Show
General comments
Keep your JS console open while running this test.
You should test this using both boost and clean themes
Pre-requisites
An Outgoing email server. Alternatively, you can use Mailcatcher as described below:
Open your terminal
Install Mailcatcher: gem install mailcatcher
Run mailcatcher: mailcatcher
Open your browser and go to http://localhost:1080
Edit your moodle instance's config.php and add the following line:
$CFG->smtphosts = 'localhost:1025';
Data Protection Officer (DPO) role creation
Login as an admin
Go to " Site administration / Users / Define roles "
Create a Data Protection Officer role with the following settings:
Short name
dpo
Custom full name
Data Protection Officer
Role archetype
Guest
Context types where this role may be assigned
System
Capability
"moodle/site:configview" (Allow)
Capability
"tool/dataprivacy:managedatarequests" (Allow)
Capability
"tool/dataprivacy:managedataregistry" (Allow)
Capability
"moodle/category:viewhiddencategories" (Allow)
Capability
"moodle/course:viewhiddencourses" (Allow)
Capability
"moodle/course:view" (Allow)
Capability
"moodle/course:viewhiddenactivities" (Allow)
Capability
"tool/dataprivacy:makedatarequestsforchildren" (Allow)
Save changes.
Confirm that the role is successfully created.
Go to " Site administration / Users / Permissions / Assign system roles "
Assign at least one user to the DPO role.
Save the changes.
Site courses and users
Create a course C1 with some activities in it.
Set its course end date to last year (the date is not important)
Create another course C2
Set its course end date to last year (the date is not important)
Create another course C3 with some activities in it but don't set any course end date.
Create another course C4 with no activities
Set its course end date to a date in the future
Create a user newuser , go to the database and edit its mdl_user->lastaccess field, set it to 111
Test
Settings
Go to " Site administration "
Scroll down to the bottom of the " Site administration " tab
Confirm that you see a "Privacy settings" under "Privacy and policy" category
Click "Privacy settings"
Confirm that the " Contact Data Protection Office " setting is NOT ticked by default.
Tick the " Contact Data Protection Office " setting to enable it.
Check the " Data Protection Officer role mapping " setting.
Confirm that it only contains the Data Protection Officer role that you created earlier.
Select the " Data Protection Officer " role for the " Data Protection Officer role mapping ".
Save changes.
Contacting a Data Protection Officer (DPO)
Login as a user
Go to your profile page.
Confirm that there is a " Privacy " section on your profile page.
Confirm that you see the following links:
Contact Data Protection Officer
Data requests
Click on the " Contact Data Protection Officer " link.
Confirm that a dialogue comes up that contains:
The " Reply to " field containing your email address.
A message text area where you can enter your message for the DPO.
Without entering anything into the Message field, click " Send "
Confirm that you get an error message indicating that the field is required.
Enter some message and click " Send "
Confirm that the dialogue is closed.
Go to the Mailcatcher browser window.
Confirm that you see an email to the DPO about the message that you sent.
Login as the user that you assigned as the site DPO.
Check your notification.
Confirm that you get a "General inquiry" notification about the user's message through Moodle.
Click on the notification.
Confirm that you are redirected to the " Data requests " page.
Check the contents of the " Data requests " page.
Confirm that you see an entry referring to the message that the user sent you.
Click on the " Actions " menu of the message.
Click " View the request "
Confirm that you see a modal showing the user's name, email, the message date, the status and the message itself.
Data request: Export
Log in as a user
Go to your profile page.
Click on " Data requests "
Click on " New request "
Confirm that you are redirected to the " Contact Data Protection Officer " form.
Select " Export all of my personal data " for the Type field
Enter a message "Export request 1"
Click " Save changes "
Confirm that you are redirected back to the " Data requests " page.
Confirm that you get a notification that your request has been submitted to the site's DPO.
Confirm that you see your request on the data requests table and that it's status is currently " Pending "
Click again on the " New request " button and try to create another data export request.
Save the changes.
Confirm that you get an error that you already have an ongoing request.
Go back to the data requests page.
Click on the " Actions " menu of your data export request.
Click " Cancel request "
Confirm that you see a confirmation dialogue about the cancellation of your request.
Confirm the request cancellation.
Confirm that your request's status is now shown as "Cancelled"
Repeat the above steps to create another data export request but don't cancel it this time and with a comment "Export request 2"
Open a terminal.
Go to the root directory of your moodle instance.
