← Back to team overview

mahara-contributors team mailing list archive

  1. mahara-contributors team
  2. Mailing list archive
  3. Message #58638

[Bug 1878690] Re: Fully erase a person's contributions from Mahara

  Thread PreviousDate PreviousThread Next 
GDPR regulates personal information. It is possible to keep certain
personal information if it is important for an institution to fulfil its
obligations towards a person. Thus, deleting everything that a person
has done in a group, on the institution or site level is virtually
impossible as it impacts other people and is not necessarily personal
information.

When an account is deleted, all associated artefacts are deleted as
well, including journal entries and plans.

It is data that is still available in groups, on the institution and
site levels that would need to be dealt with.

Setting up an institution, site or group page may not have been for
personal reasons but only as a template. Therefore, there is no personal
information to delete, and it is not necessary to remove that content.
As Lilian says, a group is also the owner of group content. While the
person uploading a file is the author, that file may not have been
created by them, e.g. if it is a  Creative Commons licensed photo by
someone else.

This request is very difficult to fulfil in an automatic way with rules
on the platform as every single piece of artefact would need to be
reviewed and looked at whether it contains personal information or not
as otherwise accidentally valuable content and content not created by
the person who wants to delete their account can go missing that impacts
other people's right to their content.

While someone may start a forum topic or create a page, they may not be
the ones to actually participate in the discussion or add to the content
of the page. Furthermore, on a group page, a text box could have been
started by someone but another person re-wrote it and a third person
contributed to it as well. Who is then to say that this text can be
deleted only because the original author was the person who wants to
delete their data? But if we were able to look at it, we would realise
that there may have only been three words left that they had authored?

I don't think it is possible to create a one-size-fits-all approach as
we have with the deletion of all personal data in an account because it
is far more intricate a scenario.

The problem of data erasure is also very prominent in forum posts when
names are used, which is a courtesy to people. We already use
pseudonymisation for the posting itself, but when a person shares their
name or other details, that can't be deleted or pseudonymised
automatically.

Under GDPR it is not necessary that everything is solved by a software,
esp. when it can't be done with reasonable measures.

Furthermore, while a person has the right to be forgotten, there are
exceptions, and one of them is the archiving for public interest etc.
(Art 17, 3d https://gdpr-info.eu/art-17-gdpr/ ). See
https://law.stackexchange.com/questions/32361/does-a-user-have-the-
right-to-request-their-forum-posts-deleted

In Mahara, we have the option that an institution can delay the deleting
of an account because if an archive is needed for institution purposes
like keeping of assessment data, then the institution needs to have the
chance to do that before the data is deleted.

Similarly, I think a technical situation for removing group, institution
or site content will need to be handled differently between a public
site where anybody can join and use the site and a site set up for
organisational purposes.

In general, I see the following possibilities:

1. List all contributions a person has made on the site (which would be
good anyway, eps. for forum posts) and distinguish between different
types of artefacts, where (group, institution, site) and links to them.

2. Give the person the option to select which artefacts to delete and
which ones to leave on the site, indicating the implications for others
when they select the deletion, e.g. when used in a template, in a group
discussion etc.

3. If an institution requested that the deletion needs approval, show
that selection the person has made to the institution admin along with
the full list of contributions and allow them to add or remove items
from the list to discuss with the account holder.

4. Do a manual search in the database for forum posts the person has
authored and remove their name in the text replacing it with 'Deleted
account holder' to indicate that a change had taken place rather than
simply removing the name thus altering the post more than necessary.

5. If forum posts are asked to be deleted entirely, leave a 'Post
deleted by request of the original poster...'.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1878690

Title:
  Fully erase a person's contributions from Mahara

Status in Mahara:
  Opinion

Bug description:
  See https://mahara.org/interaction/forum/topic.php?id=8628 for the
  original request.

  When you delete a user account, all personal data is wiped from the
  system. The user’s contributions in groups, e.g. forum messages,
  uploaded files and pages created in a group, are still available, but
  are made anonymous by changing the name to « Deleted user » as author
  where an author is shown.

  In accordance with GDPR compliance, it would be good to offer the
  possibility to not only anonymize contribution but delete them when
  the user is deleted.

  Currently this option is not available.

  To implement this we would need to make the following changes:

  1) Turn forum posts done by the user into 'Post deleted' value to
  allow post threads to continue to exist

  2) Delete forum topics the user started

  3) Delete any files uploaded into groups by the user

  4) Delete any pages in groups created by the user

  5) Delete / update blocks on other group pages where content / files
  added user exist

  6) Delete any group journal entries done by the user

  7) Delete any group plans / tasks that were created by the user

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1878690/+subscriptions

References

  Thread PreviousDate PreviousThread Next