Manage data requests
As of version 3.5 (and via plugin for 3.4 and 3.3), Moodle provides a way of handling requests from data subjects (called Subject Access Requests in GDPR). In Moodle these are referred to as Data Requests. These may be initiated by the user themselves or by the administrator. The Privacy Officer will then receive a data request notification.
Clicking on New request as an Administrator uses the same form as the user has access to, but enables the administrator to specify the relevant user and details to submit a request on their behalf.
The admin can select one user to make the request for. There is currently no way to make a request for multiple users or a cohort of users.
This specifies which type of request the user is making. When using this form two types of request can be made:
- Export all of my personal data
- Delete all of my personal data
This field enables data subjects to contextualise their reason for the request. It is not required, however it is especially helpful to add a comment when an admin is making the request, to rcplain why they are doing it rather than the user (e.g. the request came in via email).
Responding to data requests
The Privacy Officer can respond to data requests as follows:
- Go to 'Data requests' in the Site administration (or follow the link in the data request notification).
- In the Actions dropdown, select View, Approve, or Deny as appropriate.
If the user has requested a copy of all of their personal data, once the request is approved, they will receive a notification to inform them that their personal data may be downloaded from their Data requests page.
If the user has requested that their personal data should be deleted, once the request is approved, they will receive an email to inform them and they will no longer be able to log in to the site.