Weeknote 13/2018

This week I’ve been:

Next week it’s the Easter holidays, so I’ll be at home and not be working on Monday. From Tuesday to Thursday I’ll be working on Moodle-related stuff, and co-op things on Friday.


Photo of the University of Strathclyde’s Technology & Innovation Centre taken by me on Monday.

Weeknote 12/2018

This week I’ve been:

Next week I’m in Glasgow from Sunday afternoon until Wednesday evening for the UK & Ireland MoodleMoot. I’m working from home on Thursday, and then taking the long Easter weekend off!


Photo of the Berlin Cathedral Church taken by me on Thursday using my OnePlus 5. Postprocessing in Snapseed.

Weeknote 11/2018

This week I’ve been:

  • Sending out Issue #295 of my Thought Shrapnel newsletter. This one was called ‘A wee problem…’ and featured curated links from the Thought Shrapnel blog (where you can also sign up if you don’t yet subscribe!)
  • Recording, editing and releasing Episode 98 of the Today In Digital Education (TIDE) podcast with my co-host Dai Barnes. We entitled this episode ‘Zoom zoom zoom’ and discussed audio recording, coding, philosophy books, the work of Nassim Nicholas Taleb, thinking about dying, big tech, and some tech tricks!
  • Working on Project MoodleNet:
  • Recording a podcast episode with Jeff Utecht about Open Badges.
  • Working with Bryan Mathers on behalf of the co-op on some follow-up work for the Inter-American Development Bank. I’m delighted that we’ll be sharing those outputs on Badge Wiki.
  • Planning for next week’s presentation in Berlin.
  • Attending a fantastic basketball match on Friday night where Newcastle Eagles came from behind to destroy their opponents, Bristol Flyers. My family loved it!
  • Unexpectedly free on Saturday, after Scout Camp was postponed due to the snow. I was supposed to be leading a group for a mini version of Operation Twilight.

Next week I’m working at home for Moodle Monday through Wednesday. I’m then flying to Berlin to speak on digital literacies at an event organised by the Goethe Institut. I’ll be back on Friday to finish off my Moodle work.

Weeknote 10/2018

This week I’ve been:

Next week I’m at home all week, working on all things Moodle from Monday to Thursday, and then co-op stuff on Friday.


Image by Udo Rabe used under a Creative Commons BY-SA licence.

Moodling around with a Jetpack metaphor

I’m busy ideating, and talking to people around, Project MoodleNet. When you’re explaining something that doesn’t yet exist, you’ve got to use touchstones and metaphors, starting from where people are to help them understand where you want to go.

Project MoodleNet landscape

In these discussions I’ve been using three things to help me:

  1. A great ‘landscape’ image from Bryan Mathers (see above)
  2. The 3D printing social network Thingiverse (which I wrote about here)
  3. The Jetpack plugin for WordPress

It’s worth, I think, unpacking the third of these — if only so I’ve got a public URL to point people towards when I reference it elsewhere! It’s an imperfect metaphor, as it involves more technical understanding than we’ll require for Project MoodleNet.

Anyway, here goes…

WordPress and Moodle are similar

  • Free (as in freedom)
  • Open Source
  • Host your own version
  • Have it hosted for you
  • Partnership network

How Jetpack works

Jetpack is a meta-plugin, a ‘plugin of plugins’ that adds lots of functionality to self-hosted instances of WordPress. In fact, it’s pretty much a no-brainer to activate Jetpack if you’re self-hosting. It connects your instance to your wordpress.com account, giving you:

  • Faster page loading (via CDN)
  • Additional security
  • Detailed site stats
  • Faster logins
  • Payment integration

Install Jetpack

Where’s the value for the organisation behind WordPress?

So lots of value for users, but (you may think), what’s in it for Automattic, the organisation behind WordPress? Well…

  • Secure, fast WordPress sites maintain brand value
  • Better metrics around installation numbers
  • Ability to upsell to customers direct from dashboard

Jetpack dashboard

Why is this a good metaphor for what we’re doing?

Project MoodleNet will be a standalone social network for educators focused on professional development and open content. It can be supercharged, however, by using a similar model to what WordPress have done with Jetpack.

Imagine users logging into an institutionally-hosted Moodle instance using their Project MoodleNet credentials because the two are connected in a similar way to how Jetpack works for the WordPress ecosystem.

To be clear, I’m not proposing that Project MoodleNet offers the same services as Jetpack, I’m saying that it serves as an example where you can create value in two places and additional value by linking them together.

This would mean…

  • Teachers: professional social networking within their existing learning platform.
  • Instructional designers: faster access to curated open resources.
  • Sysadmins: better security and potentially reduced hosting costs.

