increasing privacy in Moodle to Talk:Privacy

#REDIRECT [[Talk:Privacy]]

Talk:Privacy

2018-04-11T05:53:57Z

Tsala: Tsala moved page Talk:Increasing privacy in Moodle to Talk:Privacy

Maybe it would be useful to include some text about the laws/acts for the protection of personal data in English speaking countries (with links).

For example, in the spanish translation for this page, I (German Valero) included links to the official government sites for the protection of personal data for Spain and Mexico:
* En México debe de hacerse lo planteado por el [http://inicio.ifai.org.mx/_catalogs/masterpage/ifai.aspx Instituto Federal de Acceso a la Información y Protección de Datos Personales (IFAI)].
* En España debe de hacerse lo planteado por la [http://www.agpd.es/portalwebAGPD/index-ides-idphp.php Agencia Española de Protección de Datos].

== English speaking countries data protection law/act ==

Please see data protection laws/acts in some English speaking countries:

Australia: http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act
Europe: http://ec.europa.eu/justice/data-protection/index_en.htm
New Zealand: http://www.legislation.govt.nz/act/public/1993/0028/latest/DLM296639.html
USA: http://uk.practicallaw.com/6-502-0467

Increasing privacy in Moodle

2018-04-11T05:53:57Z

Tsala: Tsala moved page Increasing privacy in Moodle to Privacy over redirect

#REDIRECT [[Privacy]]

Privacy

2018-04-11T05:53:57Z

Tsala: Tsala moved page Increasing privacy in Moodle to Privacy over redirect

{{Security}}
Here are some suggestions for site administrators to increase privacy in Moodle:

==Site policy settings==
In ''Settings > Site administration > Security > [[Site policies]]'':

* Force users to login by checking the ''forcelogin'' checkbox
* Keep "Force users to login for profiles" enabled to keep anonymous visitors and search engines away from user profiles

==Enrolment key usage==
If [[Self enrolment]] is used, in ''Settings > Site administration > Plugins > Enrolments > Self enrolment'':

* Enforce enrolment key usage by ticking the 'Require enrolment key' checkbox
* Enforce enrolment key complexity by ticking the 'Use password policy' checkbox
* Disable the [[Enrolment key|enrolment key]] hint leaving the 'Show hint' checkbox unticked

==Hiding user fields==

Increase student privacy by hiding user fields which would normally appear on users' profile pages, and in some cases on the course participants page.

The ''hiddenuserfields'' setting is in ''Administration > Site administration > Users > Permissions > [[User policies]]''.

User fields which may be hidden are:<br />
Description, city/town, country, web page, ICQ number, Skype ID, Yahoo ID, AIM ID, MSN ID, first access, last access, last IP address and my courses.

==See also==

* Using Moodle [http://moodle.org/mod/forum/view.php?id=7301 Security and Privacy forum]
* Using Moodle [https://moodle.org/mod/forum/discuss.php?d=233702 Student Privacy] forum discussion
* [https://docs.moodle.org/dev/GDPR_For_Administrators GDPR for administrators] - GDPR stands for General Data Protection Regulation and refers to the European Union regulation for data protection for all individuals within the European Union

[[de:Datenschutz in Moodle]]
[[es:Aumentando la privacidad en Moodle]]

Data Protection Officer role

2018-04-10T20:14:38Z

Tsala: content copied from 3.4 wiki

A privacy officer can respond to data requests and manage the data registry.

Note: This role requires the [[Data privacy plugin]] to be installed on the site. The Data privacy plugin requires Moodle 3.4.2 or later and will be integrated in the Moodle 3.5 release in May 2018.

==Role set-up==

# Go to 'Define roles' in the Site administration.
# Click the button "Add a new role"
# Give the role a name such as 'Privacy officer', short name and description.
# For context types where this role may be assigned, tick system.
# Enter dataprivacy in the filter box, then allow the 3 dataprivacy capabilities tool/dataprivacy:managedataregistry, 'Manage data requests' and 'Make data requests for children'.
# Allow more capabilities as follows: moodle/site:configview, moodle/category:viewhiddencategories, moodle/course:viewhiddencourses, moodle/course:view, moodle/course:viewhiddenactivities. (These capabilities are all allowed for the default role of manager, so if the privacy officer also has the manager role, it is not necessary to allow the capabilities for the privacy officer role.)
# Click the button "Create this role".

