Forums | Mahara Community

Open Discussion /
Mahara and the GDPR (new privacy regulation in the EU)

Kristina Hoeppner's profile picture
Posts: 4409

15 January 2018, 10:10

Hello Gregor,

Thank you for your write-up.

We are working on requiring the acceptance of the T&C and the privacy statement when a person logs in for the first time and also when either statement changes.

The account creation is a bit trickier and seems that we overlooked that when going through the GDPR. We'll have to see if we can still make changes for April for that. If not, institutions still have the chance to inform their users via email about the accounts.

Self-registration is OK. Your idea with the admin-created accounts sounds like a sensible one: The account is in a "holding state" until a person logs in and if they don't do so for a specified number of weeks, the account is removed.

We can't necessarily say though that the account is removed after a fixed period of time, e.g. 2 or 4 weeks because some institutions use the CSV file or web services to create accounts for incoming students so they can also put them into groups. Since the students may not yet have access to their email account or have an idea what this new system is about, it could be more confusing to send them account info beforehand when they haven't even joined a university yet or when the email doesn't go anywhere for them to action.

We can't send everyone an email about the account with the current notification as that includes a password. Accounts created by institutions may use SAML, LDAP, LTI, web services etc. to connect to Mahara, which do not always use the password used in the CSV file as they are external authentication methods. And since students don't always know what SAML / LDAP / LTI means, we can't just put the authentication method in. It might need to be possible for institution admins to create their own email text for students when they set up accounts for a specific authentication method.

For the time being, institutions can email students manually about new accounts (which is allowed by the GDPR) until we have a process in place in Mahara. Since there is no login date associated with an account simply created by CSV but never logged in, they'll be easy to find in the system and admins can delete these accounts after a few weeks if needed.




Ralf Hilgenstock's profile picture
Posts: 159

15 January 2018, 10:24

Hi Gregor
hi Kristina


the problem is not creating user accounts by admin or csv user upload or LDAP or anything else. The question is, is there a contract or should the user close the 'contract' by confirmig the accunt for Mahara. There are a lot of different situations  that I think this process should be configurable (active or not)  for each user  authentication process.

I.e. users coming from Moodle may have confirmed  the required informaton within Moodle. External usesr uploaded via CSV have to run through the information and confirmation process.



Kristina Hoeppner's profile picture
Posts: 4409

26 February 2018, 16:02


We've completed the development work for the initial changes and new features to accommodate the GDPR. There are still some other things that can / should be looked into, e.g. creation of accounts on the site via CSV / web services that aren't going to be used immediately and thus potentially automatic deletion of them after X number of days to prevent personal data to be available. We will review these for the next development cycle for Mahara 18.10. Please keep in mind that not everything has to be done / can be done via the software, and that at times manual intervention by an institution is required or necessary.

If you are interested in checking out what the changes are that will be available in Mahara 18.04, watch this preview video that takes you through the main changes. I might have glossed over a couple or only mentioned them in passing, but the big ones are included.




Jochen K's profile picture
Posts: 23

26 March 2018, 21:19

Hello Kristina,

we have tested 18.04RC2 but only the function of confirming "site privacy statement" and "Term & conditions"

It works with uploaded account via csv and also with mnet.

The notfication to the user and to the administration works also.

Everything is fine so far.

Thanks for these features to all in NZ.




Kristina Hoeppner's profile picture
Posts: 4409

27 March 2018, 14:11

Thank you very much for your feedback, Jochen! Great that it works well for you. We are fixing a few things that we discovered during the release candidate but are looking good to release within the first 2 weeks of April.




Sarah Cotton's profile picture
Posts: 7

16 May 2018, 20:50

Hi Kristina

Moodle 3.5 is due for release tomorrow, 17th May, which we are hoping to move to this summer as it addresses GDPR issues.

Do you know when the Mahara assignment submission plugin for Moodle 3.5 will be available? I only ask as I'm aware there is a new Privacy API being implemented and wasn't sure how this would affect the Mahoodle integration. 

Many thanks


17 May 2018, 8:55

Hello Sarah,

We have not yet had time to look into upgrading the Moodle assignment submission plugin, but have it on our ToDo list.




Kristina Hoeppner's profile picture
Posts: 4409

05 June 2018, 11:20

Hello Sarah,

The assignment submission plugin is updated for Moodle 3.5. You can get it at

Please let us know if you run into any issues.




18 results