Managing data requests and data deletion
Both subject access and data deletion requests can be managed in Moodle, and in the final section of this chapter, we’ll learn how. By default, the expectation is that a Moodle user will contact the privacy officer outside of Moodle. However, if you are accepting subject access requests outside of Moodle, then ensure that the person making the request has the authority to do so. Also, it is good practice to include guidance on how long it will take to respond to data requests (within 30 days, for example) so that users’ expectations are properly managed.
Providing data to a third party (however innocent the mistake) is a clear breach of data protection regulations. For example, the UK Information Commissioner’s Office (ICO) has a helpful resource to guide a user in making a subject access request – see https://ico.org.uk/for-the-public/make-a-subject-access-request/. The importance of the ICO guidance is that it...