We need to make a series of changes in Mahara to comply with the GDPR. More info is available on the wiki at https://wiki.mahara.org/wiki/Developer_Area/Specifications_in_Development/GDPR_compliance
This report here deals with: "Need to re-think the possibility for institutions to have their own T&C and privacy statements since they are still part of the wider site, site admins can also run reports, and institutions can't decide which reports to make available or not. Rather than allowing institutions to fully overwrite the T&C and privacy statement, allow them to add additional information to an existing statement. That way they can add more institution-specific information without removing site information."
Separate wishlist items are created for the versioning of the T&C and also consent.
The GDPR is about transparency for the user. Thus, it might be most transparent to require consent for the site T&C and separately for the institution T&C. That way it is clear which ones are which and we can save the site text as one and the institution text as one as they will most likely also be updated independently.
It might be good to show the individual sections in panels. See bug #1734174 why this might be useful.