Category: Moodle (page 1 of 2)

A quick dive into ALT’s journal with my MoodleNet hat on

One of the things I miss from my doctoral research is reading journal articles. So, with my MoodleNet hat on, I dived into ALT’s Research in Learning Technology today. I was on the lookout for things related to professional development and Open Educational Resources (OER).


Drumm, L. (2019). Folk pedagogies and pseudo-theories: how lecturers rationalise their digital teaching. Research in Learning Technology, 27. https://doi.org/10.25304/rlt.v27.2094

I admit that I was attracted to this article by its title, but it came up trumps:

Ideally, educators should critique and adapt ‘best practices’, taking charge of their own pathways of teaching. Indeed, as demonstrated in the data, many of these lecturers do this, but there is a block in articulating, reflecting and sharing these pathways. A solution could be to frame academic development and teaching qualifications as a medium for educators to explore their own voices and communicate about their teaching, without requiring them to fit into prescribed orthodoxies. Rather than setting folk pedagogies and pseudo-theories as ‘incorrect’, they could be acknowledged and used as starting points for conversations about teaching.


Macià, M., & García, I. (2018). Professional development of teachers acting as bridges in online social networks. Research in Learning Technology, 26. https://doi.org/10.25304/rlt.v26.2057

This is a particularly useful paper, where the authors refer to ‘social networking sites’ as ‘SNSs’. It’s worth quoting at length:

SNSs used in education can promote socioconstructivist learning (Allen 2012; Manca and Ranieri 2017) by modifying the learners’ role and providing them with new educational understandings. The interconnected model of professional growth explains how teachers can benefit from the information acquired in online SNSs. This model takes several domains of the teaching situation into account (Clarke and Hollingsworth 2002): (1) the personal domain, including teachers’ ideas, knowledge and beliefs; (2) the external domain, represented by information or resources that teachers acquire while collaborating with other teachers or participating in training activities; (3) the domain of practice, related to action research activities developed in the classroom context; and (4) the domain of consequence, which includes students’ results and other consequences in the classroom climate or organisation. According to the interconnected model, an external source of information, which could be the consequence of participation in an online network or community, can generate change in teachers’ knowledge and foster new practices in their teaching. After experimenting in the classroom, teachers can evaluate the applied processes and student outcomes and, based on the results of this evaluation, make changes at a cognitive and behavioural level. In this context of participatory networking, teachers assume responsibility for the information that they exchange and the contributions they make to the educational networks in which they participate, as well as for the information they integrate and the connections they make, deciding by themselves what they need at every moment.

Recent research describes online teachers’ networks through the theories on social capital and social network analysis, which reveal how information flows between a group of network members (Ranieri, Manca, and Fini 2012; Schlager et al. 2009; Smith Risser 2013; Tseng and Kuo 2014). Bourdieu’s ‘social capital theory’ (1986) asserts that:

the social capital possessed by a person depends on the size of the network of connections they can effectively mobilize and on the volume of the capital (economic, cultural or symbolic) possessed in their own right by each of those to whom they are connected. (p. 21)

Then, teachers’ social capital can increase when they connect to a larger number of colleagues who are highly skilled. According to Bourdieu (1986), participants in a group have to make an effort to sustain the relations that ensure the continuity of the social formation through social exchanges. These social exchanges are identified as mutual recognition and recognition of the membership and also define the limits of the group. Members control new entries by defining occasions, places or practices to gather with other people who have similar interests. In this sense, maintaining and increasing social capital through exchanges requires continuous efforts of sociability, recognition and social competence, and this can result in the transformation of one’s own cultural capital (knowledge, principles and values).