(if you’re wondering about ‘reduced hosting costs’ it’s because we’re tentatively looking at how IPFS could be used in the wider Moodle ecosystem)

Finally…

This isn’t a perfect metaphor by any means, and so I’m looking for other ways to explain what we’re trying to achieve. However, the combination of Bryan’s image, referencing Thingiverse, and explaining Jetpack is helping those I’m talking with to understand the kind of thing we’re trying to build.

What kind of metaphor would you use?


Main image CC BY-NC Fir0002/Flagstaffotos

Weeknote 09/2018

This week I’ve been:

  • Sending out Issue #293 of my Thought Shrapnel newsletter. This one was called ‘Making cheese grate again’ and featured curated links from the Thought Shrapnel blog (where you can also sign up if you don’t yet subscribe!)
  • Jet lagged. I thought I’d beaten it with Melatonin tablets, but it came back to bite me on Tuesday — three days after I got home! I took the day off to get back into the groove.
  • Recording an episode of the Today in Digital Education (TIDE) podcast with my co-host, Dai Barnes. Unfortunately, the recording didn’t work properly and only Dai’s side of the conversation was captured after the two-minute mark. It’s disappointing, as we’ve only just moved to a paid account on Cast after experiencing some issues with Zencastr. Not the best present for Dai, whose birthday it was this week!
  • Buying a Chromebox (Asus CN62) for my office, as I’m sick of having to connect and disconnect my laptop every morning. I just want something where I can turn it on and go straight into a video conference. It’s obviously not as powerful as my laptop, but does the job.
  • Snowed in. I don’t think I’ve ever seen so much snow in Northumberland, where I live! The snow was lying 22cm deep outside our house, which meant no school for three days for the children, no travel, and most shops either shut or on reduced hours. I work from home, so the only way it affected me was reducing my options for exercise and having to do some childcare.
  • Booking travel for upcoming events in Berlin, Glasgow, and Bristol.
  • Working on Project MoodleNet:
    • Catching up with stuff I’d missed while away last week, including the recording of the all-hands meeting and (always!) emails.
    • Revisiting my notes from the leadership week in Australia and feeding them into my planning.
    • Adding new scenario images and tidying up the white paper.
    • Talking with lots of smart people, including: Jim Groom, Tom Salmon, Clint Lalonde, Grainne Hamilton, Nitin Parmar, Greg McVerry, and Ian O’Byrne. I very much appreciated their insights and have some more conversations lined up next week!
    • Scheduling the first community call (15:00 UTC, 4th April)
    • Putting together a milestones document for planning and resourcing.
    • Finishing off the Futurelearn GDPR course I’d started. It’s possibly the first online course, other than Learn Moodle Basics, that I’ve ever completed!
  • Participating in our monthly We Are Open Co-op day. We discussed and worked on a bunch of things, including our new website (coming soon!)
  • Writing:

Next week I’m working five days for Moodle as I took a day off this week. I’ll be digging into the Project MoodleNet milestones planning and overview document (initially for internal use) and talking to more smart people!


Image by John Johnston used under a Creative Commons license

Final steps in my GDPR journey

After being away for a couple of weeks in Australia and the USA, I’m back home. It’s time, therefore, to finish off the Futurelearn course I started around Understanding the General Data Protection Regulation (GDPR).

It’s a four-week course, and I’ve written about what I’ve learned over the past three weeks’ worth of material in the following posts:

What follows, therefore, is about the final week — entitled ‘Responsibilities, liabilities and penalties’. I’m digging into this area because I’m leading the MoodleNet project. However, I’m writing here instead of on the project blog as I’m still coming to grips with all that GDPR means in practice.


I like the way that the course organisers frame the final section of this course:

As individuals or natural persons, you should know that most of the activities that you daily perform, all the forms that you are asked to fill in and most of the technology that you use on a daily basis leave a trail of personal data behind. Collecting data, analysing and linking different databases create the possibility to learn very personal information about you and obtain details about your life and life of those who you care about. More than you would have ever thought. More than you even remember. To give but one example: 4 pictures of you placed on the Internet allow facial recognition programs to find you again when crossing the street. Given this situation, you need protection.

Supervisory bodies

As per this week’s course title, the focus is all about how GDPR will be enforced:

These enforcement mechanisms include a number of measures and instruments:

  • The establishment of national supervisory authorities (and the Lead Supervisory Authority in case of cross-border data transfers) and of the European Data Protection Board (Chapter 6);
  • Arrangements to streamline legal compliance, including codes of conduct (Article 40), data protection certifications (Article 42), binding corporate rules (Article 47) and standard (contractual) data protection clauses (Article 46);
  • Rights of data subjects, including the right to lodge a complaint and the right to an effective judicial remedy (Chapter VIII);
  • A multi-layered mechanism to protect the transfer of personal data of EU citizens outside the EU (Chapter V);
  • Liabilities and sanctions for violation of laws (Chapter VIII);
  • The role of Member States in compliance and implementation.

