So a very warm welcome to you all to this webinar on GDPR and data protection compliance. Today we'll be finding out from Gavin and Martin from Moodle how Moodle empowers institutions. Together with my colleague Martin Hawksey from ALT, I'm delighted to welcome so many of you today. And I wanted to emphasize that we are recording this session and it will be on the website afterwards. And also, if you have any questions during the session, you can raise them in the chat. We'll do our best to pick them up during the session and also at the end. Now, on behalf of ALT, I'd like to very warmly welcome our two presenters who are joining us today. We are being joined by Gavin Henrick, a Moodle Business Development Manager. Hello Gavin, do you want to introduce yourself quickly?

Hi there, this is Gavin from Moodle. You probably already know me from running the Moodle Moots for the last few years in the UK and Ireland and from being active in the community, and I've been to quite a few of the ALT conferences as well. So hello to you all.

A very warm welcome to you. And I think we're also being joined intermittently at the moment by Martin Dougiamas, Moodle founder and CEO. So Martin's just been dropping in and out of the session, but hopefully he'll be with us and connected properly in a moment.

Alright, so sorry about that everybody. Hello, I'm Martin Dougiamas from Moodle, and with Gavin we're going to just give you a quick overview of what we've been doing lately regarding GDPR in the Moodle core product particularly. As you know, GDPR affects everybody, and so we also have a lot of other systems that are involved in Europe, and we're also working on all of those. So that's all our community sites and our business operations and MoodleCloud and even some of the new things we're working on too. But this is specifically about the Moodle open source product that many of you are using, and we wanted to give you some highlights of what we've been doing. So Gavin, if you wouldn't mind, go to the next slide.
So a very quick backdrop on GDPR. So it is an EU regulation. It's about personal data for EU citizens, and it's a very good initiative. I'm really behind it philosophically. I think this is what the internet has needed: something to harmonize data privacy laws and set new standards, and also to leverage the power of that regulation to force IT institutions to start implementing some of this stuff. And so there's a deadline of the 25th of May and there are steep fines possible, and that has helped a lot of organizations finally address this stuff properly, even though a lot of what's in here has already been around in some form or another as a recommendation. Now everyone has the incentive to implement these things. But it's good for us all as individuals going forward. So next slide there.