Twitter is of special interest for this research because many teachers participate in this network and use it to share experiences and reflect on practice, to pose or ask questions, to share teaching materials and resources, to hold generic discussions and to provide emotional support (Davis 2015; Smith Risser 2013; Wesely 2013). In general, people tend to use Twitter to write posts about themselves, whereas educators tend to use it to share information (Forte, Humphreys, and Park 2012). For this reason, Twitter frequently plays the role of an aggregator of content or resources present in other social networks or virtual sites (Wesely 2013), as teachers tweet the link to such content and it can be recovered through the use of a hashtag (the method used on Twitter to categorise tweets into topics). Teachers also use Facebook, especially the ‘groups’ functionality, which is a closed environment that facilitates interchange around generic or specific topics (Ranieri, Manca, and Fini 2012). The use of both networks may have an impact on teachers’ professional growth by fostering their digital competence and helping to change their practice and educational perspectives (Manca and Ranieri 2017).

This quotation from an interview with a teacher is illuminating:

Starting to share in networks for me was a ‘before and after’. It was a complete change. I have evolved as teacher and I have a relationship with students which I never imagined. It has been much more than the knowledge, new tools or meeting people; it has generated a change in the way I work. After the project [a project about student talents] I started to take into account students’ emotions. I learned to respect students. (Interview, Teacher 6)

Also useful:

The teachers interviewed were all active members on SNS and preferred Twitter for dealing with educational issues. Twitter is a generic SNS that has been adopted by educators for multiple professional purposes such as communicating with others, increasing the visibility of classroom activities and sharing information, resources and materials (Carpenter and Krutka 2014, 2015; Davis 2015; Veletsianos 2012; Wesely 2013). The asynchronous nature of online SNSs, the knowledge sharing and the immediacy of responses make Twitter and other SNS a suitable space for enhancing teacher professional development. Twitter was also praised for filtering valuable content for teachers, for facilitating searches on educational topics (Carpenter and Krutka 2015) and also for enabling serendipitous learning thanks to its condition of being a network (Wenger, Trayner, and de Laat 2011). The participants in the study justified that they used Twitter because of the rapid flow of information, the ease of use of the platform, its open and participative nature and finally the high number of Twitter users who belong to the educational world. Indeed, involvement in online SNS helps teachers enlarge their professional community, share resources and reflect on teaching practices (Carpenter and Krutka 2014, 2015; Wesely 2013).

Participant teachers also used instant messaging applications such as WhatsApp or Telegram to keep in touch with other teachers or to sustain active discussion groups. The use of these tools is very much related to mobile phones. These tools offer the same immediacy as Twitter in a closed and more controlled environment, where people can only join by invitation. The use of these instant messaging tools, and particularly their use in combination with other SNSs, has barely been studied for educational and training purposes but could be effective for maintaining informal communities of teachers (Bouhnik and Deshen 2014; Cansoy 2017).

The activities conducted openly in this SNS are mainly sharing information and socialising. In fact, we can consider that these two types of activities determine two different patterns of participation: (1) teachers who mainly use Twitter to share information, news, resources or media and who dedicate around two-thirds of their activity to this endeavour, and (2) teachers who mainly use Twitter for social purposes such as living a social life, live event participation and courtesy, with this social activity accounting for around 50% of their total activity. These two patterns, consisting of sharing information or being social, could be related to teachers’ interests and also to their personal and professional identity. Carpenter and Krutka (2014), in a study with 755 educators, found that 96% of them used Twitter to share and acquire resources, 86% to collaborate with other teachers, 76% for networking and 73% for chatting. These results are consistent with the two main patterns of Twitter use identified in this study.

This explorative study into teachers who act as bridges reveals that they are active in SNSs and that they take advantage of this participation by introducing new practices into their classrooms and also by collaborating with other teachers to develop school practices. These teachers are highly motivated, enjoy their work and are eager to improve professionally, which could have triggered their participation in SNSs. Thus, it is not clear whether their participation in SNSs directly causes the improvement in their teaching practices or whether SNSs are just another tool used by teachers who are already interested. This question remains open and it is key to understanding the role that online networks and communities can play in teachers’ professional development. Our results show that there is certain interdependence between actively participating in an SNS and being involved in several communities. The results also highlight the relevance of lightweight peer production and peripheral participation in productive online social networks, which materialises in this bridging role that certain participants assume.