The EU provides a way to ensure local colour and context is respected, while enforcing a European-wide framework. The aim is to prevent safe havens for bad actors:

Each national supervisory authority is empowered to monitor any data processing activity that takes place within its territory (jurisdiction). It is also charged with the task to monitor any data processing activities that target data subjects residing in its territory, even in those situations where the activities are carried out by non-EU data controllers or processors. However, since in an online environment data does not always respect borders, the territorial jurisdiction of a national supervisory authority is not always clear cut.

As a result:

For avoiding situations in which more than one national supervisory authority are competent, the GDPR has introduced the legal concept of the lead supervisory authority or LSA.

When national supervisory authorities realise that a case brought before them has a cross-border dimension… they refer the case to the LSA which decides if it will handle the case or not within three weeks. Article 56 GDPR provides that the lead supervisory authority for cross-border processing of data will be the authority that is competent to supervise the entity engaged in data processing of individuals in different countries or, the authority competent to supervise the main establishment of the data controller or processor in case this has different establishments in several Member States.

So taking the example of the UK (where I live) there’s a national supervisory authority which is then subject to the lead supervisory authority. That, in turn, is subject to the European Data Protection Board:

To ensure the consistent application of the GDPR throughout the EU an important role will be played by the European Data Protection Board (the Board).

Even though the denomination looks new, the Board in itself is the continuation of the existing Article 29 Working Party which was established under the old Data Protection Directive 95/46/EC.

[…]

The old Article 29 Working Party was often criticised for not adequately consulting stakeholders before taking decisions. In reaction to this criticism, the Board is required to consult interested parties where appropriate. This would of course benefit data controllers or processors that might be affected by the decisions adopted.

So it sounds like the EU have learned their lesson:

Similarly with the Article 29 Working Party, the Board is composed of the heads of national supervisory authorities and the European Data Protection Supervisor (EDPS), or their representatives. The EDPS’s voting powers are restricted to those decisions that would be applicable to the EU institutions.

The Board also includes a representative of the European Commission who, however, does not have a right to vote so as to ensure the independence of the Board. There seems to be an implicit suggestion that the European Commission has exercised too much influence over the Article 29 Working Party in the past and the GDPR wants to ensure that this will not be the case in the future.

There’s some great provisions in the GDPR but I have to wonder just how quickly some of the decisions and actions will be taken:

Together with the establishment of the Lead Supervisory Authority presented in the previous step, the consistency mechanism is intended to avoid such situations. When it is clear that the decision of a supervisory authority will have an EU-wide impact, or when a request comes from a national supervisory authority, the Chair of the European Data Protection Board or from the European Commission, the Board issues a non-binding decision on a specific case. The national supervisory authority dealing with the case shall take utmost account of the decision of the Board or shall inform the Board in the case in which it does not intend to follow its opinion.

Codes of conduct

Part of any compliance system involves self-regulation, and the GDPR is no different. I like the ‘code of conduct’ approach in this regard:

For controllers and processors, codes of conduct are an important tool for achieving legal compliance and creating evidence to support this. Member states’ supervisory authorities, the board, and the commission encourage drafting codes of conduct. Such codes of conduct can be prepared, amended, or extended by associations and other bodies representing categories of controllers and processors. Codes of conduct need to include measures specifying the application of the GDPR. This includes, for example, the collection and pseudonymisation of personal data, exercise of data subjects’ rights, and notification of a data breach. Codes of conduct contain mechanisms that enable supervisory authorities to carry out mandatory monitoring of compliance. Drafts, amendments, or extensions of codes of conduct need to be submitted to the supervisory authority for approval.

Companies and other organisations have to ‘walk the walk’, though, and not just have their documentation in place:

Apart from supervisory authorities, other competent bodies with an appropriate level of expertise and accreditation can also monitor compliance with codes of conduct. Drafting codes of conduct is one thing. Committing to them is another. It is important in the sense that it can provide evidence that controllers and processors comply with the GDPR. This not only counts for controllers and processors within the EU, but also for those who are not subject to the GDPR in order to provide appropriate data protection safeguards.

Binding corporate rules

One way of moving beyond a code of conduct is for large, multi-national organisations to implement ‘binding corporate rules’:

Binding corporate rules (BCRs) are internal rules adopted by multinational groups of companies. They define the group’s global policy with regard to the international transfers of personal data to companies within the same group that are located in countries which do not provide an adequate level of protection. They are legally binding and approved by the competent supervisory authority in accordance with the consistency mechanism.

