Moodle Compliance with GDPR
Dan Hughes from CoSector - University of London reviews Moodle's organisational support in the run up to the GDPR deadline
On 21 December, Moodle published its approach and plan for supporting organisations with becoming compliant with the General Data Protection Regulation (GDPR), the new EU legislation coming into force on 25 May 2018.
More general information on GDPR can be found in our previous blog
What Moodle says…
Moodle took the time in mid-2017 to collate feedback from the Moodle community about organisations’ needs around GDPR compliance. In addition to this, it consulted a lawyer familiar with EU data protection legislation to formulate a plan.
Moodle set out a number of features in the form of plugins to go into development, covering:
· On-boarding of new users
· Privacy Statements
· Tracking of consent
· Handling of subject access requests
They have split the functionality into two parts: the first covers how consent is obtained when data is acquired (essentially the top three points above) and the second covers compliance with subject access requests (SARs). The latter follows a trend in recent years towards individuals being able to request any and all data held about them, as well as exercising the right to be forgotten, as is frequently seen in requests to sites like Google and social media applications.
Plugin Features for GDPR compliance support
On-boarding and Processing of Users
· Displaying all required privacy statements
· Listing and requesting consent for all 3rd-parties who may receive user data
· Establishing a process for consenting minors
· Capturing and recording each specific consent given by a user
Processes to comply with subject access requests (SARs), for a particular user, including:
· A request to retrieve all user data on Moodle
· A request to erase all identifiable user data on Moodle
· A request to modify user data
Timeline for plugin release…
The plugins will become core code in Moodle version 3.5, due in late 2018, but are scheduled for release in March 2018 to be used with versions 3.3 and 3.4. Users on versions below 3.3 will not be able to use these particular plugins; however, Moodle is reviewing other solutions for users of 3.2 and below.
Will these plugins make me GDPR compliant?
The answer is absolutely a big ‘No!’ Moodle is also very clear about this, saying:
“Installing the plugins alone is not going to be enough to meet the GDPR requirements. Correct configuration and implementation of the required processes and procedures is also required and you should engage with your IT and legal department on what is required” – Moodle Blog
So no, the plugins are not a magic bullet for meeting all of GDPR, and in fact if you are not on a version of Moodle that will support the plugins, there is no need to panic. You can comply fully with GDPR by ensuring your business processes and interactions with users are up to scratch. We can then support you with compliance in Moodle with or without the plugins.
The Moodle plugin tools will be helpful in making the process easier and automated but they are not a pre-requisite for compliance.
How Serious is GDPR in terms of Moodle Data?
For most of our customers, the data that is hosted by us does not fall into the high value/risk categories, which are mainly considered to be the medical and financial records of individuals. We do not process any data of that sort for customers.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier such as name, identification number, location data or online identifier.
Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
The more serious application of GDPR is towards ‘Sensitive Personal Data’ (the GDPR's ‘special categories of personal data’), including racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
In short, Moodle as a platform, compared to other organisational databases, is not where GDPR is strongly aimed. GDPR compliance around VLEs in general should not be seen as an excessive task, or as something that is ever likely to pose a threat of millions of pounds in fines should there be a breach.
Where to start?
Data that ends up in Moodle usually originates from another source, such as the student records system (SRS) of an academic institution or some other form of CRM at an organisation operating Moodle. CoSector, University of London is a data processor, not a data controller, and the processing of customer data is undertaken under customer instruction. We still have obligations in how we process that data, but at the point of processing by us the data should already be compliant with GDPR.
This means that your organisational processes for adding user data to a CRM or SRS need to include all the safeguards set out in the GDPR legislation.
Ultimately it’s our recommendation that you have a suitable member of staff or a team that can ensure you are GDPR compliant or have a consultancy review your business processes to give you actions to implement in your organisation.
Our provision to customers (and authorities) as a data processor
To support our customers and meet our GDPR obligations, we will:
1. Keep a register of our data processing activities, which will be made available to supervisory authorities on request
2. Ensure we can respond to a request for data on a specific individual or individuals within 30 days (reduced from the Data Protection Act’s current time of 40 days)
3. Provide the name and contact details of the processor, the controller(s) we work for and their data protection officer
4. Keep records that can specify the categories of processing carried out
5. Record transfers of personal data to a third country and document the suitable safeguards. Any third party we use for data processing will have the same, if not better, standards than our own; for example, data stored in cloud services such as AWS or MS Azure.
6. Maintain a general description of our technical and organisational security measures.
7. As a service provider, if we suspect that you as a customer and data controller are instructing us to do something that we believe infringes on GDPR, we will notify you.
Document: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)