For the online learning world




With the impending application of GDPR (docs.moodle.org/34/en/GDPR) on the 25th May 2018, what does this mean for you and your Moodle installation?

I’m not a lawyer, I’m a developer so will be writing with the aspect of the latter rather than the former.


Firefox® is a registered trademark of the Mozilla Foundation.

Ubuntu® is a registered trademark of Canonical Ltd – www.ubuntu.com/legal/terms-and-policies/intellectual-property-policy

Moodle™ is a registered trademark of ‘Martin Dougiamas’ – moodle.com/trademarks.

I am independent from the organisations listed above and am in no way writing for or endorsed by them.

Does it affect me?

If you have users whom are or based in an EU member state then you will need to comply with GDPR. Otherwise you do not have to. But because of GDPR there has been improvements in Moodle to increase the privacy provision. Greater understanding is being provided on the user data stored not only by the core components (via the ‘Privacy API’ (docs.moodle.org/dev/Privacy_API), but contributed plugin developers now need to implement the ‘Privacy API’ too. This, despite being a lot of work, is a good thing. So even if you don’t have to comply with GDPR, then you can still have improvements in the best interest of your users.

Data privacy tool

This is currently an additional tool that can be installed if you are using the correct version of Moodle. You can get it from moodle.org/plugins/tool_dataprivacy. It is my understanding that it will become a part of Moodle core in the future.

Contributed plugins

As already mentioned, contributed plugins have to implement the ‘Privacy API’. By ‘have’ I mean that if it is published on Moodle.org then it will have an indication that it does and I would assume that the credibility of a plugin will drop if it does not. Implementation is a ‘must’ even if the plugin itself does not store user data, a ‘null provider’.

So how can you tell that a plugin implements privacy? Well with the data privacy tool there is functionality ‘Plugin privacy registry’ (which you can find by first navigating to ‘Site administration -> Users’ then click on ‘Category: Privacy and policy’ then you’ll see ‘Plugin privacy registry’ at the bottom) that tells you, along with what the developer has stated:

Course formats in the data privacy tool

Here you can see that I have stated what my Collapsed Topics does (if you want more detail, then please read my post of ‘January 2018‘) and what sort of data it is. And in the case of the Grid format (pending me implementing the API for it) what is shown if the Privacy API has not been implemented.

However as hinted at already, I’m a developer and not a lawyer, so my description is based on my understanding of GDPR and as such with the responsibility under the regulation being on you (because you run and control your site) then you need to check the code for yourself. This is where open source really helps as you can apply a fine-tooth comb and look in detail at every element of the code.

Core code

But what about core code? Is its implementation of the privacy API correct? It is worth looking at the code to be sure. As I did find an issue and reported it in the Moodle tracker – tracker.moodle.org/browse/MDL-61966, thankfully down to the people who worked on it promptly it has been resolved.

Beyond plugins

Plugin checking is only one aspect of the data privacy tool, it has a lot more features to manage policy, handle requests and deletions that you can find described here: docs.moodle.org/34/en/Data_privacy_plugin. Currently it appears to process requests and move their progression via the ‘cron’ process, docs.moodle.org/34/en/Cron, so if you find things are not working then either decrease the interval between cron runs or run manually as required.

What is privacy?

So far I have been describing Moodle specific functionality. That functionality has clearly taken a substantial amount of effort to achieve. But to what ends? Is that effort worth it? How much as humans in society do we value privacy? With the introduction of GDPR then that value and the need to protect it has increased. Technology and our acceptance of it moves so very fast, so fast indeed that like any new thing we need time to understand and discover the positives and negatives. It is perhaps our discovery of those negatives that has given rise to legal regulation.

But what about the positives of technology? Will new regulation stifle invention? Where is the balance to be made?

Looking at Collapsed Topics I state that user data pertains to the user id and the state of the toggles on a course. Those toggles represent choice, choice at a given moment in time that indicates what sections the user was looking at (or could look at). How important to somebody else is that data? I think it depends on the content of the course and then combined with other data in order to build a picture of the individual. Therefore the balance is context based and any such regulation needs to cope with this variable. Does it?

Ultimately privacy is about the fear that information about ourselves will be used in a negative way by others. Even if done in a positive way without our consent or choice. But then taking away consent or choice is negative. Therefore privacy is a negative concept that helps to protect the positive concept of choice. So does Moodle as a vehicle of education that can be said to empower choice through learned knowledge meet the needs of privacy to support it?

Gareth Barnard
Latest posts by Gareth Barnard (see all)

Gareth Barnard

Gareth is a developer of numerous Moodle Themes including Essential (the most popular Moodle Theme ever), Foundation, and other plugins such as course formats, including Collapsed Topics.

4 thoughts on “Privacy

  • Very interesting post :-). I wonder what will happen if the USA (for example) implements a different standard – how will Moodle (or indeed others) respond to this and will online site need to adhere to both – I guess so? I would also be ver interested to see how a user in the EU would legally challenge a provider in Asia for example. It’s OK to say “this law applies to all EU residents” but I don’t see the legal framework for challenging user data in a different jurisdiction? In simple terms, the EU can’t enforce laws in regions outside the EU, because those laws can only apply to the EU. Confusing for sure.

    • Hi Stuart,

      Oh indeed. I do wonder in actual practice how it can be enforced. In watching the news about Brexit and with a view that is neither for or against, the EU at the top appears to be or operate in terms of idealism and a belief in the system but with no practical grip on reality and the complexities of implementation of a concept. It is a drive towards one vision of utopia with a set of ideals but no understanding of how they can be achieved or if they are implemented, their full logical impact and consequences.

      For example, I once took a test to drive a mini-bus, this is covered by an EU regulation or similar. There is a maximum speed for motorways that is defined in kilometres per hour. This equates in the UK to 62.5 miles per hour. UK motorways tend to have maximum speed limits of 70 mph for cars and coaches, and 60 mph for lorries and large vans etc. So mini-busses are in their own unique and odd bracket. So there is no allowed practical pragmatic local adaptation of a given regulation for a given member state.

      Therefore whilst GDPR is a good idea for privacy in principle, I suspect there will be many landmark legal cases and cross border diplomatic conflicts to come.


Add a reply or comment...