  1. Moodle
  2. MDL-62309

Make site policies required or optional, distinguish on "User acceptances" page whether consent was not yet given or refused


    • MOODLE_34_STABLE, MOODLE_35_STABLE
    • MOODLE_36_STABLE
    • MDL-62309-master-optionalpolicies

      Common scenarios are covered by Behat tests. Human testing should be exploratory. Following are main features that should guide the human tester:

      1. Feature: Policies can be set optional via the Manage policies interface by editing the policy version.
      2. Feature: Users are not forced to accept the optional policy, they can decline it.
      3. Feature: Still, users are forced to either accept or decline the policy. They can't use the site with the optional policy left in the pending status.
      4. Feature: Policy acceptance can have three states for optional policies: Pending, Accepted, Declined. Pending policy can be either accepted or declined. Accepted can be withdrawn (revoked). Declined can be accepted.
      5. Feature: Users can change their mind. Declined policies can be accepted and accepted policies can be withdrawn from the user's profile page.
      6. Feature: Administrators can accept and decline optional policies on behalf of the users.
      7. Feature: On signup, only compulsory policies are shown and must be agreed before submitting the signup form. Optional policies are presented on the first login.
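
The acceptance states and access rules from features 2 to 7, modelled as a small state machine. This is an added example, not code from Moodle's policy tool; the names (`Policy`, `apply_action`, `can_use_site`, `signup_policies`), the audit tuple layout, and recording a withdrawal as Declined are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    PENDING = "pending"
    ACCEPTED = "accepted"
    DECLINED = "declined"


@dataclass(frozen=True)
class Policy:
    name: str
    optional: bool


# (current status, action) -> new status, following feature 4.
# Assumption: a withdrawal (revocation) is recorded as DECLINED.
TRANSITIONS = {
    (Status.PENDING, "accept"): Status.ACCEPTED,
    (Status.PENDING, "decline"): Status.DECLINED,
    (Status.ACCEPTED, "withdraw"): Status.DECLINED,
    (Status.DECLINED, "accept"): Status.ACCEPTED,
}


def apply_action(policy, current, action, user, actor, audit):
    """Return the new status, or raise ValueError for a disallowed change."""
    if not policy.optional and action != "accept":
        raise ValueError(f"{policy.name}: compulsory policy can only be accepted")
    if (current, action) not in TRANSITIONS:
        raise ValueError(f"{policy.name}: cannot {action} from {current.value}")
    new = TRANSITIONS[(current, action)]
    # Feature 6: keep who acted, so on-behalf-of changes stay attributable.
    audit.append((user, policy.name, new.value, actor))
    return new


def can_use_site(statuses):
    """statuses maps Policy -> Status; features 2 and 3 as an access gate."""
    for policy, status in statuses.items():
        if status is Status.PENDING:
            return False  # every policy needs an explicit decision
        if not policy.optional and status is not Status.ACCEPTED:
            return False  # compulsory policies must be accepted
    return True


def signup_policies(policies):
    """Feature 7: only compulsory policies appear on the signup form."""
    return [p for p in policies if not p.optional]
```
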
    • GDPR Followup Sprint 1

      In the policy tool it is not possible to withdraw a consent. It is also not possible to enter the site without consent. So to give consent in the current case is always compulsory. This goes against the spirit of GDPR.

      In some cases, consent is compulsory to offer a certain service (e.g. education), but in other cases not, e.g. share e-mail address with other users, share pictures on Facebook, share address with classmates or all Moodle and non-Moodle related consents that fit under GDPR in an organisation. Organisations need a way to organise all their user consents and the policy tool is a great start for that.

      From https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L:2016:119:FULL&from=EN

      (32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

      See also https://moodle.org/mod/forum/discuss.php?d=369844

        1. mediaconsent.png (274 kB)
        2. MDL-62309.PNG (179 kB)
        3. image-2018-05-23-19-29-43-710.png (228 kB)

            David Mudrák (@mudrd8mz)
            Koen Roggemans (koen)
            Michael Hawkins
            David Monllaó
            Anna Carissa Sadia
            Votes: 15
            Watchers: 26


                Estimated: 0m
                Remaining: 0m
                Logged: 3h
