Moodle Security Under GDPR

In late May of this year, the EU will enact the General Data Protection Regulation (GDPR). This wide-ranging law is designed to unify data protection rights for individuals in the EU and will affect any Australian company doing business in the EU.

Australia’s Privacy Act already complies with many of the data security requirements of the GDPR. Both laws require companies to be transparent in the way they handle the private data of individuals and to inform individuals of any data breaches.

Personal data includes political opinions, ethnicity, political beliefs, biometric identification information, health information and sexual orientation.

According to Australia’s Office of the Information Commissioner, Australian businesses that may be affected by these new regulations include:

  • Australian business with an office in the EU
  • Australian business whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in euros
  • Australian business whose website mentions customers or users in the EU
  • Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.

The wide-ranging law applies to data controllers and data processors, and that means anyone collecting and processing data on an LMS like Moodle. Under the EU law, data controllers will have to appoint data protection officers to monitor and report on compliance, and undergo a data protection impact assessment prior to data processing.

Under the GDPR, consent must be freely given, specific, informed and unambiguous. So there will be plenty of work for lawyers to draw up these consent documents.

Moodle has been actively working to comply with Europe’s new General Data Protection Regulation (GDPR) by developing a new set of features which cover the following areas: onboarding of new users, privacy statements, the tracking of consent and handling of subject access requests.

The new data security features will be available as plugins in March of this year for Moodle 3.3 and 3.4 users. The release of Moodle 3.5 will include these data compliance features. The recommendation from Moodle developers is that you upgrade to 3.3 or above in February.

Plugin installation of the new data compliance features should be done in conjunction with IT and legal departments to make sure you meet the new GDPR regulations.

Contact us to check if your LMS is compliant.