==Role assignment==

# Go to 'Assign system roles' in the Site administration.
# Choose the Privacy officer role to assign.
# Select the user in the Potential users list, and use the left-facing arrow button to add them to the Existing users list.

[[Category: Privacy]]
[[Category:Roles]]

[[es:Rol de oficial de privacidad]]

Capabilities/tool/policy:accept

2018-04-10T20:13:12Z

Tsala: content copied from 3.4 wiki

{{Capabilities}}
* This allows a user to agree to the [[Policies plugin|policies]]
* This capability is allowed by default to authenticated users
* A new role prohibiting this capability can be created and assigned to children who are below the age of digital consent. In this case, a privacy officer or parent will have to agree to policies on their behalf.
* This capability is included in the Policies plugin in Moodle 3.3.5 and will be included as standard in Moodle 3.5.

[[Category:Capabilities|Privacy]]
[[Category:Privacy]]

File:Record of consents.png

2018-04-10T20:11:51Z

Tsala:

File:user agreements.png

2018-04-10T20:11:34Z

Tsala:

File:No permission to agree to policies.png

2018-04-10T20:11:18Z

Tsala:

File:policies modal window.png

2018-04-10T20:11:03Z

Tsala:

File:Agreeing to policies.png

2018-04-10T20:10:45Z

Tsala:

File:policies and agreements.png

2018-04-10T20:10:29Z

Tsala:

Capabilities/tool/dataprivacy:managedatarequests

2018-04-10T20:08:41Z

Tsala: content copied from 3.4 wiki

{{Capabilities}}
* This allows a user to manage data requests.
* This capability is not set for any of the default roles. It may only be applied in the system context i.e. as a system role.
* This capability is included in the [[Data privacy plugin]] in Moodle 3.3.5 and will be included as standard in Moodle 3.5.

[[Category:Capabilities|Privacy]]
[[Category:Privacy]]

Capabilities/tool/dataprivacy:managedataregistry

2018-04-10T20:07:37Z

Tsala: content copied from 3.4 wiki

{{Capabilities}}
* This allows a user to manage a data registry.
* This capability is not set for any of the default roles. It may only be applied in the system context i.e. as a system role.
* This capability is included in the [[Data privacy plugin]] in Moodle 3.3.5 and will be included as standard in Moodle 3.5.

[[Category:Capabilities|Privacy]]
[[Category:Privacy]]

Data privacy

2018-04-10T20:05:50Z

Tsala: content copied from 3.4 wiki

Capabilities/tool/dataprivacy:makedatarequestsforchildren

2018-04-10T20:04:39Z

Tsala: content copied from 3.4 wiki

{{Capabilities}}
* This allows a user to make data requests for minors.
* This capability is not set for any of the default roles. It may only be applied in the system context i.e. as a system role.
* This capability is included in the [[Data privacy plugin]] in Moodle 3.3.5 and will be included as standard in Moodle 3.5.

[[Category:Capabilities|Privacy]]
[[Category:Privacy]]

Capabilities/tool/policy:acceptbehalf

2018-04-10T20:03:24Z

Tsala: content copied from 3.4 wiki

{{Capabilities}}
* This allows a user to agree to policies on someone else's behalf
* This capability is allowed for the default role of manager only
* It may be applied in the system context i.e. as a system role or in the user context, usually as part of a [[Parent role]]
* This capability is included in the [[Policies plugin]] in Moodle 3.3.5 and will be included as standard in Moodle 3.5.

[[Category:Capabilities|Privacy]]
[[Category:Privacy]]

[[Category:Capabilities]]

Category:Privacy

2018-04-10T19:59:25Z

Tsala: index page

An index of pages relating to privacy.

Policies plugin

2018-04-10T19:58:42Z

Tsala: content copied from 3.4 wiki

{{Infobox plugin
|type = Admin tools
|entry = https://moodle.org/plugins/tool_policy
|tracker = https://tracker.moodle.org/issues/?jql=component%20%3D%20Privacy
|discussion = https://moodle.org/mod/forum/view.php?id=7301
|maintainer = Moodle HQ
}}
The Policies plugin provides a new user sign-on process, with ability to define multiple policies (site, privacy, third party), track user consents, and manage updates and versioning of the policies.

The Policies plugin forms part of Moodle’s privacy feature set and will assist sites to become GDPR compliant. It requires Moodle 3.3.5 onwards, and is available from the Moodle plugins directory. The plugin will be integrated in the Moodle 3.5 release in May 2018. Moodle 3.3.5 also includes the option of checking whether a new user is a minor.

==Enabling the policies plugin==

After installing the policies plugin, it may be enabled as follows:

# Go to 'Policy settings' in the Site administration.
# Set the Site policy handler to 'Policies (tool_policy)'.
# Save changes.

Two new pages will then appear in the Site administration - 'Manage policies' and 'User agreements'.

Note that when Policies is set as the site policy handler, the settings 'Site policy' and 'Site policy for guests' are ignored.

==Adding and managing policies==
[[File:policies and agreements.png|thumb|Policies and agreements]]
An admin or any user with the [[Capabilities/tool/policy:managedocs|Manage policies]] capability (by default manager) can access the page 'Manage policies' in the Site administration and:

* Add a new site / privacy / third parties / other policy for all users, authenticated users or guests
* Change the active / inactive status of each policy
* View the number and percentage of users who have agreed to each policy
* Edit a policy and specify whether it is a minor change (not requiring users to reconfirm their consent) or not
* View the current version of each policy and also previous versions
* Change the order in which policies are shown to users

To add a new policy:

# Go to 'Manage policies' in the Site administration.
# Click the button 'New policy'
# Complete the form and save changes.

Note that once created, a policy can be edited, or set to inactive, but if users have agreed to it, it can't be deleted.

==Giving consent to policies==
[[File:Agreeing to policies.png|thumb|Giving consent to policies]]
All users (with the exception of admins) will be required to give their consent to all policies defined either for “Authenticated users” or for “All users” before proceeding further on the site.

If a new policy is added, all users will be required to give their consent when they next log in. Similarly, if an existing policy is edited and is not marked as a minor change, all users will be required to give their consent when they next log in.

If self-registration is enabled on the site, new users will be required to give their consent to all policies before proceeding to the sign-up form. If digital age of consent verification (a new setting in Moodle 3.3.5 onwards) is enabled in '[[Privacy|Privacy settings]]' in the Site administration, when a new user clicks the 'Create new account' button, they will be prompted to enter their age and country. If the user's age is lower than the age of consent for their country, they will see a message prompting them to ask their parent/guardian to contact the support contact (as specified in 'Support contact' in the Site administration).

==Policies for guests==
[[File:policies modal window.png|thumb|Policies for guests modal window]]
If a user logs in as a [[Guest access|guest]], a modal window will be shown at the bottom of the user's browser window with links to all policies defined either for guests or for all users.

==Minors==
[[File:No permission to agree to policies.png|thumb|Minor prevented from proceeding further on the site]]
Users who are younger than the age of digital consent, called 'minors', may be prevented from giving their consent by prohibiting the capability [[Capabilities/tool/policy:accept|Agree to policies]]. They will then be prevented from proceeding further on the site until someone can give consent on their behalf.

===Sites with minors as the majority of users===

To prohibit users from agreeing to policies because they are a minor:

# Go to 'Define roles' in the Site administration.
# Edit the role of authenticated user and set [[Capabilities/tool/policy:accept|Agree to policies]] to prohibit.
# Save changes.

To enable teachers and other users who are not minors to agree to policies:

# Go to 'Define roles' in the Site administration.
# Click the button 'Add a new role'.
# Give the role a name such as 'Able to give consent', short name and description.
# For context types where this role may be assigned, tick system.
# Enter policy in the filter box, then allow the capability Agree to policies.
# Click the button 'Create this role'.
# Go to 'Assign system roles' in the Site administration.
# Choose the 'Able to give consent' role to assign.
# Select teachers and other users in the Potential users list, and use the left-facing arrow button to add them to the Existing users list.