So GDPR is really focused on personal data, and that can include things like names, addresses, health information and photos, the obvious things. But it also applies to any information posted online in social media and even IP addresses in certain cases. So the address you're coming from is also a factor here. So there has to be a lawful basis for any company to collect and process data. And when I say company I mean organization, and that includes the many users of Moodle. The organization should ask for consent from individuals. Gavin, you might want to switch off your microphone actually. We have to ask for consent for collecting data for specific purposes, and that's to protect people, so individuals know what's being collected and why it's going to be used. And the universities in particular are collecting quite a lot of personal data, and a lot of data that gets shared in the context of a course is subject to all of this stuff. There's also the concept of right of access.
So any individual has the right to get access to their personal data, and that's something that a lot of systems were not designed with from the beginning, and so that needs to be added to a lot of systems, including Moodle. And there's also the right to erasure. So in certain circumstances the data subject, or the individual, has the right to ask for their data to be erased. Now there are exceptions to that, and particularly in education, when you need data to be available for other people's work or for other people's purposes in a shared collaborative system, all of those cases just have to be defined well and treated properly. But there is the basic right to erasure that people have. So going forward on here. There are three big terms that you'll hear a lot around GDPR, and these are just shorthand for certain concepts that help us decide who is responsible for things. So the data controller is any organization that collects and stores the personal data. So it's actually about where the data is stored and who's actually controlling that data. That's different to a data processor. So a data processor is any organization that processes that personal data, whether or not on the data controller's actual systems. And most organizations should have the role of a data protection officer. So it's a contact point for monitoring data protection compliance in that organization and for performing impact assessments. They're the contact for external people and also internal people. And they are independent. They shouldn't be really deeply involved in the systems themselves. They should report to the highest management level of the organization so that they don't have conflicts of interest about being involved in the building of the systems that they're responsible for studying and looking over. So those are some of the basic glossary terms. What we've been doing: and I'll be the first to admit that I would love it if we'd started all this a lot earlier.
But the concepts here are necessarily difficult, I think, for IT people to understand. And a lot of us in the whole community, I think, have taken quite a while to really comprehend the extent of this regulation and the amount of work that we all have to do. And so I think most companies are scrambling and only releasing things like it now, even though it's only next month for this deadline. But that's it: for the last eight months or so, we've been working very hard on what we need to do. So we've been working with a privacy and compliance specialist lawyer from the EU who's been guiding us with the specifications of what we need to be doing. Really great guys, been super helpful and continue to be. We've gone through and built a lot of user stories and technical specs from that. And we had two dedicated development teams inside Moodle HQ just focused on the GDPR implementations. And this was most of our core devs, in fact. We haven't done much else in the past cycle than this. So it really was number one importance over anything else we were doing. So there are two main sections. One is on the registration and consenting of users. And the other is about handling subject access requests and erasure and the data registry. As part of that, we've implemented a whole new privacy API inside Moodle, which is the foundation of all of the work that our community still needs to do. So one of those is the community-produced plugins. Some of them are published centrally in our plugins database. But many of them are not, and many of them, the institutions, various institutions have made their own plugins for their own purposes, which is one of the beauties of Moodle, that it's so flexible and customizable. But it means they will also have to do this work on that code to make it a fully compliant system. And mostly that's just about each plugin needing to be able to identify the personal data that it individually stores and expose that through the API. So more about this as we go on.
So next slide again. So we've started by implementing as much as we can as plugins. And that's because we know not everybody's going to want to, or be able to, upgrade to Moodle 3.5, which is our next release, and which will include all this new software. That comes out in May. But for people who are still on slightly older versions, 3.3 and 3.4, you would need to go and install these plugins on top of your system and use those. And we try to make them as comprehensive as we possibly can. But they will continue evolving over coming months and years as well. And yeah, we'll be maintaining those plugins for 3.3 and 3.4 and 3.5 going forward. So you really should be on one of those releases to fully take advantage of these. There is some talk about some people porting these plugins back to Moodle 3.2 and maybe earlier. That's not our focus right now, because we've got more than enough on our plate implementing everything for the last three versions of Moodle. So go on forward, Gavin. So these are the two major plugins. The first one is the policy plugin, which is all about the sign-on process and defining policies and showing them to users. And then there's the data privacy plugin, which is really about the workflow for those users once they're in the system. So if we just push forward to the next one, Gavin. So this is some of the workflow that happens in the policy plugin, and it's about the signing-up process. So during sign-up, depending on the age of students, you may need to ask them: are they over the age of consent? If they are not over the age of consent, so they're quite young students, then they can't proceed with making an account themselves. As soon as you even ask them for names or email addresses, you start getting into privacy of personal data, so we can't even continue with the process.
