Explicit consent switches on the privacy statement for the GDPR

Bug #1734169 reported by Kristina Hoeppner on 2017-11-23
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Wishlist
Maria Sorica

Bug Description

We need to make a series of changes in Mahara to comply with the GDPR. More info is available on the wiki at https://wiki.mahara.org/wiki/Developer_Area/Specifications_in_Development/GDPR_compliance

We need to be able to add explicit consent boxes / Yes/No switches to the privacy statement. These should come at the end of the site privacy statement and the institution privacy statement if needed to make it clear in which section consent is given.

The consent should be configurable by site and institution admins as that may change. It also needs to be versioned and the consent date and time recorded as well as the wording to which a user consented to. This could become a report in the administration area. In future it would also be good for the user to see reports that show the data that was collected for them, but that is not the focus here.

For the MVP, users would need to consent to all items for an account to be created. If they leave out any items, they will receive a modal letting them know that their account won't be able to be created and that they have two choices:

1. Revise their selection / double-check that they didn't miss anything by accident
2. Send a message to their institution administrator(s) letting them know why they don't want to consent to a particular item so that the institution can then deal with that. The easiest might be a message field directly on that screen so a message can be dispatched to all institution admins for the institution in which the user is a member / wanting to be a member or if there are no institutions or there is no institution admin, contact the site admin. This behavior should be similar to what we currently see when we have pending registrations: All institution admins receive a message and if there is none, the site admin receives it.

It would be good to create a new admin menu item "Privacy" in which all privacy related items that require configuration and text changes can be collected. Then we could switch between site and specific institution information like we do on the "Institutions" screen.

While in the beginning, we may not have many consent switches, if an institution integrates with other systems, users will need to consent to that as well.

At the moment it would not be possible for users to opt out of any consent. They'd need to agree with them all to set up / use their account.

Changed in mahara:
importance: High → Wishlist

Instead of giving a user access to a report (at the moment), we could implement a privacy page in their account settings: bug #1734171

description: updated
summary: - Explicit consent switches for the GDPR
+ Explicit consent switches on the privacy statement for the GDPR
Changed in mahara:
status: Confirmed → In Progress
assignee: nobody → Maria Sorica (maria-sorica)
Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/8459

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/8471

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/8477

Changed in mahara:
status: In Progress → Fix Committed

Reviewed: https://reviews.mahara.org/8456
Committed: https://git.mahara.org/mahara/mahara/commit/658da452b747afbf230286d350b90184bacbad91
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 658da452b747afbf230286d350b90184bacbad91
Author: Robert Lyon <email address hidden>
Date: Fri Jan 19 10:32:58 2018 +1300

Bug 1734169: Use modal for are you sure question

@TODO
- add a textarea field for reason to not accept
- add test to suspend user when it doesn't accept

Change-Id: I7479e8ac1863f7712d45d92e5b60deced2847391
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8455
Committed: https://git.mahara.org/mahara/mahara/commit/382e5f7e4145cd528c694e806330b519e0eca046
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 382e5f7e4145cd528c694e806330b519e0eca046
Author: Maria Sorica <email address hidden>
Date: Thu Jan 18 16:12:22 2018 +0000

Bug 1734169: Suspend user if privacy statement is refused

If a privacy switch has the value 'No', a confirmation
form will be displayed to make sure this is really the
users decision.
If yes, the users account is suspended.

behatnotneeded

Change-Id: Ifa7c175569cbad780a449c8431d4d9f981839c21

tags: added: nominatedfeature
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8477
Committed: https://git.mahara.org/mahara/mahara/commit/35a117acb6cbae7a1bda702889fd4bf23721708a
Submitter: Cecilia Vela Gurovic (<email address hidden>)
Branch: master

commit 35a117acb6cbae7a1bda702889fd4bf23721708a
Author: Maria Sorica <email address hidden>
Date: Fri Jan 26 17:01:01 2018 +0000

Bug 1734169: Allow the user to say why he refuses the privacy

Add a textare in the 'are you sure' modal where the
user can write the reason why he refuses to consent to
a privacy statement.
This reason will be sent in a message to the institution
or site admin.

behatnotneeded

Change-Id: I6abe4c8c7c517b1319139497bedb40525d095fcb

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8471
Committed: https://git.mahara.org/mahara/mahara/commit/ccb01ab646164bbc1066fa1d630468f767eb16d1
Submitter: Cecilia Vela Gurovic (<email address hidden>)
Branch: master

commit ccb01ab646164bbc1066fa1d630468f767eb16d1
Author: Maria Sorica <email address hidden>
Date: Thu Jan 25 15:46:57 2018 +0000

Bug 1734169: Send message to admin when user rejects the privacy

When a user doesn't consent to a privacy statement,
a message will be sent to the institution/site admin.

If the user is part of an institution,the message
will be sent just to the inst admin. Else the
message will be sent to the site admin.

behatnotneeded

Change-Id: I7b3b87a59a537a805d851d29031df9cff941863e

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8459
Committed: https://git.mahara.org/mahara/mahara/commit/79649c70814e1a5ca3030bdf11f466aef0fc5aee
Submitter: Cecilia Vela Gurovic (<email address hidden>)
Branch: master

commit 79649c70814e1a5ca3030bdf11f466aef0fc5aee
Author: Maria Sorica <email address hidden>
Date: Fri Jan 19 18:02:22 2018 +0000

Bug 1734169: Add privacy statement to the register form

behatnotneeded

Change-Id: I9d7685dc6c3b0871fa2471ce27c0a4aa67af0b34

Robert Lyon (robertl-9) on 2018-04-05
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers