Revoke privacy consent

Bug #1734171 reported by Kristina Hoeppner
Affects: Mahara
Status: Fix Released
Importance: Wishlist
Assigned to: Maria Sorica

Bug Description

We need to make a series of changes in Mahara to comply with the GDPR. More info is available on the wiki at https://wiki.mahara.org/wiki/Developer_Area/Specifications_in_Development/GDPR_compliance

It should be possible for a user to revoke their consent to the T&C. If that is done, their account would be suspended as it's currently either full consent or no consent.

I can imagine this could look like the following:

1. New menu item "Privacy" in the "User menu" -> "Settings" -> "Privacy".
2. On that page they see the privacy statement (and date of when last updated) that they agreed to (site and institution privacy statements) as well as show the consent switches that they have set. They are able to set those to "No".
3. When they want to save their changes and there is a "No" selection, they see a modal letting them know that their account will be suspended if they continue. They have two choices:

   1. Double-check that they didn't make changes accidentally.
   2. Go through with the change. Then their account will be suspended automatically and the institution administrators (or site admin for "No institution" or if there is no institution admin) receive a notification about this so that they can follow up with the user if needed.

Peter Spicer (peter.spicer) wrote :

There is one caveat: when consent is withdrawn, it will usually cover all of the rights to processing, which includes holding the data at all. Fortunately for most installations this shouldn't be a problem because in most cases there's more than just consent for the data being the right to process (provision of a service covers a fair amount too).

The user should be told that their account will be suspended, and reviewed by an administrator - because in some cases, the administrator will need to look at it as if it's a request for deletion as there may not be a lawful basis to hold the data any more. This will be subject to any data retention policies an institution might have, and that's a matter for them.

That said, this is based on the current published advice; the Article 29 Working Party is due to publish some guidance next month on consent and in particular on withdrawal of it. We may need to look again once that is published.

Kristina Hoeppner (kris-hoeppner) wrote :

Good point, Peter. I had the "Admin needs to review and approve the account deletion" on bug #1734178. The same behavior would be expected here.

Kristina Hoeppner (kris-hoeppner) wrote :

Instead of suspending the account like we suspend them right now, we've been talking in Wellington that we could put them into a pending state and allow them to go through the login and present the T&C / Privacy statements again to consent to and accept. If they do, the pending state is lifted and they can log in and if they don't agree, they still can't log in. In either case, the institution admin gets a notification so they know whether to still contact the user or not.

States:
- Haven't seen the T&C
- Have seen and accepted
- Have seen and rejected
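
The consent flow discussed in this thread (three states, a pending flag after withdrawal, re-prompting at login, and admin notification with fallback to the site admin), sketched as an added example that is not part of the original thread and is not Mahara's code. All names are hypothetical. Clearing the stored consent date on withdrawal and notifying admins only for accounts that were pending are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Consent(Enum):
    NOT_SEEN = "haven't seen"
    ACCEPTED = "seen and accepted"
    REJECTED = "seen and rejected"


@dataclass
class User:
    name: str
    institution: Optional[str] = None        # None models "No institution"
    consent: Consent = Consent.NOT_SEEN
    consented_at: Optional[datetime] = None  # date shown on the privacy page
    pending: bool = False                    # set when consent is withdrawn


def admins_to_notify(user, institution_admins, site_admins):
    """Institution admins, falling back to site admins when there are none."""
    return institution_admins.get(user.institution) or site_admins


def withdraw(user, institution_admins, site_admins):
    """User saved a "No" on the privacy page and confirmed the modal."""
    # Assumption: withdrawal clears the stored consent date.
    user.consent, user.consented_at, user.pending = Consent.REJECTED, None, True
    return admins_to_notify(user, institution_admins, site_admins)


def login(user, accepts, institution_admins, site_admins, now=None):
    """Return (logged_in, admins_notified); non-accepted users must answer first."""
    if user.consent is Consent.ACCEPTED and not user.pending:
        return True, []
    was_pending = user.pending
    if accepts:
        user.consent = Consent.ACCEPTED
        user.consented_at = now or datetime.now(timezone.utc)
        user.pending = False
    else:
        user.consent = Consent.REJECTED
    # Assumption: admins hear the outcome only for accounts pending after a withdrawal.
    notified = admins_to_notify(user, institution_admins, site_admins) if was_pending else []
    return user.consent is Consent.ACCEPTED, notified
```
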

description: updated
Changed in mahara:
assignee: nobody → Maria Sorica (maria-sorica)
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/8468

Changed in mahara:
status: Confirmed → In Progress
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → In Progress
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8468
Committed: https://git.mahara.org/mahara/mahara/commit/790b2c273f63f2ce718733db3f214bb9625d2bdc
Submitter: Cecilia Vela Gurovic (<email address hidden>)
Branch: master

commit 790b2c273f63f2ce718733db3f214bb9625d2bdc
Author: Maria Sorica <email address hidden>
Date: Wed Jan 24 17:26:43 2018 +0000

Bug 1734171: Revoke privacy consent

1. Add the Yes/No switch to the user's privacy page that will
allow the user to withdraw their consent if they change their mind.
2. Display the date when a user consented to a privacy statement.

behatnotneeded

Change-Id: If9f85125287a7384e27c1b45aefa98ad37e97776

Robert Lyon (robertl-9)
Changed in mahara:
status: In Progress → Fix Committed
tags: added: nominatedfeature
Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released