The Complete Moodle User Guide
Moodle GDPR Compliance and Other Top Features of Moodle
Chapter 2 of the Complete Moodle User Guide will help you to make the most of your Moodle LMS by teaching you how to utilize Moodle’s top features.
We’ve broken this guide into three sections that cover the most important features of Moodle to help organizations stay in compliance with GDPR laws, no matter where in the world they operate.
We also take you through how to set up competency frameworks so that your staff are trained to do their jobs better, attain and manage certifications, meet industry regulations and keep a strong competitive advantage.
The Completion Tracking and Restricted Access section provides details on how to completely manage your courses by setting certain conditions. Throughout the guide, we point you to additional resources and tools that can help you get even more benefits from your Moodle learning management system.
GDPR and Moodle
GDPR Compliance and LMS Platforms
Does your Moodle system comply with GDPR? The European Union’s General Data Protection Regulation (GDPR) began to be enforced on May 25, 2018, and the new laws force virtually all websites and online platforms in the world to put control of data firmly back into the users’ hands. LMS platforms and eLearning systems are able to process, analyze and report on data submitted by administrators and site users. The updated GDPR regulations hold these systems accountable to the changes in data protection legislation.
What is Personal Data?
It is all information that can be associated with a natural person. Each user account and all the activity associated with that user account is classified as personal data/information. This also extends to associated information such as web server log files.
Who Does GDPR Affect?
Think the GDPR doesn’t apply to you because your company is not based in the EU? Think again! GDPR compliance laws affect not only all organizations located within European Union borders but also any company, business or group located elsewhere in the world that collects, processes and analyzes the personal data of EU subjects, regardless of the location of its headquarters. For example, a company selling online courses internationally will be held accountable to the GDPR if anyone in the EU purchases and studies its courses.
Non-Compliance = Fines!
These laws are not to be taken lightly. Depending on the severity of non-compliance, organizations can be fined up to 20 million euros or 4% of their annual global revenue, whichever is higher. Ouch!
Moodle 3.5 focuses on GDPR compliance, enhanced usability and accessibility. The Moodle HQ team has been working hard to support GDPR compliance for all Moodle sites prior to May 25, 2018 and continues to enhance capabilities. A new set of features has been developed to help Moodle sites meet GDPR compliance needs. These features mainly cover:
- Onboarding of new users, including an age and location check to identify minors, versioning of privacy policies and tracking of user consents.
- Handling of subject access requests and erasure requests and maintaining a data registry.
Two plugins will help organizations and IT administrators comply with key sections of GDPR including:
- Data privacy (tool_dataprivacy). This adds a “request workflow” to the Moodle site to ensure users can enforce their rights to request what personal data is hosted by the site and how it has been used in the past. The current version of the plugin retrieves information from selected Moodle activities including Choice, HTML Block and User Tours.
- Policies (tool_policy). This helps administrators create policies around everything in the site including privacy, intellectual property and late assignments. In compliance with the regulation, it keeps a history of policy changes as well as user consent given to each one. It forces users to accept the policies prior to using the Moodle site.
Right to Erasure
The GDPR introduces the right for individuals to have their personal data erased. The ‘right to erasure’ is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing. Companies have one month to respond to a request.
Upgrading Is Not Enough
If you are using Moodle and have any of your servers or users in the EU, then just upgrading to a recent version isn’t enough. New tools in Moodle 3.5 make things easier, but you are still responsible for ensuring that your organization is GDPR-compliant. Remember, simply having a GDPR-ready LMS doesn’t automatically make your business compliant; a number of processes and systems must also be in place.
GDPR for Moodle Administrators
If you are a Moodle system administrator and have a Moodle site older than version 3.3.6 or 3.4.3, or have a site that is not affected by GDPR but would still like to do as much as possible towards compliance, we recommend that you read the GDPR for Moodle Administrators guide.
Moodle & GDPR for Plugin Developers
If you are a plugin developer, we recommend the following actions to assist you in preparing your Moodle for GDPR:
- Read through the GDPR for Plugin Developers documentation in the dev docs.
- Check the Moodle forum site for discussions about the GDPR.
Moodle & GDPR for Educators & Learners
If you are an educator or a learner and would like to find out more about your rights under GDPR and how features in Moodle can assist with protecting your data privacy, we recommend that you check in with your system administrators for information specific to your institution or organization.