Atenas, J., & Havemann, L. (2014). Questions of quality in repositories of open educational resources: a literature review. Research in Learning Technology, 22. https://doi.org/10.3402/rlt.v22.20889

This paper is all about ‘quality indicators’ in Repositories of OER (ROER):

Drawing from our analysis of the literature, we would argue that the ethos underlying the creation of ROER can be said to comprise four key themes, which we refer to as Search, Share, Reuse, and Collaborate. The purpose of ROER is to support educators in searching for content, sharing their own resources, reusing and evaluating materials, and adapting materials made by or in collaboration with other members of the community.

The four themes can be understood in greater detail as follows:

  1. Search: As Google tends to be the first reference point for many people, it can be considered a ‘living index and repository for enormous content’ (Atkins, Brown, and Hammond 2007). Although the internet has among its archives billions of documents and multimedia materials that can be found by using search engines, it is a more complex task to ensure that the materials and documentation discovered in such searches are appropriate to a specific educational field and context. For Wang and Hwang (2004), it is difficult for educators to build and maintain personal collections and is ‘very time consuming to locate and retrieve distributed learning materials’. For Rolfe (2012), searching for OER in repositories facilitates the non-commercial reuse of content with minimal restrictions.
  2. Share: According to Hylén (2006) one of the possible positive effects of openly sharing educational resources is that free trade fosters the dissemination of knowledge more widely and quickly, so more people can access resources to solve their problems. For Windle et al. (2010) the quality assurance and good design of OER can enhance the reuse and sharing of OER, as ‘evidence suggests that those who feel empowered to reuse are more likely to themselves to share and vice versa’ (p. 16). According to Pegler (2012), if OER are not shared or reused, the main objective of the OER cannot be accomplished; also, the number of times in which a resource has been shared can be considered a measure of resource quality, as it provides an indication of the impact a particular resource has had.
  3. Reuse: A key concern of educators regarding the reuse of OER relates to the contextualisation of resources; to adapt, translate or reuse materials for use in different socio-cultural contexts could potentially be more difficult or costly than creating new resources. To alleviate these challenges, the main impetus must come not from technologies but from pedagogical communities where academics and teachers are both, content producers and users (Petrides and Nguyen 2008). The practice of reusing content has in the past been considered ‘a sign of weakness’ by the academic community, but this point of view has been changing as the OER movement is increasingly embraced by academics which are willing to share their content with others (Weller 2010).
  4. Collaborate: OER repositories, if well designed, can serve to facilitate different communities of users who collaborate in evaluating and reusing content and co-creating new materials by encouraging the discussion around improvement of resources (Petrides and Nguyen 2008). Though traditionally teaching materials were produced within the context of a classroom, OER can be created collaboratively in virtual spaces (McAndrew, Scanlon, and Clow 2012). ROER have potential as a framework in which ‘various types of stakeholders are able to interact, collaborate, create and use materials and processes’ (Butcher, Kanwar, and Uvalić-Trumbić 2011).


Whitworth, A., Garnett, F., & Pearson, D. (2012). Aggregate-then-Curate: how digital learning champions help communities nurture online content. Research in Learning Technology, 20. https://doi.org/10.3402/rlt.v20i0.18677

The authors refer to the ‘Aggregate-then-Curate’ model as ‘A/C’ and ‘Digital Learning Champions’ as ‘DLCs’.

(1) Identification: The initial motivation for creating resources must come from the community participant (an individual, or a group), even if the motivation is in response to an external stimulus, e.g. a request to participate in a project. There will be at least one existing resource that the participant has in mind. This may be a physical object, a text (digital or otherwise), or tacit knowledge such as a skill, personal narrative, etc. The resource belongs to the participant and not to the project or to the partner institutions.