Execute CRON
php admin/cli/cron.php
Confirm that the CRON script completes successfully and that you don't encounter any errors.
Go to the Mailcatcher browser window.
Confirm that you see two more emails to the DPO about the data requests that the user sent.
Log in as the DPO.
Check your notifications.
Confirm that you get only one notification about the user's export data request. (The DPO should no longer received an email about the cancelled one)
Click on one of the notifications.
Confirm that you are redirected to the " Data requests " page.*
Check the contents of the " Data requests " page.
Confirm that you see two entries referring to the data export requests that the user sent you.
Confirm that the cancelled request is shown with the status "Cancelled".
Confirm that the other request is shown with the status "Awaiting approval".
Click on the " Actions " menu of the cancelled request.
Confirm that you only see " View the request "
Click " View the request "
Confirm that you see a modal showing the user's name, email, the message date, the status and the message itself.
Confirm that there are no buttons in the footer of the modal and you can close the modal by clicking on the modal's close button on the top right part of the modal header.
Click on the " Actions " menu of the request that is awaiting approval.
Confirm that you see the options " View the request ", " Approve request ", and " Deny request ".
Click " View the request "
Confirm that you see a modal showing the user's name, email, the message date, the status and the message itself.
Confirm that you also see the " Approve " and " Deny " buttons in the dialogue.
Click " Approve ".
Confirm that you see a confirmation dialogue regarding the approval.
Confirm the approval.
Confirm that the request's status is now shown as " Approved "
Back to your terminal, run CRON again.
Confirm that the CRON runs successfully.
Go to the Mailcatcher browser window.
Confirm that you see an email to the requesting user that tells them that their data is now ready for download.
Log in as the user who made the data export request.
Confirm that you get a notification that tells you that your data is now ready for download.
Click on the notification to go to the data requests page.
On the Data requests page, check your data request.
Confirm that its status is now set to "Complete"
Open the actions menu of the request.
Confirm that you see a " Download " action link and a file is downloaded
Confirm that you can open the file and it contains files with contents (no need to check the contents, just that something is generated)
Repeat the data export request creation. This time though, as DPO, deny the request.
Confirm that the status of the request becomes " Rejected "
Data request: Deletion
Log in as a user
Go to your profile page.
Click on " Data requests "
Click on " New request "
Confirm that you are redirected to the " Contact Data Protection Officer " form.
Select " Delete all of my personal data " for the Type field
Enter a message (optional)
Click " Save changes "
Confirm that you are redirected back to the " Data requests " page.
Confirm that you get a notification that your request has been submitted to the site's DPO.
Confirm that you see your request on the data requests table and that it's status is currently " Pending "
Click again on the " New request " button and try to create another data deletion request.
Save the changes.
Confirm that you get an error that you already have an ongoing request.
Open a terminal.
Go to the root directory of your moodle instance.
Execute CRON
php admin/cli/cron.php
Confirm that the CRON script completes successfully and that you don't encounter any errors.
Go to the Mailcatcher browser window.
Confirm that you an email to the DPO about the data deletion request that the user sent.
Log in as the DPO.
Check your notifications.
Confirm that you get a notification about the user's data deletion request.
Click on one of the notifications.
Confirm that you are redirected to the " Data requests " page.*
Check the contents of the " Data requests " page.
Confirm that you see the entry referring to the data deletion request that the user sent you.
Confirm that the data deletion request is shown with the status "Awaiting approval".
Click on the " Actions " menu of the request that is awaiting approval.
Confirm that you see the options " View the request ", " Approve request ", and " Deny request ".
Click " View the request "
Confirm that you see a modal showing the user's name, email, the message date, the status and the message itself.
Confirm that you also see the " Approve " and " Deny " buttons in the dialogue.
Click " Approve ".
Confirm that you see a confirmation dialogue regarding the approval.
Confirm the approval.
Confirm that the request's status is now shown as " Approved "
Back to your terminal, run CRON again.
Confirm that the CRON runs successfully.
Go to the Mailcatcher browser window.
Confirm that you see an email to the requesting user that tells them that their data has now been deleted and they would no longer be able to log into the site.
Try to log in again as the user that requested the deletion request. You SHOULD NOT be able to do it as its account was deleted
Creating data requests for other users.
As a DPO, confirm that when you click on " New request " you will be able to create data requests on behalf of other users.
Log in as an admin.
Create a Parent role , but also give it the " tool/dataprivacy:makedatarequestsforchildren " capability.
Assign a user p1 as a parent of a student s1.
Login as p1 and go to the Data requests page.
Click " New request "
Confirm that you can create a data request for s1.
Data registry.
Log in as the user with dpo role
Go to "Site admin > Privacy and policies > Data registry"
You should see a nice tree with, with "Site" as the active node and, on right hand, a form (with "Site" heading)
This tree represents a hierarchy of your site elements
Feel free to:
Navigate through it
To create purposes and categories (try to save without filling the required fields, to cancel the form...)
To save context instances purposes and categories, to edit them... checking that the values are properly saved
Define a category "Cat1" and a purpose "Pur1" with retention period set to 1 day
Define another purpose "Pur2" and set its retention period to 3 years
Define another purpose "Pur3" and set its retention period to 5 years
Assign "Cat1" and "Pur1" to "Site" data registry node
Go to "Set defaults" and set "Pur2" to context course and "Pur3" to context module
Log in as admin
Go to "Site admin > Courses > Manage courses and categories"
Create a new course within a new category (hanging from root) and an activity new module
Log in back as dpo
Return to the context tree in "Site admin > Privacy and policies > Data registry"
Check that:
new category purpose is "Not set" with a retention period of 1 day (from the site default purpose)
Once you press "Courses" below new category node the category courses are loaded
new course purpose is "Not set" with a retention period of 3 years (from the course context level default purpose)
Once you press "Activities and resources" below new course node the course activities are loaded
new module purpose is "Not set" with a retention period of 5 years (from the module context level default purpose)
Change new module purpose to "Pur2" and press "Save changes". Confirm that the value has been saved by moving to another tree node and returning back to the new module. "Pur2" should be selected and "3 years" should appear as its "Retention period"
Change C2 course purpose to "Pur2"
Set C1 purpose to "Pur1" and all C1 activities and blocks to "Pur1" as well (note that you may not have blocks)
Now go to "Edit > Categories"
Check that you don't have the "Delete" option for categories that are assigned to contexts or to defaults
Create a new category and delete it afterwards
Press "Back" button and now go to "Edit > Purposes"
Check that you don't have the "Delete" option for purposes that are assigned to contexts or to defaults
Create a new purpose and delete it afterwards
Expired contexts listing
Go to " Site administration / Server / Scheduled tasks ".
Run the "Expired retention period" scheduled task.
Go to " Site administration / Privacy and policies / Data deletion "
Confirm that the filter is initially set to " Course "
Confirm that you see C1 in the list under the Course filter criterion.
Confirm that you CAN NOT see C2 (retention period 3 years) nor new course in the list under the Course filter criterion.
Hover over the info icon under the Name column.
Confirm that you see the full context path.
Hover over the info icon under the Info column.
Confirm that you see the child contexts of the context.
Change the filter to " Activities and resources "
Confirm that you can see the activities in C1
Click on the Select all checkbox.
Confirm that it selects/deselects the items on the list.
Select one or more course module contexts.
Click " Delete selected "
Confirm that you see a confirmation dialogue.
Confirm the deletion of the contexts.
Confirm that the contexts that you approved for deletion are now removed from the list.
Change the filter to "Blocks" and mark for deletion any C1 blocks (note that you may have none)
Change the filter to "Course".
Approve C1 for deletion.
Confirm that C1 is removed from the list.
Change the filter back to "Activities and resources"
Confirm that the contexts under C1 are now also gone from the list.
Change the filter to "User"
Approve newuser for deletion (select + "Delete selected" + confirm it).
Delete expired contexts
Go to " Site administration / Server / Scheduled tasks ".
Run the "Delete expired contexts" scheduled task.
Also run the "Expired retention period" scheduled task.
Go to " Site administration / Privacy and policies / Data deletion "
Check that non of the previously deleted contexts are listed
Try to log in as newuser you SHOULD NOT be able to do it.
Try to search for in in "Site admin > Users > Browse list of users", newuser SHOULD NOT appear
Plugin privacy registry
Go to " Site administration / Privacy and policies / Plugin privacy registry "
View the list. Clicking on the links should expand into more sections. Ultimately there should be a description about the user data stored for each plugin.
Currently there are sections that are not covered, they should show a small red icon which when you hover over it says "Requires attention".
Verify that the information in the report is consistent with the information pulled from the metadata providers. e.g.
Activity modules > Choice: You should see info about choice_answers content
Antivirus plugin > ClamAV: The ClazmAV Antivirus plugin does not store any personal data.