Now that May 25, 2018 has come and gone, the European Union’s General Data Protection Regulation, better known as GDPR, has come into effect. Luckily, Totara 11 and Moodle 3.5 both came out ahead of that date and provide technical support for the GDPR requirements. The GDPR features are also available in the latest 3.3 and 3.4 releases as plugins.
The primary GDPR changes in Moodle 3.5 and Totara 11 revolve around supporting the right to be informed about how your data will be used, access to your data, and the ability to request that your data be erased. The details differ a bit between Totara and Moodle, but in general they have both added new and more flexible ways to add privacy/site agreement statements that users must review and acknowledge, the ability for users to request a copy of their data, and a process for users to request their accounts be deleted (along with all data).
Moodle added a new section to the Site administration area called Privacy and policies to contain most of this functionality. From here you can set a wide range of options, such as whether you want to do age verification prior to account creation, create policies (site, privacy, third party and “other” are your choices of types), set different policies for authenticated users versus guests and review who has or hasn’t agreed to your policies.
Your end users also get some additions to their profile pages. Under Privacy and policies, Moodle end users will be able to contact the Data Protection Officer (DPO) to request a copy of their data or to request that their account/data be deleted. They can also review the status of data requests, see all policies and agreements that are currently active, and check whether they accepted each policy or not.
The features in Totara are similar but are located in slightly different spots. Most of the GDPR-related functions are either under the Users menu (a new option “User data management”) or in the Security menu under “Site Policies.”
As a reminder – simply upgrading or installing plugins to make your Moodle or Totara site technically capable of being GDPR compliant isn’t enough. GDPR compliance is more about a privacy/user-first shift in policy and procedure. This requires reviewing all aspects of your process, from how users get into your site in the first place, to what you do with the data you collect, how your site is secured, and how you disclose these measures and data to users.
*Current clients, please contact support for more details specific to your installation or to schedule an upgrade.