What is GDPR?
GDPR stands for General Data Protection Regulation and refers to the European Union regulation for data protection for all individuals within the European Union.
GDPR affects any individual or organization that stores or processes personal information on an identifiable person from an EU member state (regardless if the processing or storage of information occurs in the EU or not). It also applies if the individual or organization themselves is located in an EU member state.
What is personal data?
Personal data is anything that can be associated with an individual person. A user account and activity within that user account is personal data.
GDPR & Moodle
Moodle HQ leveraged the community and asked for feedback when first developing GDPR features for the LMS. Based upon that, plugins were built and eventually became part of core Moodle. However that isn’t enough – you still need to configure and implement these processes. We do suggest that you consult with your Legal and IT departments before setting anything up.
If you just do not know where to start, some guidance for administrators was put together by Moodle for reference.
Components in Moodle
Policies
The policies tool allows an administrator to create a site policy, a privacy policy, and/or a third-party policy which will show to a user upon login. The user must consent to these policies, and that action is tracked in Moodle.
siteurl/admin/settings.php?section=policysettings
siteurl/admin/tool/policy/managedocs.php
Privacy
Data Privacy functionality provides a workflow for a user to request his/ her data from the site. Please refer to the information above on what types of data is retained for a user. Moodle users have access to make this request through the profile – there is a “Data request” link there. The user can request an export of personal data or for their data to be deleted. Once this request is made, Moodle sends a notification to the site’s privacy officer.
siteurl/admin/settings.php?section=privacysettings
siteurl/admin/tool/dataprivacy/datarequests.php
siteurl/admin/tool/dataprivacy/datadeletion.php
Privacy Officer Role
Ideally, a Privacy Officer has been defined by the organization already. This person not only has an appropriate role on the Moodle site (with correlating permissions for managing GDPR data requests, etc) but has a conception of how long the site’s retention period is, what policies are in place on the site, etc. The Privacy Officer is required to respond to any requests for data that are made, however, actions can include both approving the request and denying it. You can also allow automatic downloads of data, rather than have these requests go through the Privacy Officer, but a lot of organizations with multiple systems and centralized request processes choose to prevent users from downloading their own data and they instead enable the privacy officer to download it for them.
Moodle provides a list of the permissions the Privacy Officer should have, so if the organization is designating someone to this role who has no other roles on the site you can create a new role and allow these permissions. You can also have a Site Administrator (or similar role) allocated as the Privacy Officer – if you go this route, just ensure all the correct permissions are allowed for the role that user has.
Example/Foundation for creating your own policy: https://moodle.com/privacy-notice/