(2) Initial aggregation: This stage begins the process of connecting together resources by revealing links between them, suggesting appropriate groupings, potential learning pathways and so on. This is a social process and so must involve other members of the community, but not necessarily involve digital media. Often, it will take place very informally, as community members validate one another’s opinions about what information is useful, sometimes explicitly but often with reference to implicitly held, shared views – the sort of thing that binds people together in “communities” in the first place. However, it may also involve more organised and/or formal processes. What this stage entails is the intersubjective validation of initial, subjective ideas by members of the community.

(3) Digital creation: Once resources and connections between them have been identified by the community, some form of digital representation can be created. Even where some existing resources, first identified then aggregated in Stages 1–2, are already in digital form, the connections between them may need expressing as digital content in their own right.

A DLC would help here if they were at a different “developmental phase” in their work with, and experience of ICT, and could thereby provide technical assistance to the creation of digital artefacts. A particular resource might be very relevant and timely. However, its usefulness will be diminished if it is, for example, an inaudible recording. Is metadata in place, can the resource therefore be found by others? Is the appropriate format, or medium, being exploited? Is the material legal? These are more objective filtering criteria than apply at earlier stages.

(4) Digital aggregation: At this stage, resources are informally aggregated in a community-driven way. Digital aggregation involves using social links that either already exist (and may, or may not, have played a role in the initial aggregation at Stage 2), or which are discovered at the digital creation stage. Once again, this process may be supported by a DLC.

(5) Sequencing and curation: Sequencing is when the aggregation process takes on a more structured form. The collection of resources begins to demonstrate its potential to solve problems or drive learning outcomes both within and outside the community. Learning pathways or other broader narratives begin to be addressed through the aggregation process in a coherent way.

This is the stage at which curation comes into play. The subjective and intersubjective values assigned to the community informational resources by individuals and other community members, are validated here by interests that are partly external. This is a significant moment for the collection. If “curator” is broadly defined as “a person in charge of something … a guardian” (from Chambers English Dictionary), curation can therefore be defined as the management of a collection of resources at a fundamental level. As Simon (2010) recognises, and as our background discussion concluded, it is the level of participation in curation that is significant. Sequencing is the stage at which the resources’ quality begins to be judged by institutions that may still be familiar with the general context from which they emerged, but which are essentially external to the community. The role of a DLC here would be to facilitate the interaction across the boundary for mutual benefit, helping the community members reflect on, and thereby learn from, the interaction: but also helping the institution learn from the community.

(6) Social media aggregation: Their quality validated by a wide range of interests that remain local, resources that reach a certain standard – judged either by technical quality, informational quality, or widespread relevance and appeal – are then widely disseminated. The resources “go viral” in some form or another. The community that is now validating them and assigning them value is now much wider in scope and may exist in contexts that are quite distinct from that in which the resources initially emerged.

The effective use of a social media aggregator, such as a blog or a wiki or a more dedicated social media aggregator offered by a provider, would represent a shift in the participants’ mastery of a range of social media. This would indicate that they have a range of effective digital skills to use to curate digital content, as well as to negotiate with a number of third parties including groups, such as local history groups, as well as cultural and educational institutions.

(7) Accreditation: Collections of resources may be recognised as definitive, publishable, in need of protection, or other such formal recognition of their value (quality, distinctiveness, relevance). Individuals and communities may have their work on the resources recognised by the formal award of credit from an educational provider, or some other mark of status or achievement, perhaps an exhibition, further commissions, etc.

It must be stressed that this model is an ideal. In reality, later stages are often never reached, and some may be bypassed, or take place without the participation of effective learning champions, adequate levels of community participation, and so on. 


Di Blas, N., Fiore, A., Mainetti, L., Vergallo, R., & Paolini, P. (2014). A portal of educational resources: providing evidence for matching pedagogy with technology. Research in Learning Technology, 22. https://doi.org/10.3402/rlt.v22.22906

Learning object repositories can be difficult to navigate, and the educational material difficult to integrate into online courses. Schoonenboom, Sligte, and Kliphuis (2009) observe that the literature on the reuse of learning materials has largely focused on the development of materials. The authors developed guidelines that support staff and/or management in cases of (un)successful reuse of existing digital materials and provided methods for teachers in higher education in such cases. 

The authors observe that the tendency of current repositories is to retain content in the form of a broad mix of text documents, videos, audio files and graphics (EDRENE 2009). It also emerges that a few repositories include non-digital materials (e.g. text books). A little less than a third of repositories surveyed have a mix between free and commercial material. What is relatively clear is that educational repositories are mainly created to share learning objects, often characterised by metadata or ready-made courses, intended as an organised set of learning resources related to a specific discipline. However, they largely fail to provide a whole, fully described and reproducible learning experience that can clarify when, where and how materials, digital or not, were used; how the learning process was organised; what educational goals were planned; which educational benefits were generated and what the role of the technology was.


It’s not an in-depth analysis, just a quick look at one particular journal. However, I’m pleased with what I came away with. If you’re reading this and know related stuff I should be aware of, please share in the comments below!

Open source community calls in the wake of GDPR

I am a supporter of the intentions and sentiment behind the General Data Protection Regulation (GDPR) that came into force last month. However, it comes with some side effects.

Take community calls for the open source community, for example. Here’s how they often work:

  • Agenda — someone with a level of responsibility within the project creates an agenda using a service you don’t have to log in to access and to which everyone can contribute (e.g. Etherpad)
  • Synchronous call — at the appointed time, those wishing to participate connect to some kind of audio and/or video conferencing service (e.g. Zoom)
  • Recordings — those who are interested in the project but couldn’t participate at the time catch up via the agenda and recording.

I’ve been running community calls using this kind of approach for the last five years or so. It’s an effective method, and a process I follow so automatically that I didn’t even think about the GDPR implications.

Yesterday, however, I was informed (very nicely!) by Carlo Polizzi, Moodle’s DPO and Legal Counsel, that I needed to delete the data I’d collected in this way and find a new way to do this.

GDPR requires that (unless community members contribute anonymously) we must, at the very least:

  1. Gain consent from each individual that we can store their personal data and that they agree to our privacy policy.
  2. Inform individuals what that data will be used for and how long we will be storing it.
  3. Give them the option of withdrawing that consent at any time and having their data deleted.

This means, of course, that community members are going to have to register and then log in to a system that tracks them over time. I’ve written before about creating an architecture of participation for episodic volunteering. This certainly presents more of a challenge for the ‘easy onboarding’ part of that.


So, not sure what to do, I put up the Bat-Signal and asked my network. Out of that came suggestions to use:

  • An encrypted etherpad solution that auto-deletes after a specified amount of time (e.g. CryptPad)
  • Forum software that feels quite ‘realtime’ (e.g. Discourse)
  • A Moodle course with guest access open (e.g. MoodleCloud)

On a more meta level, I also had some feedback that synchronous communication discriminates against users for whom English isn’t their first language and/or who are disabled.


For now, given the above feedback, we’re going to end community calls in their current guise. I’ve met with Mary Cooch, Moodle’s community educator, to discuss a few options for how we could do things differently, and we’re going to explore using the existing MoodleNet discussion forum at moodle.org along with BigBlueButton.

If you’ve got any questions, comments, or suggestions, I’d love to hear them, as this is something that many other open source projects are going to have to grapple with, as well!


Image CC BY-SA opensource.com

Winnowing the MoodleNet project down to MVP size

Note: this post refers to the MoodleNet project that I’m leading. More on that can be found here: moodle.com/moodlenet

Context

As a knowledge worker, you can’t win. If you do your job well, then the outputs you produce are simple and easy to understand. It’s your job to deal with complexity and unhelpful ambiguity so that what’s left can be comprehended and digested.

In a way, it’s very much like the process of writing for an audience. We’ve all read someone’s stream-of-consciousness email that said much but conveyed little. Good writing, on the other hand, takes time, effort, and editing.

The problem is that high-quality knowledge work looks easy. Long hours of thinking, discussing, and experimenting are boiled down to their essentials. You just see the outputs.

Perhaps the most obvious example would be brand redesign: almost no matter what’s produced, the response is usually that the process resulted in money wasted. That’s even more true when there’s public money involved.

The City of Belfast spent around £200k on this logo in 2008. It’s a heart-shaped B conveying love. I quite like it.

As a result, logo designers tend to share the process which got to that point. They share iterations towards the final idea, any rejected ideas, and the conversations with people who had some input into the process.

Likewise, all knowledge workers should show their work, as Austin Kleon puts it. This not only proves the value of the work being done, but invites commentary and constructive criticism at a time when it can be useful — before the final version is settled upon.

Process

A Minimum Viable Product, or MVP, is “a product with just enough features to satisfy early customers, and to provide feedback for future product development.” However, in my experience, there’s a few stages before that:

  1. Research: whoever’s in charge of the project (in this case, me!) situates themselves in the landscape, talks to lots of people and does a bunch of reading.
  2. Hypothesise: the same individual, or by this point potentially a small team, comes up with some hypotheses for the product being designed. A direction of travel is set, but at this stage it’s only as granular as north, south, east, or west.
  3. Design: a small team, including a designer and developer, take a week to ‘sprint’ towards something that can be mocked up and put in front of users. The result is the smallest possible thing that can be built and tested.
  4. Prototype: developers and designers come up with a working prototype that can be put in front of test users within a controlled environment. Sometimes this uses software like Framer, sometimes it’s custom development, and sometimes it’s powered by nothing more than Google Sheets.
  5. Build: the team creates something that can be tested with a subset of the wider (potential) user base. The focus is on testing a range of hypotheses that have been refined through the previous four processes.

Following this, of course, is a lot of iteration. It may be that the hypotheses were shown to be invalid, in which case it’s (quite literally) back to the drawing board.

Where we’re at with MoodleNet

Right now, I’m working with colleagues at Moodle around a job ‘landscape’ for a Technical Architect to join us in the next few months. In the meantime, we’re looking to work with a design and development consultancy to take us through steps 3-5.

It gets to the stage where you just need to build something and put it in front of people. They either find it useful and ‘get’ what problem you’re helping them solve, or they don’t.

You can’t be too wedded to your hypotheses. As project lead, I was sure that a federated approach based on an instance of Mastodon was the place to start, until I spoke with some people and did some thinking and realised that perhaps it wasn’t.

And, of course, it’s worth reminding myself that there’s currently the equivalent of 0.8 FTE on this project (I work four days per week for Moodle). Rome, as they say, wasn’t built in a day.


Image: HEAVENLY CROP by American Center Mumbai used under a CC BY-ND license

Moodling around with a Jetpack metaphor

I’m busy ideating, and talking to people around, Project MoodleNet. When you’re explaining something that doesn’t yet exist, you’ve got to use touchstones and metaphors, starting from where people are to help them understand where you want to go.

Project MoodleNet landscape

In these discussions I’ve been using three things to help me:

  1. A great ‘landscape’ image from Bryan Mathers (see above)
  2. The 3D printing social network Thingiverse (which I wrote about here)
  3. The Jetpack plugin for WordPress

It’s worth, I think, unpacking the third of these — if only so I’ve got a public URL to point people towards when I reference it elsewhere! It’s an imperfect metaphor, as it involves more technical understanding than we’ll require for Project MoodleNet.

Anyway, here goes…

WordPress and Moodle are similar

  • Free (as in freedom)
  • Open Source
  • Host your own version
  • Have it hosted for you
  • Partnership network

How Jetpack works

Jetpack is a meta-plugin, a ‘plugin of plugins’ that adds lots of functionality to self-hosted instances of WordPress. In fact, it’s pretty much a no-brainer to activate Jetpack if you’re self-hosting. It connects your instance to your wordpress.com account, giving you:

  • Faster page loading (via CDN)
  • Additional security
  • Detailed site stats
  • Faster logins
  • Payment integration

Where’s the value for the organisation behind WordPress?

So lots of value for users, but (you may think), what’s in it for Automattic, the organisation behind WordPress? Well…

  • Secure, fast WordPress sites maintain brand value
  • Better metrics around installation numbers
  • Ability to upsell to customers direct from dashboard

Why is this a good metaphor for what we’re doing?

Project MoodleNet will be a standalone social network for educators focused on professional development and open content. It can be supercharged, however, by using a similar model to what WordPress have done with Jetpack.

Imagine users logging into an institutionally-hosted Moodle instance using their Project MoodleNet credentials because the two are connected in a similar way to how Jetpack works for the WordPress ecosystem.

To be clear, I’m not proposing that Project MoodleNet offers the same services as Jetpack, I’m saying that it serves as an example where you can create value in two places and additional value by linking them together.

This would mean…

  • Teachers: professional social networking within their existing learning platform.
  • Instructional designers: faster access to curated open resources.
  • Sysadmins: better security and potentially reduced hosting costs.

(if you’re wondering about ‘reduced hosting costs’ it’s because we’re tentatively looking at how IPFS could be used in the wider Moodle ecosystem)

Finally…

This isn’t a perfect metaphor by any means, and so I’m looking for other ways to explain what we’re trying to achieve. However, the combination of Bryan’s image, referencing Thingiverse, and explaining Jetpack is helping those I’m talking with to understand the kind of thing we’re trying to build.

What kind of metaphor would you use?


Main image CC BY-NC Fir0002/Flagstaffotos

Final steps in my GDPR journey

After being away for a couple of weeks in Australia and the USA, I’m back home. It’s time, therefore, to finish off the Futurelearn course I started around Understanding the General Data Protection Regulation (GDPR).

It’s a four-week course, and I’ve written about what I’ve learned over the past three weeks’ worth of material in the following posts:

What follows, therefore, is about the final week — entitled ‘Responsibilities, liabilities and penalties’. I’m digging into this area because I’m leading the MoodleNet project. However, I’m writing here instead of on the project blog as I’m still coming to grips with all that GDPR means in practice.


I like the way that the course organisers frame the final section of this course:

As individuals or natural persons, you should know that most of the activities that you daily perform, all the forms that you are asked to fill in and most of the technology that you use on a daily basis leave a trail of personal data behind. Collecting data, analysing and linking different databases create the possibility to learn very personal information about you and obtain details about your life and life of those who you care about. More than you would have ever thought. More than you even remember. To give but one example: 4 pictures of you placed on the Internet allow facial recognition programs to find you again when crossing the street. Given this situation, you need protection.

Supervisory bodies

As this week’s title suggests, the focus is all about how GDPR will be enforced:

These enforcement mechanisms include a number of measures and instruments:

  • The establishment of national supervisory authorities (and the Lead Supervisory Authority in case of cross-border data transfers) and of the European Data Protection Board (Chapter 6);
  • Arrangements to streamline legal compliance, including codes of conduct (Article 40), data protection certifications (Article 42), binding corporate rules (Article 47) and standard (contractual) data protection clauses (Article 46);
  • Rights of data subjects, including the right to lodge a complaint and the right to an effective judicial remedy (Chapter VIII);
  • A multi-layered mechanism to protect the transfer of personal data of EU citizens outside the EU (Chapter V);
  • Liabilities and sanctions for violation of laws (Chapter VIII);
  • The role of Member States in compliance and implementation.

