Moodle: MDL-64322

GDPR: Mechanism for restricting delete requests


    Details

    • Testing Instructions:

      Precondition

      1. Create a new role "Privacy officer" and set this role as a DPO for tool dataprivacy.
        1. Go to Site administration > Users > Permissions > Define roles and click the "Add a new role" button.
        2. Set Context types where this role may be assigned: System.
        3. Set Allow for moodle/site:configview and tool/dataprivacy:managedatarequests.
        4. Map the privacy officer role:
          1. Go to Site administration > Users > Privacy and policies > Privacy settings: Privacy officer role mapping.
          2. Also enable "Contact the privacy officer".
      2. Create the following users:

         User name        Role
         student          Authenticated user
         privacyofficer   Privacy officer

       
      TC1: Check that the Privacy officer cannot request deletion of another user's data without the "tool/dataprivacy:requestdeleteforotheruser" capability.

      1. Log in as an admin and edit the "Privacy officer" role to the permission in the table below.
        1. Go to Site administration > Users > Permissions > Define roles and click on the edit icon for the privacy officer.

           Capability                                   Permission
           tool/dataprivacy:requestdeleteforotheruser   Prevent

      2. Log in as "Privacy officer" and navigate to the "Create a new data request" page of the data privacy tool.
        1. Navigate to Site administration > Users > Privacy and policies > Data requests and click the "New request" button.
      3. Check that the "Type" field is fixed at "Export all of my personal data" and cannot be changed.
      4. Create a new export request, approve the request, run the cron, reload the data requests page and check that the status of the request is "Download ready".


      TC2: Check that the Privacy officer can request deletion of another user's data with the "tool/dataprivacy:requestdeleteforotheruser" capability.

      1. Log in as an admin and edit the "Privacy officer" role to the permission in the table below.
        1. Go to Site administration > Users > Permissions > Define roles and click on the edit icon for the privacy officer.

           Capability                                   Permission
           tool/dataprivacy:requestdeleteforotheruser   Allow

      2. Log in as "Privacy officer" and navigate to the "Create a new data request" page of the data privacy tool.
        1. Navigate to Site administration > Users > Privacy and policies > Data requests and click the "New request" button.
      3. Check that the value of the "Type" field can be changed.
      4. Create a new deletion request, approve the request, run the cron, reload the data requests page and check that the status of the request is "Deleted".

      TC3: Check that a student cannot request deletion of their own data without the "tool/dataprivacy:requestdelete" capability.

      1. Log in as an admin and edit the "Authenticated user" role to the permission in the table below.
        1. Go to Site administration > Users > Permissions > Define roles and click on the edit icon for the Authenticated user.

           Capability                       Permission
           tool/dataprivacy:requestdelete   Prevent

      2. Log in as "student" and navigate to the user profile (user menu in the top left > Profile).
      3. Check that there is no link under "Privacy and policies" to delete my account.
      4. Click the "Data requests" link, then click "New request".
      5. Check that the "Type" field is fixed at "Export all of my personal data" and cannot be changed.

      TC4: Check that a student can request deletion of their own data with the "tool/dataprivacy:requestdelete" capability.

      1. Log in as an admin and edit the "Authenticated user" role to the permission in the table below.
        1. Go to Site administration > Users > Permissions > Define roles and click on the edit icon for the Authenticated user.

           Capability                       Permission
           tool/dataprivacy:requestdelete   Allow

      2. Log in as "student" and navigate to the user profile (user menu in the top left > Profile).
      3. Check that there is a link under "Privacy and policies" to delete my account.
      4. Click the "Data requests" link, then click "New request".
      5. Check that the value of the "Type" field can be changed.
      6. Check that a "Delete all of my personal data" request can be created.

      TC5: Check that a parent can create a deletion request for their children when they have the "tool/dataprivacy:makedatarequestsforchildren" capability.

      1. Create a parent role as per the instructions here. Add the capability in the first table and create the three users in the second table.

         Capability                                     Permission
         tool/dataprivacy:makedatarequestsforchildren   Allow

         User     Note
         parent   User with the parent role, having child1 as a child
         child1   Child of the parent user
         child2   Normal user

      2. Add the parent-child relationship:
        1. Go to the preferences of the potential child (Site administration > Users > Accounts > Browse list of users, click the user's name, then in the "Administration" section click Preferences).
        2. In the "Roles" section follow "Assign roles relative to this user", click Parent and assign the parent.
      3. Log in as the parent and go to the profile page (user menu in the top left > Profile).
      4. Under the "Privacy and policies" section follow "Data requests" and click "New request".
      5. Change the user from the parent to the child.
      6. Set the type to "Delete all of my personal data" and submit.
      7. Check that there is a message under the type select box reading "You don't have permission to create deletion requests for this user."
      8. Give the parent role the capability tool/dataprivacy:makedatadeletionrequestforchildren.
      9. Log back in as the parent, go back to the profile and make another data request. Try a deletion request on behalf of the child.
      10. Check that the request is now submitted.

       

    • Affected Branches:
      MOODLE_37_STABLE
    • Fixed Branches:
      MOODLE_37_STABLE

      Description

      In our institution we do not want our 'DPO' staff to be able to make delete requests.

      Delete requests are dangerous as obviously they delete the user's data meaning that our system stops working for the user. Although there are plenty of steps in the process, we and they are still worried that it might happen by accident, so we have been requested to remove the option.

      (Some background: our process is that we will never apply student deletion requests on our main system - we can use various other aspects of GDPR law to justify keeping the data for all students for the retention period.)

      Currently if you give somebody the tool/dataprivacy:managedatarequests capability, they by default become a DPO, or you can configure the role list in admin settings... this capability is weird... Anyway my point is there is an existing tool/dataprivacy:managedatarequests capability, it is complicated and I don't want to change it.

      Proposal

      Add a new capability

      tool/dataprivacy:requestdeleteforotheruser

      1. When visiting the form for making a new request for another user, admin/tool/dataprivacy/createdatarequest.php?manage=1, if you do not have this new capability then the 'Type' dropdown would be fixed to the single value 'Export all of my personal data'. (The form field will be frozen so it doesn't appear as a dropdown any more.) You will not be able to select the other option 'Delete all of my personal data'.

      2. If making a request for yourself (the same form but without the manage=1) then there is no change and both options will be available regardless of capabilities. (Note: We could consider also adding a second new capability tool/dataprivacy:requestdelete, that works a similar way but for individuals - we haven't got that requirement here but I'm happy to get it implemented as part of this if people think it would be beneficial/more consistent.)

      3. The new capability would initially be made to default to the value of tool/dataprivacy:managedatarequests (so maintaining existing behaviour).

      4. The development should include a simple Behat scenario to check the new feature (i.e. set up a role that does/doesn't have this capability, go to the form and confirm the option is/isn't there).
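      As an added illustration (not the patch from this issue), the following Moodle form sketch applies the proposed rule in the two places that matter: the "Type" field is frozen to export when the capability is missing, and validation() rejects a submitted deletion type no matter what the browser sent. The class name and the 'manage' custom-data key are hypothetical; the two capability names are those proposed in this issue, and api::DATAREQUEST_TYPE_EXPORT / api::DATAREQUEST_TYPE_DELETE are assumed to be the tool's existing request-type constants.

```php
<?php
// Added illustration for MDL-64322, not the issue's own patch: enforce the proposed
// capability in the form display and again in server-side validation.
// Class name and 'manage' custom-data key are hypothetical; the field labels are the
// wording quoted in the issue (production code would use get_string()).
defined('MOODLE_INTERNAL') || die();
require_once($CFG->libdir . '/formslib.php');

use tool_dataprivacy\api;

class createdatarequest_form_example extends moodleform {

    public function definition() {
        $mform = $this->_form;
        // Assumed: api::DATAREQUEST_TYPE_EXPORT / DELETE are the tool's request-type constants.
        $types = [api::DATAREQUEST_TYPE_EXPORT => 'Export all of my personal data'];
        if ($this->can_request_delete()) {
            $types[api::DATAREQUEST_TYPE_DELETE] = 'Delete all of my personal data';
        }
        $mform->addElement('select', 'type', 'Type', $types);

        if (!$this->can_request_delete()) {
            // Proposal step 1: the field no longer renders as a dropdown, and its value
            // is pinned so submitted form data cannot carry a different type.
            $mform->setConstant('type', api::DATAREQUEST_TYPE_EXPORT);
            $mform->hardFreeze('type');
        }
    }

    public function validation($data, $files) {
        $errors = parent::validation($data, $files);
        // Defence in depth: the frozen field is a display decision only, so a deletion
        // type is also rejected here even if a crafted POST carried it.
        if ((int) $data['type'] === api::DATAREQUEST_TYPE_DELETE && !$this->can_request_delete()) {
            $errors['type'] = "You don't have permission to create deletion requests for this user.";
        }
        return $errors;
    }

    // manage=1 means the request is for another user (proposal step 1); otherwise it is the
    // user's own request, gated by the optional second capability from proposal step 2.
    private function can_request_delete(): bool {
        $forotheruser = !empty($this->_customdata['manage']);
        $capability = $forotheruser
            ? 'tool/dataprivacy:requestdeleteforotheruser'
            : 'tool/dataprivacy:requestdelete';
        return has_capability($capability, context_system::instance());
    }
}
```

      Proposal step 3 (defaulting the new capability to the value of tool/dataprivacy:managedatarequests) lives in the plugin's db/access.php, not in the form, so it is not shown here.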

      Dates

      Fix Release Date: 20/May/19

      Time Tracking

      Logged: 1d 2h 30m