===Sites with only a few minors===

To prohibit users from agreeing to policies because they are a minor:

# Go to 'Define roles' in the Site administration.
# Click the button 'Add a new role'.
# Give the role a name such as 'Digital minor', short name and description.
# For context types where this role may be assigned, tick system.
# Enter policy in the filter box, then prohibit the capability Agree to policies.
# Click the button 'Create this role'.
# Go to 'Assign system roles' in the Site administration.
# Choose the 'Digital minor' role to assign.
# Select minors in the Potential users list, and use the left-facing arrow button to add them to the Existing users list.

==User agreements==
[[File:user agreements.png|thumb|User agreements filtered to show minors]]
An admin or any user with the [[Capabilities/tool/policy:viewacceptances|View user agreements reports]] capability (by default manager) can access the page 'User agreements' in the Site administration and:

* View user consents
* Filter by policy, permission, status or role
* Give consent on behalf of minors
* Download table data

User agreements for a particular policy may also be viewed via the 'Manage policies' page by clicking the link in the Agreements column.

==Giving consent on behalf of other users==

An admin or any user with the capability [[Capabilities/tool/policy:acceptbehalf|Agree to the policies on someone else's behalf]] can give consent on behalf of minors or when a written consent was obtained offline.

===Giving consent on behalf of multiple users===
[[File:Record of consents.png|thumb|Record of consents with remarks]]
Users with capability [[Capabilities/tool/policy:acceptbehalf|Agree to the policies on someone else's behalf]] in the system context, such as managers, can give consent on behalf of multiple users as follows:

# Go to 'User agreements' in the Site administration.
# If necessary, filter by 'Permission: Can not agree'.
# To give consent for multiple policies, tick the box next to selected users' names then click the consent button.
# To give consent for a single policy, click the red cross next to the user's name.

When giving consent on behalf of other users, there is an opportunity to add some remarks. Clicking on the link in the Overall column gives an overview with details of who gave consent and when, together with any remarks.

===Giving consent on behalf of a child===

A parent or guardian may be allowed to give consent on behalf of their child by giving them the capability [[Capabilities/tool/policy:acceptbehalf|Agree to the policies on someone else's behalf]] in the user context. See the [[Parent role]] for details of how to create the role and assign a parent to a student. The parent or guardian will then be able to give consent as follows:

# Go to the child's profile page.
# Click the link 'Policies and agreements'.
# Click the red cross next to the policy name.

==Capabilities==

* [[Capabilities/tool/policy:accept|Agree to policies]] - allowed for authenticated user role
* [[Capabilities/tool/policy:managedocs|Manage policies]] - allowed for default role of manager only
* [[Capabilities/tool/policy:manageprivacy|Manage privacy settings]] - allowed for default role of manager only
* [[Capabilities/tool/policy:viewacceptances|View user agreements reports]] - allowed for default role of manager only
* [[Capabilities/tool/policy:acceptbehalf|Agree to policies on someone else's behalf]] - allowed for default role of manager only

==See also==

* [https://gdprdemo.moodle.net/ Moodle GDPR sandbox demo site] for exploring all the Policies plugin and [[Data privacy plugin]] functionality

[[Category:Privacy]]

[[es:Plugin de políticas]]

Policies

2018-04-10T12:32:25Z

Tsala: redirect

#REDIRECT [[Policies plugin]]

MediaWiki:Sitenotice

2018-02-19T13:43:02Z

Tsala: note and link to latest stable version docs

<p class="note">''Note: You are currently viewing documentation for Moodle 3.3. Up-to-date documentation for the latest stable version of Moodle is probably available here: '''[[:en:{{NAMESPACE}}:{{PAGENAME}}|{{PAGENAME}}]].'''''</p>

MoodleDocs:Contact

2018-02-13T10:58:14Z

Tsala: redirect

#redirect [[MoodleDocs:About]]