At that point, we just ask them to go to the admin, and there's going to have to be a different custom process for how you get that student into the system. And that'll be a local process just for you. Gavin, you've skipped slides there. Can you go back one, please? So once they are over the age of consent, then you can continue, and the login process will take them through showing them all the current policies on the site. They need to consent to each one of them individually, and if they do, then they go through the user registration and create an account as usual. Now this only applies for when you have users signing up themselves. For most institutions, they would have connected Moodle with a student information system, or if it's a company, a human resources system, and generally these accounts are created automatically anyway. But for those cases where Moodle was used this way, we had to implement the process. So if you go on a bit, next one. So the digital age of consent part of this, it defaults to 16, but different countries have different age requirements, and in the plugin we have a way for the admin to set it up for their own situation. If they're accepting students from all over the world, then you can enter in all the countries and their ages of consent and Moodle will handle it. If of course you're an institution in just one country, it's going to look a lot simpler. So go on. So the policy pages: you're able to set policies for the site about privacy or about any other topic, and Moodle has interfaces now for the administrator to define these policies. And an example you'll know from most sites in the past couple of years is the little pop-up that you see that says we are using cookies on this site, do you agree? So it's just like a very short policy shown to you when you first get there.
That's an example of what we can now define, but you can have any policy you like, and we have to leave it up to you because every individual site is going to be quite different. So let's go to the next one. So this is the consent page that shows the summary. So first you see the full policies and then you're taken to a summary and overview. So you see them a second time and you can see all the policies and you can agree to them individually, so it records the agreements. So go on to the next page there, Gavin. And then once you've agreed to policies, you see they're all recorded. This is an overview that the site admin or the privacy officer can see, for each person, which of the policies they've agreed to. Now something about the policies is that we have version management in there, so if you update a policy, you can fix a simple typo that doesn't materially affect the content, and in that case you're allowed to just make a change to the policy without getting everybody to agree to it again. But if you do make any substantial changes to the policy, then it is required that all users see that again and re-consent to that policy. And so Moodle does handle all those versions and tracks them. The next time those users log in they'll be shown those policies and they have to re-agree. Next slide. Policies can be set to particular types of users, and even guests may have to see policies, and then you can see it. It looks a bit like this. Can you go on, Gavin? Oh, who's controlling the slideshow? Anyway, here we go. So all of that was just the policy plugin and how it works. We can show you some more screenshots later if there are any questions. The data privacy plugin is about what happens after. So once a student or a teacher, any user, is in the system and they need to interact to get their data or erase their data, they need to talk to the data protection officer.
Now, we could have just put an email link and let it all be handled via email, but we chose to do it as a system inside Moodle because it really helps people focus, I think, and do this service properly. Having it integrated in Moodle shows how serious we are about this and that Moodle wants to handle these things. We really want to give the affordances to your data protection officer or your data privacy officer to handle this stuff. So this is an example. Once a student has filled out the form, clicked on the link and sent the request, there is an interface where the DPO can see all those requests and take action on them. They move through a variety of statuses. They start off waiting for approval. You can accept that and review the data and approve it. Now, once you approve it, Moodle is able to process that request and in the background it will start generating a zip file, if they want a copy of all their data. Then Moodle will generate a zip file with all their data. Now, that zip file has quite an easy-to-read structure. It's something even a student can have on their desktop and open and browse, and they'll see all the images they've uploaded, all the files like PDFs or Word documents they've uploaded in the system, but also text such as forum posts, attachments, assignment submissions, everything. As much as possible, we try to make it really usable by the student or by the teacher. In many cases though, the data is database-like, and so those are JSON files and they can be processed by a machine if necessary. There are no standards around how we do this, so we had to invent one. So let's call this the Moodle personal data export format, and we can go into more details about that another time. The data privacy plugin has one other part to it which is just being finished, which is about the data registry, and its purpose is... We want to be able to define a retention period for certain data stored in Moodle.
So it's about saying Moodle collects this sort of data for this purpose, and we only want to keep it for this amount of years or whatever it is. So for different courses or modules or blocks you can now set what the purpose of the data in there is and how long you want to keep it, and defining that lets us be aware of the data we have and treat it appropriately. So for example, you might have a policy in the organization that courses need to be kept for seven years online so that students can refer back to them or something. So you need to make that the policy, and all the participants need to agree that their own data will be allowed to be online for seven years. You need to justify that. So this is an example of the interface where it lets you browse through the course and set different data registry settings for each part of Moodle. If you don't need to go down to details, you can set it for the whole site at once, for example. The last important thing we want to talk about here is that you are responsible for your own compliance. Each organization needs to do this, needs to go through a process. No software is going to be enough. What we've built in Moodle are affordances to make it easier for people to implement and be compliant with the regulations, but just having that there isn't enough. So you need to configure it correctly. You need to implement it. You need to write the policies and have those procedures. So we really highly recommend, if you haven't already, that you get independent legal advice about your own particular situation, use the tools that we've provided, and if there's things that you need, if you realize that there are improvements to the tools that you think would really help, then get in touch with us, because we really want the community to input into this. So just lastly, in summary: we are implementing GDPR support as new plugins.
There are some small core changes, so it really only works with the last three major versions of Moodle so far. You can already get these plugins and play with them. They're on Moodle.org in the public plugin database; if you search for GDPR you'll find them. They will be built into Moodle 3.5 and later, and we'll continue evolving them as necessary in response to community feedback. And lastly, you are responsible for your compliance, so I do recommend everyone gets legal advice. And that's the end of our short summary. These were the slides that the team have put together. Our team of developers have been working really hard on this for the last six to eight months, and we think we're hitting the sweet spot here of simple tools that enable people to do this stuff, but it is a very difficult process for everyone to work through and we're just trying to help as much as we can. So thank you. Plenty of time for questions now.