These rules are beneficial for the organisation (efficiency / consistency), for the EU (compliance) and for the end user (transparency).

The GDPR allows for personal data to be transferred outside the EU, but not just anywhere:

As a general rule, transfers of personal data to countries outside the European Economic Area may take place if these countries are deemed to ensure an adequate level of data protection.

Article 45 GDPR provides that the third countries’ level of personal data protection is assessed by the European Commission. According to the GDPR, the Commission’s adequacy decision may be limited also to specific territories or to more specific sectors within a country. A current list of countries that have been evaluated as having an adequate level of data protection can be found here.

The example given in the course is of Japan, which isn’t currently listed as having adequate protections. However:

Personal data can be transferred to a third country even in the absence of an adequacy decision:

(i) if the controller or processor exporting the data has himself provided for appropriate safeguards; and

(ii) on the condition that enforceable data subject rights and effective legal remedies are available in the given country.

At the end of the day, it’s the organisation’s responsibility as the data controller to comply with the GDPR:

In accordance with the provisions in Chapter VIII, controllers and processors are legally liable for damages caused by data processing activities which infringe the GDPR. A controller is liable for all damages caused by processing activities. A processor is liable for not complying with its obligations or for acting outside or contrary to lawful instructions of a controller. A data subject who has suffered material or non-material damages as a result of a violation of the GDPR has the right to receive compensation for damages…

Fines

So now we get to the interesting part. What can the EU actually do about GDPR infringement?

According to Article 83 GDPR, the fines may, depending on the infringed provision of the GDPR, amount to a maximum of 20 million Euros, or, if this is a higher amount, to 4% of the total worldwide annual turnover of an undertaking. For example, a failure to implement the data protection by design and by default is subject to a maximum fine of only 10 million Euros or 2% of the total worldwide annual turnover of an undertaking. On the other hand, violating the basic principles of data processing, including the conditions for obtaining a valid consent as well as non-compliance with a supervisory authority’s order may result in the highest fine of 20 million Euros or 4% of the total worldwide annual turnover.

That’s obviously a lot of money, but it’s a sliding scale:

What the amount of a fine will be at the end will depend on the nature, gravity and duration of the infringement as well as on its character – if there was intention or negligence from the undertaking. The supervisory authority must ensure that the administrative fines would be in each specific case proportionate to the infringement and at the same time also effective and dissuasive. As a result, not all infringements of the GDPR will lead to those serious fines mentioned above.

The good thing, however, is that the fines are calculated on global revenues, rather than just the amount the organisation makes in the EU:

Once the GDPR becomes applicable, the impact of a fine on data controllers and processors, even if not reaching the maximum amount established in Article 83 GDPR, could be significant. Also, in those situations in which a global organisation has only a small establishment in the territory of the European Union, or is completely based in third countries but it targets the processing of personal data of EU citizens, the fine would be based on the total worldwide annual turnover. Thus, following the data protection rules as established by the GDPR should be taken seriously both by EU and foreign organisations.

Conclusion

I’m hopeful that the GDPR is going to help the legal system catch up with some of the technology that’s permeated our lives over the last couple of decades. Time will tell, of course…


Image by the Latvian State Chancellery used under a Creative Commons Attribution-NonCommercial-NoDerivs 2.0 Generic license

Weeknote 08/2018

This week I’ve been:

I’m heading back to the UK this evening then will be at home for the next couple of weeks working on Project MoodleNet and wrapping up some consultancy work. After that I’ve got a bit of travel to events in Europe from mid-March onwards.

Weeknote 07/2018

This week I’ve been:

  • Sending out Issue #291 of my Thought Shrapnel newsletter. This one was called ‘Necessary koalafications 🐨’ and featured curated links from the Thought Shrapnel blog (where you can also sign up if you don’t yet subscribe!)
  • Working in Perth and Mandurah, Australia at a Moodle team leads workweek. It was great to hang out in person with my colleagues, some of whom I’d never met in person. We got lots done, and it was my pleasure to help facilitate some of that.
  • Putting the finishing touches to plans with Bryan Mathers for next week’s work in Washington DC with the Inter-American Development Bank around Open Badges.
  • Writing:

Next week I’m in Washington DC from Monday to Saturday. Over and above the work we’re doing there, I’m looking forward to hanging out with Bryan and a few people I’m planning to catch up with.

Weeknote 06/2018

This week I’ve been:

Next week I’ll be splitting my time between Mandurah and Perth in Australia, before flying home on Friday (and arriving Saturday).
