Handling Sensitive Data
The data held in your Moodle LMS will likely be sensitive and you need to take steps to ensure you handle it appropriately. A lot of the analysis we have discussed in these posts entails downloading and examining data from your Moodle installation. In this article we will look at what you need to consider when handling this sensitive data.
There will be legal requirements regarding the use of sensitive data held within your Moodle installation. This will depend on where in the world you (or your users) live and the laws that govern you. The General Data Protection Regulation in the EU is a good example. This article is not intended as legal advice and will not tell you how to comply with local or international data laws. What it will do is provide you with some practical tips and aspects you need to consider when handling data.
Data stored in your LMS
Most of the data we are dealing with is held within your Moodle installation. This can include sensitive data such as personally identifiable information, email and password combinations, location data and preferences. There are processes in place to address the sensitivity of this data which include:
- Limiting who can access what data based on roles and permissions
- Securing accounts with passwords
- Protecting data such as passwords within the Moodle database
- Plugins for policies and data privacy.
The data stored within your Moodle installation should be secure provided you are careful with who you give administrative privileges to. It is once the data leaves the LMS that you need to be conscious of how you handle it.
Data downloaded for analysis
You may choose to run an Ad-hoc database query and pull down data from your Moodle LMS for later analysis. You need to handle this data with care to ensure that it is kept secure and that people’s privacy is maintained. Some of this data could be sensitive. As an example, in a previous (non-Moodle) LMS that I worked with downloaded student contact information would include their email address and password in plain text. This meant that if this dataset got into the wrong hands someone could log in as that user. If the user used the same email and password combination across multiple accounts then they could really do some damage. While most systems would not allow something as basic as this to occur, it does highlight the importance of keeping any downloaded data secure.
Good practice when handling data exported from your LMS includes the following points:
- Only download the data you need for the analysis
- Keep the data stored locally (e.g. not in a Dropbox folder where it could be synced to multiple devices)
- Password protect the file if it will be stored for a period of time (e.g. not using it immediately)
- Delete the file when you have finished with it (securely)
- Remove personally identifiable information from any analysis that you then share with others.
Sharing data with others
There may be times when you need to share the data you downloaded with other people. This could be the case where you are working together on an analysis project or you want someone to sense check your analysis by repeating it with the same dataset. It could also be the case when you are an administrator of a Moodle site and need to provide reporting data to other users. It is important that you keep the data secure when sharing with others (and that they follow the steps above regarding downloaded data). You should consider the following when sharing data with others:
- Only share data that is required for the analysis (remove unnecessary data)
- Secure the data with a password and send the password via a separate means, such as emailing the data file and sending a text with the password
- Place the file into a secure folder on a server with restricted access (e.g. a SharePoint folder) and ensure it is deleted once accessed
- Make sure the recipient is aware of any requirements to keep the data secure and respect people’s privacy.
Data that you access from your Moodle installation can be sensitive and you have a responsibility to protect it. Taking steps to secure the data and to share it securely with others will prevent the data from getting into the wrong hands or people’s privacy being breached.
- Version Control – Git GUI – 7th March 2023
- Version Control – Git Command Line Tool – 7th February 2023
- Version Control – Creating Repositories – 7th January 2023
One thought on “Handling Sensitive Data”
That’s a really good reminder – just because you can download data .. doesn’t mean you should !
Once it’s in an Excel spreadsheet it’s potentially far less secure than being in the Moodle database – definitely something to consider when reporting on and extracting data.