Forums | Mahara Community
Mahara and the GDPR (new privacy regulation in the EU)
15 January 2018, 10:10 AM
Thank you for your write-up.
We are working on requiring the acceptance of the T&C and the privacy statement when a person logs in for the first time and also when either statement changes.
The account creation is a bit trickier, and it seems that we overlooked that when going through the GDPR. We'll have to see if we can still make changes for April for that. If not, institutions still have the chance to inform their users via email about the accounts.
Self-registration is OK. Your idea with the admin-created accounts sounds like a sensible one: The account is in a "holding state" until a person logs in and if they don't do so for a specified number of weeks, the account is removed.
We can't necessarily say though that the account is removed after a fixed period of time, e.g. 2 or 4 weeks because some institutions use the CSV file or web services to create accounts for incoming students so they can also put them into groups. Since the students may not yet have access to their email account or have an idea what this new system is about, it could be more confusing to send them account info beforehand when they haven't even joined a university yet or when the email doesn't go anywhere for them to action.
We can't send everyone an email about the account with the current notification as that includes a password. Accounts created by institutions may use SAML, LDAP, LTI, web services etc. to connect to Mahara, which do not always use the password used in the CSV file as they are external authentication methods. And since students don't always know what SAML / LDAP / LTI means, we can't just put the authentication method in. It might need to be possible for institution admins to create their own email text for students when they set up accounts for a specific authentication method.
For the time being, institutions can email students manually about new accounts (which is allowed by the GDPR) until we have a process in place in Mahara. Since there is no login date associated with an account simply created by CSV but never logged in, they'll be easy to find in the system and admins can delete these accounts after a few weeks if needed.
15 January 2018, 10:24 AM
The problem is not creating user accounts by admin or CSV user upload or LDAP or anything else. The question is, is there a contract or should the user close the 'contract' by confirming the account for Mahara. There are a lot of different situations, so I think this process should be configurable (active or not) for each user authentication process.
I.e. users coming from Moodle may have confirmed the required information within Moodle. External users uploaded via CSV have to run through the information and confirmation process.