Wow, thank you very much Martin and Gavin, that was a really great presentation, really insightful, and also really keen to hear about how your values as an organization are kind of reflected in the actions that you've taken. As you can see, there is a lot of interest that's being generated, a very lively chat, but I think before we go and jump right into questions for you and Gavin, I just want to say a big thank you, and I hope that our participants can put their hands together and give you guys a big thank you, if a virtual one, for a really super great webinar. So thank you very much. We do have a lot of questions that have come up in the chat, but if you do have any questions for Martin or for Gavin, please post them as well, and I'm hoping that we can also make the recording available afterwards so you can go through any of the details.
Gavin, Martin, are you happy to have a look in the chat yourself, and we'll try and pick out some of the questions that are being raised? So we'll just wait for the applause to die down and then we'll see what questions we have.

Thank you, Mara. So Gavin hasn't done much yet except for answering all the questions in the chat, which is great. Gavin, if you want to speak at any time, answer anything, go for it.

Okay, well I'll elaborate a little bit. So Michael said: should institution systems be doing this themselves rather than relying on Moodle? So my response is, obviously there are lots of different organizations; some will have heavily integrated centralized systems, some won't, so Moodle has to be able to enable these affordances to all types of organizations using it. But the most important one for me is that the majority of institutions have a contract with their students, and contract is one of the lawful bases for processing. Anyhow, you don't need to say what you're processing, and I've looked at a few university contracts with their students and not one of them actually specified, hey, we're going to be giving all your data to Google, we're going to be giving all your data to Blackboard by using Collaborate, and specifying all these external systems that their data is going to be going to. So even when it comes to my contract, you still need to actually let the students know where their data is going to be. And I remember there have been debates on whether you could even force them to use these systems or not; that's a separate thing, but I know that ALT had a discussion on that last year. So yeah, I think that Moodle for most institutions will use these policies to augment all of the permissions and contractual basis that they have with their student contract, like when they roll out a new system, maybe Blackboard Collaborate or something else. I think that's one of the main things for the big ones; for all the small ones it might be the only thing they have.
There's some early ones from Zaman about UCL, about can a tutor request to be anonymous so a student doesn't know who marked their work. Right, so Zaman, that's really even a pre-GDPR issue, and it's something where students have a right to all personal data on them; actually the person writing it is their personal data, and actually the student doesn't necessarily have the right to that. So technically that's an area where the institution will have to make a judgment call on it, based on what their agreement is, because a lot of institutions also have a charter with their students which lets them know how much transparency and stuff there is. But again, legal advice on what your current contract says. So any of these other ones here: if we download the plugins, will there be any issues when we upgrade to 3.5 in July? So Martin, do you want to grab that one?

No audio. No, there won't be any problems at all. That's designed to be upgradable, and so yeah, no problem at all installing those and then upgrading; it's the same code.

So Rebecca's asked about the registry. It is a work in progress, it's not finished yet, so bear with us on that, Rebecca. So it does work, as Martin mentions there, that you can specify the purposes and so on, and if there are some things you need to have for much longer or shorter, you can do your purposes to have it differently in there. So it is, but it is a work in progress. So there's a good one there, 5 years purpose to allow student data... just sorry. Dave has various optional fields, like Yahoo; he wants to turn them off, doesn't need them, he can hide them but he wants to empty the data in them. That's really outside of the scope of this work, Dave, but it might be something you want to put in as a plugin request within the whole GDPR and privacy area for ongoing after 3.6. If you're talking about having that as a general thing, that's more e-privacy than GDPR per se. What about staff data? That's a good one. A lot of institutions may not realize that their staff are data subjects too, so data subjects have certain rights, but not everyone has all rights. So for example, from a student point of view, where they might have the right of erasure for certain things, staff, because it is actually work product and probably, again depending on your contract, copyright to the institution, might not have it. So these are things that you're going to need to understand: your own contracts with your staff about ownership and copyright, and your students. That's why Martin keeps going back to: you must get your own legal advice. We're just enabling you, we're not telling you what to do. I've just posted a link, which I'll put on the presentation at the end actually, that says security and privacy forum on Moodle.org. If you're watching a recording and you have questions, that's where you should go, and even some of the questions here which I don't actually know the answer to, to make sure that the team answer them there in that forum. There's one there about how long will the zip file of data be available. I'm not sure off the top of my head; that's one I'd actually just ask the team if they know, but they're still answering. I don't know exactly, so Ian, that's a great one to put on the forum. Sure, this is about Flash: you don't need any Flash. Agreed, Rebecca, your point about the DPO request and deletion, some of this is still work in progress over the next few weeks, so bear with us, and when it is released on May 14 these plugins will be robustly finished by that point. Ideally they'll close the... if you've deleted everything from an account, that would include the account itself, I imagine, so I don't know why it behaved that way for you; probably a bug, sounds like something we should test. I see Gerard's got his hand up. Gerard, you want to jump on the microphone and ask a question? You're welcome to do that. In the meantime, some other questions from the chat. It's okay, Gerard, so I think we're just going to focus on the questions in the chat. Were there any more you want us to pick up?
One thing that's come up in previous discussions is that the GDPR stuff can look extremely scary, but it really isn't. It's just a matter of looking at your own setup, thinking like we've never thought before as much about where the data is coming in, how it's being used and what it's being used for, and coming up with common sense policies around those that you can now explain to everybody: this is how we're using your data and why, and they can agree or not agree, in which case, if they don't agree, in your organization they can't do things that are necessary. So it's just working through that process, even though it is hard. And I've got a theory as to why it's hard for technical people particularly, because we are used to having access to everything. We can go to a database, we can read people's emails, we have all this access usually, and to actually take that away from ourselves is a funny feeling for a very technical person. But that's what we have to do, that's how systems should work, and all of this legislation is a really useful push for us to fix these things up.

