If you have users on your site who users who are residents of Europe, then there are new GDPR requirements that are legally binding on your organisation. They relate to enforcing more rigorous processes for your users data privacy and your policies. These processes can be seen as improving our practices, and giving people more control over their personal data.
Two plugins are being added to Moodle to allow administrators to add a site policy that must be agreed to, and to allow users to see their personal data, and request it be removed if required (requests can be accepted or denied). This is an overview of how you can use Moodle to assist with complying with GDPR laws.
This plugin will allow users to request to have their personal data removed and/or request a copy of their personal data.
You can create a role for a Privacy Officer (PO) in your site. Moodle originally referred to this role as a Data Protection Officer (DPO). PO is probably more appropriate.
A Privacy Officer can respond to data requests and see requests made, and requests denied, approved or awaiting approval and manage a Data Registry. If there is no-one with this role, the Administrator can respond to data requests and manage the Data Registry. There are permissions required for the Privacy Officer role.
If a user requests a copy of their personal data, the PO can accept the request, and personal data that is held by Moodle can be downloaded in .json format.
If a user requests that their personal data is deleted, the request can be accepted or denied. NOTE: approving a request to remove personal data will delete the user, and the user can no longer use the site.
This plugin will handle agreements for users of your site and privacy procedures – you need a web page with a clear and easy to read policy with information about users’ rights, how and why personal data is held, etc. An example Moodle Policy page is at https://moodlecloud.com/app/privacy .
Age of consent
On sites with self-registration allowed, you can ask users to verify their age before displaying the sign-up page. This helps protect your site from minors signing up without parental/guardian consent. An email address is provided to minors for further assistance.
- Once user has passed the age check, they will see a link to the Policy Agreement, and have to acknowledge that they ‘understand and agree’ before logging in as usual.
- Existing users – once you set up the Policies page, when they next log in, existing users will see the new Policy page, and have to agree before logging in.
- You can set the age of consent for different countries. Default is 16. For sites used in other countries, the country codes to use can be found at Wikipedia.
- Once you have set the URL to a site policy, you can see it at <your site name>/user/policy.php
So how can I set this up in Moodle?
If you have the plugins in your site, in the Administration area, under Users – the TVC administrator will see a new area called Privacy and policies.
For further information, see Moodle documentation.