In May 2018, every technology serving European customers that uses their data to some extent will have to start complying with the European Union’s General Data Protection Regulation (GDPR), sanctioned last year. Currently, 80% of affected companies are lagging behind in preparations, according to Symantec as quoted by cio.com.
As Moodle CEO Martin Dougiamas stated, work is underway to make sure Moodle-based companies are fully compliant by the time GDPR is actively enforced. Some of the issues Moodle has to figure out how to deliver include the user’s right to export or transfer personal data, withdrawal of consent to store personal data, and the right to be forgotten.
Data Protection Moodle doc and new site policy
On August 22nd, Moodle HQ’s Damyon Wiese shared an update on the compliance process. The focus of the efforts can be tracked in detail on a new Moodle documentation page: “GDPR For Administrators.” This page features a 12-question checklist about Moodle site specifics, including:
- Is your site used by minors?
- Do you use your users’ personal information for marketing purposes?
- Do you share collected data with third parties?
- Does your organization have more than 250 employees?
The page also features a sample site policy updated to meet GDPR’s requirements. Moodle makes it clear that no part of the documentation constitutes legal advice and that Moodle will not be held liable for organizations’ failure to comply.
New documentation and list of changes as Issues in the Moodle Tracker
For more technical details, Wiese also revealed the existence of two issues at tracker.moodle.org. They are currently open for the community to provide feedback about the best ways administrators can stay on top of and implement the changes that come with GDPR.
- Issue MDL-59286: Collection of changes in Moodle that will assist in GDPR compliance
- Issue MDL-59617: Create documentation for GDPR compliance for Moodle Administrators
Anonymized data can be used for analytics and research with consent and limitations
Finally, important guidance was given in response to questions initially raised by Elizabeth Dalton about the ability and process needed to use anonymous user information on behavior and general characteristics, such as demographics. The points were listed by Ralf Hilgenstock, admin Moodler and Berliner.
- People should grant permission to use data, even if they are anonymized
- People can withdraw their permission at any time
- Organizations should favor minimal data use and prompt deletion once it’s done being used
- There is a subset of “sensible data” that may not be permissible to collect and use in any circumstance
As the discussion points out, the use of learning analytics is still in the early stages across European countries. Ongoing use, real-life examples, and cultural perceptions about right and wrong uses of student data will shape the responses by organizations and authorities.
GDPR will begin to take effect in May 2018, with a 2-year trial period. Visit the official site of the European Data Protection Supervisor for more information.