Moodle tracker MDL-71316

Intended removal of "old" user data leads to the removal of live data, including logs.


    • Type: Epic
    • Resolution: Won't Do
    • Priority: Minor
    • Fix Version/s: None
    • Affects Version/s: 3.9.6
    • Component/s: Logging, Privacy
    • Labels: None
    • Affected Branches: MOODLE_39_STABLE
    • Epic Name: Removal of live user data

This is a scenario that recently happened:

1. Teacher recycles an old course without changing the course end date. Teachers are generally not responsible for maintaining site-wide GDPR compliance and can be unaware of this setting's implications.
2. Students enroll in the course, turn in homework, etc. Apparently, nothing prevents students from self-enrolling into a course with a course end date set far into the past.
3. The course end date is older than the retention period set in site policies. So according to site policy the course gets picked up by \tool_dataprivacy\task\expired_retention_period as a candidate for privacy data deletion.
4. The course is listed in /admin/tool/dataprivacy/datadeletion.php?filter=50 as a "context with expired retention period." This is currently the only safeguard in place. However, there is no link and no course ID by which the admin can quickly locate and check the course, and no warning that the course is actually in use and contains live user data. It can be one course among tens or hundreds listed for cleaning. So the course is selected by the admin as part of the bulk of other courses for "old" privacy data removal. The course at this point contains days and weeks of fresh user data.
5. After several more days the course is finally cleaned by \tool_dataprivacy\task\delete_expired_contexts. All students' data, as recent as a few minutes old, is removed. The students' work literally vanished before their eyes.
6. All associated log entries, old and fresh, are also deleted, including those which the admin is legally bound to keep. This process leaves no clue why the user data disappeared or whether it was ever there. The only chance to figure out what happened is to download and search all the task logs before they get deleted too. The default limit is 20 task logs, which means a few days on a large busy server.

Suggestions for improvement:

1. Put a warning next to the course end date setting about data privacy implications.
2. Prevent students from self-enrolling into a course with an expired course end date.
3. Put a general warning on top of the list of courses listed for cleaning that they may contain live data.
4. Put a specific warning next to each course in the list for cleaning that it contains live data.
5. Prevent removal of log entries that are not older than the period declared in site policies for logs. This may be made optional via a setting.

Thanks.
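The check an admin could run before approving the bulk cleanup described in step 4, as an added example that is not part of this issue or of Moodle's own code. It assumes the Moodle 3.9 table layout with the default "mdl_" prefix and the standard log store, and MySQL/MariaDB date functions; the status values of tool_dataprivacy_ctxexpired (0 = expired, 1 = approved, 2 = cleaned) are assumed from the plugin's expired_context class and should be verified against your install.

```sql
-- Added example (not Moodle code). Assumed schema, default "mdl_" prefix:
--   mdl_tool_dataprivacy_ctxexpired (contextid, status)  -- 0 expired, 1 approved, 2 cleaned (assumed)
--   mdl_context (id, contextlevel, instanceid)           -- contextlevel 50 = course, as in filter=50
--   mdl_course (id, shortname, enddate)
--   mdl_logstore_standard_log (id, courseid, timecreated)
-- Lists course contexts queued for privacy deletion that still show user
-- activity in the last 30 days, i.e. the "live data" cases the report
-- says the datadeletion.php list gives no warning about.
SELECT c.id                                AS courseid,
       c.shortname,
       FROM_UNIXTIME(c.enddate)            AS course_enddate,
       x.status                            AS expiry_status,
       COUNT(l.id)                         AS recent_log_entries,
       FROM_UNIXTIME(MAX(l.timecreated))   AS last_activity
  FROM mdl_tool_dataprivacy_ctxexpired x
  JOIN mdl_context ctx
       ON ctx.id = x.contextid
      AND ctx.contextlevel = 50                      -- course contexts only
  JOIN mdl_course c
       ON c.id = ctx.instanceid
  JOIN mdl_logstore_standard_log l
       ON l.courseid = c.id
      AND l.timecreated > UNIX_TIMESTAMP() - 30 * 24 * 60 * 60   -- activity window: 30 days
 WHERE x.status IN (0, 1)                          -- pending or approved, not yet cleaned
 GROUP BY c.id, c.shortname, c.enddate, x.status
 ORDER BY last_activity DESC;
```

Any course returned here has an expired end date but fresh log entries, so it should be pulled from the bulk selection and its end date reviewed rather than cleaned.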

Assignee: Unassigned
Reporter: Pavel Krejci (complicator)
Votes: 0
Watchers: 2
