With the General Data Protection Regulation (GDPR) coming into force on 25th of May 2018 for all EU countries, it’s vital that organisations can fulfil their requirements and protect and support their EU learners. Totara Learn 11 includes a range of data protection features and user data management tools to ensure your organisation’s learning management system supports GDPR compliance.
The new Site Policy feature will allow organisations to create a site-wide use policy that users must review and agree or decline - with all responses recorded. Versioning allows organisations to update policies as required, and users are able to visit a dedicated Site Policy page and amend their agreement if necessary.
DATA RETENTION AND DELETION
Totara Learn will provide administrators with the ability to create and manage multiple ‘Purge Types’. Each Purge Type will have an individual configuration, specifying the retention, deletion or anonymisation requirements of various user data types throughout the system. Users may have a Purge Type applied to their account so their data will be processed in accordance with an organisation’s data retention requirements.
While the data export feature will provide all user data in a consistent format that allows for porting of data, existing functionality within Totara Learn allows key learning data to be exported in a more ‘human readable’ format, via the Report Builder and Record of Learning areas.
DATA ACCESS AND EXPORT
Administrators will have the ability to export all data that is linked to a given user, with the option to review the data prior to transmitting to the individual.
This export file will allow the individual to review what type of personal data is processed within their Totara Learn site and reconcile this information with their version of the Site Policy. For example, from the exported file, a user will be able to see that the platform is processing items such as quiz answers, 360° feedback responses, course enrolments, progress and completions, site logins etc.
Totara Learn GDPR Approach Statement
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive, strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
2) Compliance enabled through the Totara platform
A software platform on its own doesn't ensure GDPR compliance. Compliance is a result of:
clearly articulated policies and information given to users informing them of their rights and how you use their data, and
enabling technology to deal with requests from individuals that arise from their increased rights under GDPR.
While we recognise that the Totara platform is only part of your overall drive for your organisation to be GDPR compliant, we will ensure that Totara Learn is capable of fully supporting GDPR requirements. We have identified some improvements we can make and these are detailed below.
3) Improvements to Totara Learn
While Totara Learn supports many of the existing rights under current legislation, we have identified further improvements to the platform that will support subscribing organisations and partners to be GDPR compliant.
Ability to track the version of a site policy and any opt-ins that a user has agreed to, and the ability for a user to visit the site policy pages they have signed up to and amend their agreement to the policy or opt-ins.
Development of the ability for Administrators to export all data that is linked to a given user, to allow the Administrator to review the data prior to transmitting the data to the user. Note: the data will be in the format in which it is stored in the application's database (e.g., numerical values that represent status).
This data will complement the user's ability to see what type of processing is happening in the system and should align with the data policies they have signed up to in the site policy. For example, they will be able to tell from the output that the platform is processing items like: quiz answers; appraisal completions; 360 feedback responses; course enrolments, progress and completion; site logins etc.
While the data export improvement above will provide all data in a consistent output that may be useful for porting data, our view is that there are key data items that somebody is likely to want to "port" to another platform and this needs to be in a more human readable format. In Totara Learn this is available through existing capabilities in our application (e.g. Report Builder, Record of Learning).
This can provide information that would be useful for an individual wanting, for example, to take their completion data (courses, competencies, certifications) with them to a new employer.
In order to comply with data retention policies and the right to erasure we are enhancing your ability to manage "Purge Types". For each "Purge Type" configuration, you will be able to configure what happens to corresponding data throughout the system for users who have that "Purge Type" applied to them.
As an example, you could configure these three types:
A type that:
keeps a user's certification completions - perhaps because they represent compliance course completions, and
deletes the forum posts that they made when collaborating with other learners in courses.
A type that:
anonymises the user profile information - so you cannot identify the user anywhere in the system where user details would normally be displayed or tracked, and
deletes the performance management data - appraisals, 360 feedback, goals, and
keeps the course completion information - so you could still track content usage statistics for electronic content and physical training event fill-rates (seminars).
A type that deletes all the data related to a user.
To adhere to your data retention policy period and the requirement to only keep the data you need for as long as you need it, you may choose to apply the first type when a person leaves the organisation, the second type after 5 years and the third after 7 years.
You will be able to configure these "purge types" and therefore what they mean for data in different areas across the platform.