Last year, the European Union Parliament agreed on the text of the General Data Protection Regulation. The GDPR updates and harmonizes existing legal guidelines for the region, touching on various aspects of privacy and data empowerment for European citizens. Among other elements, it covers business practices involving “data export” outside the region by companies who have personal information.
Moodle Founder and CEO, Martin Dougiamas, recently stated his support for the updated laws, underlying his convictions in favor of privacy for all Moodle users, not only the Europeans. He also highlights the possible complexities that might arise as users are allowed to gain further control of their information online, both the presence they create and the one that can be used to identify them.
A small example of one of such complexities is given by Dougiamas himself. With greater control over their posts, he says,
«a person removing all their forum posts from a discussion will completely disrupt the learning environment for everyone else.»
More generally, issues Moodle will have to deal with in the future include:
- Withdrawal of consent to store personal data by a system
- Right to know the extent of personal data stored by a system
- Right to export or transfer personal data
- Right to be forgotten
- Proof of compliance
A particularly arduous point involves the use of data for the purposes of feedback and analytics. Moodle HQ Analytics leader Liz Dalton asks:
«[D]o the rules distinguish between personally identifying data and de-identified data for withdrawing consent or right to be forgotten? Would it be sufficient to de-identify all records of an individual?»
To which there are no conclusive answers to date.
As the development agenda for Moodle 3.4 begins evolving, the upcoming conversations will be crucial to define a policy for GDPR compliance and general privacy and security in Moodle. These issues will likely take center stage in the upcoming MoodleMoot Germany (June 21st-23rd) and MoodleMoot France (June 27th-28th).
The GDPR will come into effect May 2018. Read more about it here.
This Moodle Governance related post is made possible by: eThink Education, a Certified Moodle Partner that provides a fully-managed Moodle experience including implementation, integration, cloud-hosting, and management services. To learn more about eThink, click here.