Policies
The policies tool provides a new user sign-on process, with ability to define multiple policies (site, privacy, third party), track user consents, and manage updates and versioning of the policies.
The policies tool forms part of Moodle's privacy feature set assisting sites to become GDPR compliant.
Site policy handler
The Site policy handler in Site administration / Users / Privacy and policy / Policy settings determines how policies and user consents are managed. The default (core) handler enables a site policy URL and a site policy URL for guests to be specified. The policies handler enables site, privacy and other policies to be set. It also enables user consents to be viewed and, if necessary, consent on behalf of minors to be given.
Default (core) handler
When the site policy handler is set to 'Default (core)', a site policy may be set by entering the URL in 'Policy settings'. The URL can point to any type of file anywhere online that can be accessed without a log in to your Moodle site.
- The site policy will be displayed in a frame. You can view it via the URL yourmoodlesite.org/user/policy.php.
- If Email-based self-registration is enabled on the site, a link to the site policy is displayed on the signup page.
- When a site policy URL is set, all users will be required to agree to it when they next log in before accessing the rest of the site.
- A site policy for guests may also be enabled. Guest users will need to agree to it before accessing a course with Guest access enabled.
- It is not recommended that a page resource is used as a site policy, since the site header will be repeated in the iframe (see MDL-30486).
- It is recommended that the site policy is on the same domain as Moodle to avoid the problem of Internet Explorer users seeing a blank screen when the site policy is on a different domain.
Policies (tool_policy) handler
When the site policy handler is set to 'Policies (tool_policy)', two new pages appear in 'Privacy and policies' - 'Manage policies' and 'User agreements'. The remainder of this page describes the policies tool.
Note that when 'Policies (tool_policy)' is set as the site policy handler, the settings 'Site policy' and 'Site policy for guests' are ignored.
Adding and managing policies
An admin or any user with the Manage policies capability (by default manager) can access the page 'Manage policies' in the Site administration and:
- Add a new site / privacy / third parties / other policy for all users, authenticated users or guests
- Change the active / inactive status of each policy
- View the number and percentage of users who have agreed to each policy
- Edit a policy and specify whether it is a minor change (not requiring users to reconfirm their consent) or not
- View the current version of each policy and also previous versions
- Change the order in which policies are shown to users
To add a new policy:
- Go to 'Manage policies' in the Site administration.
- Click the button 'New policy'
- Complete the form and save changes.
Note that once created, a policy can be edited, or set to inactive, but if users have agreed to it, it can't be deleted.
The policy type (site / privacy / third parties) is only displayed at the 'Policies' page linked on the footer and the behaviour is the same for all the policy types.
Giving consent to policies
All users (with the exception of admins) will be required to give their consent to all policies defined either for “Authenticated users” or for “All users” before proceeding further on the site.
If a new policy is added, all users will be required to give their consent when they next log in. Similarly, if an existing policy is edited and is not marked as a minor change, all users will be required to give their consent when they next log in.
If Email-based self-registration is enabled on the site, new users will be required to give their consent to all policies before proceeding to the sign-up form. If digital age of consent verification is enabled in 'Privacy settings' in the Site administration, when a new user clicks the 'Create new account' button, they will be prompted to enter their age and country. If the user's age is lower than the age of consent for their country, they will see a message prompting them to ask their parent/guardian to contact the support contact (as specified in 'Support contact' in the Site administration).
Policies for guests
If a user browses to the site or logs in as a guest, a modal window will be shown at the bottom of the user's browser window with links to all policies defined either for guests or for all users.
Minors
Users who are younger than the age of digital consent, called 'minors', may be prevented from giving their consent by prohibiting the capability Agree to policies. They will then be prevented from proceeding further on the site until someone can give consent on their behalf.
Sites with minors as the majority of users
To prohibit users from agreeing to policies because they are a minor:
- Go to 'Define roles' in the Site administration.
- Edit the role of authenticated user and set Agree to policies to prohibit.
- Save changes.
To enable teachers and other users who are not minors to agree to policies:
- Go to 'Define roles' in the Site administration.
- Click the button 'Add a new role'.
- Give the role a name such as 'Able to give consent', short name and description.
- For context types where this role may be assigned, tick system.
- Enter policy in the filter box, then allow the capability Agree to policies.
- Click the button 'Create this role'.
- Go to 'Assign system roles' in the Site administration.
- Choose the 'Able to give consent' role to assign.
- Select teachers and other users in the Potential users list, and use the left-facing arrow button to add them to the Existing users list.
Sites with only a few minors
To prohibit users from agreeing to policies because they are a minor:
- Go to 'Define roles' in the Site administration.
- Click the button 'Add a new role'.
- Give the role a name such as 'Digital minor', short name and description.
- For context types where this role may be assigned, tick system.
- Enter policy in the filter box, then prohibit the capability Agree to policies.
- Click the button 'Create this role'.
- Go to 'Assign system roles' in the Site administration.
- Choose the 'Digital minor' role to assign.
- Select minors in the Potential users list, and use the left-facing arrow button to add them to the Existing users list.
User agreements
An admin or any user with the View user agreements reports capability (by default manager) can access the page 'User agreements' in the Site administration and:
- View user consents
- Filter by policy, permission, status or role
- Give consent on behalf of minors
- Download table data
User agreements for a particular policy may also be viewed via the 'Manage policies' page by clicking the link in the Agreements column.
Giving consent on behalf of other users
An admin or any user with the capability Agree to the policies on someone else's behalf can give consent on behalf of minors or when a written consent was obtained offline.
Giving consent on behalf of multiple users
Users with capability Agree to the policies on someone else's behalf in the system context, such as managers, can give consent on behalf of multiple users as follows:
- Go to 'User agreements' in the Site administration.
- If necessary, filter by 'Permission: Can not agree'.
- To give consent for multiple policies, tick the box next to selected users' names then click the consent button.
- To give consent for a single policy, click the red cross next to the user's name.
When giving consent on behalf of other users, there is an opportunity to add some remarks. Clicking on the link in the Overall column gives an overview with details of who gave consent and when, together with any remarks.
It's not yet possible to give consent in bulk, however a workaround would be to install and use a browser extension for checking all checkboxes on the page.
Giving consent on behalf of a child
A parent or guardian may be allowed to give consent on behalf of their child by giving them the capability Agree to the policies on someone else's behalf in the user context. See the Parent role for details of how to create the role and assign a parent to a student. The parent or guardian will then be able to give consent as follows:
- Go to the child's profile page.
- Click the link 'Policies and agreements'.
- Click the red cross next to the policy name.
Capabilities
- Agree to policies - allowed for authenticated user role
- Manage policies - allowed for default role of manager only
- View user agreements reports - allowed for default role of manager only
- Agree to policies on someone else's behalf - allowed for default role of manager only