In light of the recent “Umbrella Agreement” between the United States and the European Union on data protection, which sets out processes and safeguards for the sharing of information and cooperation between the relevant agencies, it is wise for IT staff to take a moment to consider the implications and review their Moodle security guidelines, especially if their organizations serve students across international markets.
In the age of social media and increasing awareness of data rights, many have seen this agreement coming for a while. The European Union was already having trouble supervising US-based companies, which only had to self-certify their compliance, and then came the Snowden disclosures. It is safe to assume the European Commission will continue to evolve its directives, possibly pushing for stronger enforcement capacities. Privacy is a fundamental right under the European Convention on Human Rights.
According to the DLA Piper Global Data Protection Handbook, Europe and North America have some of the most demanding data protection laws in the world. The US and Canada have national, state- or province-level (in most cases) and sector-specific laws, with the Federal Trade Commission adding a further enforcement layer in the US. East of the Atlantic, a European Data Protection Directive gives guidelines for national Data Protection Authorities to implement. At this time it is unclear how the withdrawal of the United Kingdom from the EU will affect this state of affairs, particularly with respect to the upcoming General Data Protection Regulation, which becomes enforceable on 25 May 2018.
Data security and transparency in Moodle
LMS and Moodle operators with a global presence should prioritize EU and US regulations, since the rest of the world usually draws on them when developing its own. Nevertheless, they should not dismiss laws in other countries, or differences between states, as these are not necessarily covered in full by the more stringent regimes. In a series of commentaries, HowToMoodle discusses the duties of learning service providers to their users regarding personal data, based on current UK regulations. Any provider, not only high-profile ones, must have procedures in place for users who request a copy of their data, and for explaining how that data is used.
US businesses can join the self-certification process laid out by Privacy Shield, an initiative of the International Trade Administration at the Department of Commerce that streamlines compliance with EU data protection requirements for transatlantic transfers.
The Moodle documentation offers directives for IT staff and recommendations for promoting security among students. Some of the most basic ones are: serve the site over HTTPS with a valid TLS certificate; make student profiles visible to logged-in users only, or disable individual profile fields or profiles altogether; and make sure passwords are stored salted and hashed (sites on Moodle 2.5 or later hash passwords with bcrypt automatically, while older releases rely on a configured salt). Moodle also produces a Security Overview report for site administrators (Site administration > Reports > Security overview) that flags weak settings such as an insecure data directory or missing HTTPS; reviewing it is a simple procedure that promotes transparency and oversight.
Making sure your Moodle site is up to date, preferably on the latest stable release, is always a good security measure. While each Moodle site is free to define its own policies, the Moodle documentation offers policy recommendations.
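The settings just listed map onto concrete entries in Moodle's config.php. The fragment below is an added example written for this page, not code from the Moodle project or from the original post; the hostname is a placeholder, and the weak value of each setting is shown commented out beside the hardened one. Values set in config.php are forced and show as read-only in the admin UI, which is useful when several administrators share a site.

```php
<?php
// Added example: hardening fragment for Moodle's config.php.
// Place these lines before the final require_once(__DIR__ . '/lib/setup.php').
// Hostname below is a placeholder; replace it with the real site address.

// 1. Serve everything over HTTPS. A plain http:// wwwroot sends the session
//    cookie and login credentials in clear text.
// $CFG->wwwroot = 'http://moodle.example.edu';      // weak
$CFG->wwwroot = 'https://moodle.example.edu';        // hardened
$CFG->cookiesecure   = true;   // session cookie only sent over TLS
$CFG->cookiehttponly = true;   // session cookie not readable by page scripts
// Only if TLS is terminated on a reverse proxy in front of the PHP host:
// $CFG->sslproxy = true;

// 2. Keep profiles away from anonymous visitors.
// $CFG->forceloginforprofiles = 0;   // weak: guests can browse user profiles
$CFG->forceloginforprofiles = 1;      // hardened: login required to view profiles
$CFG->protectusernames = 1;            // "forgot password" does not reveal valid usernames
// Stricter option: require login for every page of the site.
// $CFG->forcelogin = 1;

// 3. Hide profile fields that other users do not need to see.
$CFG->hiddenuserfields = 'email,city,country,lastaccess,lastip,mycourses,groups';

// 4. Password policy. Moodle 2.5+ hashes passwords with bcrypt, so no manual
//    salt is needed; the legacy salt is only relevant to pre-2.5 sites.
$CFG->passwordpolicy = 1;
$CFG->minpasswordlength = 12;
$CFG->minpassworddigits = 1;
$CFG->minpasswordlower = 1;
$CFG->minpasswordupper = 1;
$CFG->minpasswordnonalphanum = 1;
// Legacy (pre-2.5) sites only:
// $CFG->passwordsaltmain = '<long random string, never changed once set>';
```

After applying the fragment, re-run Site administration > Reports > Security overview: the HTTPS, profile-visibility and password-policy checks it reports on should move from warning to OK, which is a quick way to confirm the settings took effect.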
Privacy rights will be an ongoing discussion. As Moodle deepens its work on in-house analytics, further personal data issues are expected to appear, along with new possibilities and value-added services built on anonymized data sets. With fears of upcoming threats to student privacy, Moodle HQ is poised to play a role, since small, scattered installations of the LMS may not have the resources to protect data properly, let alone to fight malicious exploitation of vulnerabilities or government overreach, as some consumer software vendors have done recently.
A byproduct of the increasingly complex regulatory landscape is a legal-competency advantage: learning organizations that invest in legal departments, perhaps at the expense of learning design or innovation, get a head start in global market growth. There is also the age-old concern about the varied negative impacts of regulation.
As the age of the digital native learner sets in, the field of action for privacy and security increasingly relies on education efforts. This means that in the near future an LMS-based learning provider may be held liable for breaches attributed to poor IT security education and awareness.
Share your views on privacy with us!