While Moodle HQ prepares to make the core of the open source LMS compliant with the European Commission’s soon-to-be-enforced General Data Protection Regulation (GDPR), little attention has been given to the implications for Moodle plugins and third-party services. That is, until Moodle HQ’s Andrew Nicols started a Moodle Forum thread that might serve as a guiding light in the present and future conversation. The thread is authored by Nicols’ whole team.
Even if a plugin does not use or store personal user information, it is still held to the compliance rules laid out by the law, which gives users the right to request information and requires software developers to respond on matters such as:
- Personal data held by the plugin, with each instance of use.
- The ability to download all their data and to request the deletion of anything stored by the service within a reasonable time frame.
- The option to consent to use of personal information, but also to revoke the consent at any time.
In short, even if a plugin does not make any significant use of personal data, it must still be able to respond to user requests. If the user revokes initial consent, the service must be able to report on the user’s consent history.
Plugins failing to comply with GDPR could face varying consequences. European Moodle sites uninstalling the plugin would be the first and least worrisome of them, but the consequences extend to being held liable for causing a user or organization to fail to comply.
Nicols ends with a proposal, which is also a warning: due to the diversity of functions and architecture of the plugins in relation to the core, it is difficult for the Moodle HQ team to ensure GDPR compliance in the plugins. This means developers must take care of it themselves. However, his team proposes a “Privacy API” and a “new privacy subsystem” that will help plugin developers add interfaces where users can manage their data, information and consent requests. He asks Moodlers for feedback and responses, which you can provide in Nicols’ post on the Moodle Forum.