So David just asked a really deep point and question, and possibly it will explain why Moodle has gone about doing it the way we have. What is personal data? It's called sort of the text area conundrum. Now if you were to think that in a forum post, a teacher might, as an icebreaker in a course, go: hey everyone, please introduce yourself, say where you're from, why you're doing the course and what you're hoping to get out of it, or something. So you're basically asking them to share personal data. Oops, that means now, if even one teacher in your school or college has done something like that, forum posts will probably have personal data, which means then either you're going to have to go through each one, one at a time, to make a decision on it, or it's just safer to assume every post someone has done may include personal data. So we've taken the approach that because it might have, let's just export it, because if
there's... if we didn't do it that way and there was even one post, then you'd be in a harder place having to do it manually, unless you've got the time to go through a few 10,000 forum posts or something. So Martin, do you want to handle the erasing part of that?

Right, so yes, the approach taken with erasing is that, assuming the policy is that you do allow erasing of something like a forum post, which is obviously the experience of everybody else, and in the context of a discussion is part of that learning content that everybody else in the class would see, but assuming you allow people to delete their own entries, it obliterates the text. Exactly, Michael, it keeps it there but replaces the text and anonymizes the user, so that you can't read it or see who posted it. So it still keeps the integrity of the discussion while removing their personal data.

And of course one of the key things there is if they've agreed to let that be available within their consent, within your contract, that's actually what the important thing is, because you can just say, you know what, everything you do as part of your course is an intrinsic part of your course evaluation and therefore we need to retain this for 7 years. It might not be, and again you'll have to get a lawyer to advise you on whether that's doable or not, because there is a concept of excessive processing and so on that you're going to have to deal with. So yeah, back to: get a lawyer, I think.

Well Gavin, Martin, I think we've had a lot of questions already. I wonder if we may be, given that we've been in the webinar for nearly an hour already, whether we want to maybe pick up one or two final points, or if you have any final points that you'd like to add before we close the session.

I would just say that if there were two hours' worth of Q&A we would still not answer all the questions that people have. We've had months of Q&A internally and with our legal advice, and we're still coming up with new questions, so the forums are the best place for
those which we haven't managed to answer yet.

Great, thank you very much. I'm sure the discussion will be ongoing as the time of GDPR implementation comes closer, and it's been really insightful to actually hear you both think through some of the challenges and how you are approaching that. So I think, unless there is anything else from you Martin, we might draw the session to a close. Any final thoughts from you?

Look, thank you, and thank you for the opportunity and the platform to talk a bit about what we've been doing, and also really thank you to ALT. I really respect what ALT does. I personally haven't been too much involved in ALT events before now, although I've wanted to be, and I'm going to try and get to some of your conferences to engage more. But thank you very much for that chance, and I just really wanted to reiterate that we believe in the GDPR philosophically. It does fit in with our vision and the mission for the Moodle project. As an open project we have special challenges around this, in that everybody takes Moodle and customises it and makes their own learning management system from it, and it's a little different to, say, if we were just Facebook and we had to fix one system centrally. But I think that kind of openness is the sort of thing that is needed in education, and to support that we all need to work on problems like privacy and think them through and solve it and make sure we have a better world for tomorrow where privacy is something that's just expected and part of the design of everything we build.

Thank you very much. I think that's a wonderful closing note to finish on and leaves us certainly with a lot to aspire to going forward. So it just leaves me, together with my colleague Martin Hawksey, to thank you both again for a really great webinar, and thank you all for participating as well. We will stop the recording now, but we'll put it online as soon as it's available.