Setting up data privacy
Overview
Moodle sites can contain a variety of sensitive personal data and personally identifying information (PII). This information is often protected by regulatory frameworks in different jurisdictions. As such, privacy protection and policy control tools are a critical feature of Moodle.
However, software tools cannot provide compliance with the laws without configuration to match institutional policies. This page overviews the process of preparing a site to be compliant with data privacy regulations.
Preparation
Policies
Audit the site to identify which areas require policies for different types of data processing, including:
- Cookie policy
- General privacy policy
- Assessment submissions and results
- Communication between participants and the institution
- Collaboration, e.g. forum discussions
- Instruction
- General administration
- 3rd party integrations like Adobe Connect / Bigbluebutton
You may also have policies related to other aspects of your site, e.g. an Academic Honesty policy.
Draft the required policies and have them reviewed and signed off by your legal team
For each one, decide if all users, logged in users or guests should be accepting them.
Categories
Document the different categories of data that you have on the site. These categories will be used to organize data exports and reports. Examples might include:
- Administrative: Civil status, identity, identification data, images …
- Personal life (lifestyle, family situation, etc.)
- Economic and financial information (income, financial situation, tax situation, etc.)
- Connection data (IP address, logs, etc.)
- Educational Data (Assessed Coursework, exam scripts etc)
- Records of Education Attainment (Results of exams, assessments, qualifications awarded etc)
- Location data (travel, GPS data, GSM, etc.)
Purposes
Document the different purposes behind data collection and processing. The purpose provides the legal reason for storing and processing the information and the retention period for each type of data. Different types of data may need to be stored for different lengths of time. For example, student submissions to an assessment may need to be retained indefinitely to be able to provide evidence of student accomplishments, whereas general coursework such as forum posts might only be retained until graduation + 12 months.
A default purpose and retention period may be set for data stored by the site, as well as data stored or processed by course categories, courses, activity modules and blocks.
Data Protection Officer
Organizations that are involved in regular and systematic monitoring of data on a large scale, or process sensitive personal data, are obliged to employ a Data Protection Officer. The DPO is required to keep straight internal records, to ensure the organization complies with privacy laws, and to report any data breach to the data protection authorities.
Record the name, email and contact details of your Data Protection Officer.
Specific fields and settings
Once the relevant data has been gathered, configure the Moodle site to implement the privacy policies.
Configure digital age of consent
The digital age of consent is the age at which a data subject can legally accept data privacy agreements and policies. The digital age of consent varies in different countries throughout the EU, typically ranging from 13 to 16 years of age. The digital age of consent in the USA is 13. This feature is enabled and configured on the Privacy Settings page.
Enable Data Privacy Officer
Configuring this feature will provide a link on each user's profile page and on the site's privacy policy page. The link leads to a form in which the user can make a data request to the Privacy Officer. This feature is enabled on the Privacy Settings page.
A custom role can be created to allow the Data Privacy Officer to respond to requests without granting full administrative capabilities. It is also possible to map an existing role to enable data privacy officer capabilities. This role mapping is configured on the Privacy Settings page. At least one role with the capability tool/dataprivacy:managedatarequests must exist for the role mapping subform to display. (If there is nobody on the site with the role of Data Protection Officer i.e. nobody with the capability to manage data requests, then a site admin can respond to data requests and manage the data registry.)
Enable site policy handler
To enable the new features for managing and versioning of policies, the site policy handler needs to be set to “Policies (tool_policy)”. This feature is enabled and configured on the Policy Settings page.
Set up data registry
Data categories and purposes must be configured in the data registry to enable data requests (exports and deletions) as well as retention periods. These are configured on the Data registry page.
Check site plugins for compliance
All core plugins in Moodle 3.5 and up are compliant with GDPR laws. Ensure that all third-party plugins on your site are compliant by checking the Plugin registry page. Contact the maintainer of any third-party plugins that are not yet compliant.
Create site policies
Create one policy document for each major policy your users must agree to. These are created and managed on the Manage policies page. When a user logs in for the first time after a policy is configured or changed, the user will be shown each policy in full and then an agreement page with a summary of each policy.
See also
- GDPR - GDPR stands for General Data Protection Regulation and refers to the European Union regulation for data protection for all individuals within the European Union
- Student Privacy forum discussion
- Security and Privacy forum discussion