The EU provides a way to ensure local colour and context is respected, while enforcing a European-wide framework. The aim is to prevent safe havens for bad actors:

Each national supervisory authority is empowered to monitor any data processing activity that takes place within its territory (jurisdiction). It is also charged with the task to monitor any data processing activities that target data subjects residing in its territory, even in those situations where the activities are carried out by non-EU data controllers or processors. However, since in an online environment data does not always respect borders, the territorial jurisdiction of a national supervisory authority is not always clear cut.

As a result:

For avoiding situations in which more than one national supervisory authority are competent, the GDPR has introduced the legal concept of the lead supervisory authority or LSA.

When national supervisory authorities realise that a case brought before them has a cross-border dimension… they refer the case to the LSA which decides if it will handle the case or not within three weeks. Article 56 GDPR provides that the lead supervisory authority for cross-border processing of data will be the authority that is competent to supervise the entity engaged in data processing of individuals in different countries or, the authority competent to supervise the main establishment of the data controller or processor in case this has different establishments in several Member States.

So taking the example of the UK (where I live) there’s a national supervisory authority which is then subject to the lead supervisory authority. That, in turn, is subject to the European Data Protection Board:

To ensure the consistent application of the GDPR throughout the EU an important role will be played by the European Data Protection Board (the Board).

Even though the denomination looks new, the Board in itself is the continuation of the existing Article 29 Working Party which was established under the old Data Protection Directive 95/46/EC.

[…]

The old Article 29 Working Party was often criticised for not adequately consulting stakeholders before taking decisions. In reaction to this criticism, the Board is required to consult interested parties where appropriate. This would of course benefit data controllers or processors that might be affected by the decisions adopted.

So it sounds like the EU have learned their lesson:

Similarly with the Article 29 Working Party, the Board is composed of the heads of national supervisory authorities and the European Data Protection Supervisor (EDPS), or their representatives. The EDPS’s voting powers are restricted to those decisions that would be applicable to the EU institutions.

The Board also includes a representative of the European Commission who, however, does not have a right to vote so as to ensure the independence of the Board. There seems to be an implicit suggestion that the European Commission has exercised too much influence over the Article 29 Working Party in the past and the GDPR wants to ensure that this will not be the case in the future.

There are some great provisions in the GDPR, but I have to wonder just how quickly some of the decisions and actions will be taken:

Together with the establishment of the Lead Supervisory Authority presented in the previous step, the consistency mechanism is intended to avoid such situations. When it is clear that the decision of a supervisory authority will have an EU-wide impact, or when a request comes from a national supervisory authority, the Chair of the European Data Protection Board or from the European Commission, the Board issues a non-binding decision on a specific case. The national supervisory authority dealing with the case shall take utmost account of the decision of the Board or shall inform the Board in the case in which it does not intend to follow its opinion.

Codes of conduct

Part of any compliance system involves self-regulation, and the GDPR is no different. I like the ‘code of conduct’ approach in this regard:

For controllers and processors, codes of conduct are an important tool for achieving legal compliance and creating evidence to support this. Member states’ supervisory authorities, the board, and the commission encourage drafting codes of conduct. Such codes of conduct can be prepared, amended, or extended by associations and other bodies representing categories of controllers and processors. Codes of conduct need to include measures specifying the application of the GDPR. This includes, for example, the collection and pseudonymisation of personal data, exercise of data subjects’ rights, and notification of a data breach. Codes of conduct contain mechanisms that enable supervisory authorities to carry out mandatory monitoring of compliance. Drafts, amendments, or extensions of codes of conduct need to be submitted to the supervisory authority for approval.

Companies and other organisations have to ‘walk the walk’, though, and not just have their documentation in place:

Apart from supervisory authorities, other competent bodies with an appropriate level of expertise and accreditation can also monitor compliance with codes of conduct. Drafting codes of conduct is one thing. Committing to them is another. It is important in the sense that it can provide evidence that controllers and processors comply with the GDPR. This not only counts for controllers and processors within the EU, but also for those who are not subject to the GDPR in order to provide appropriate data protection safeguards.

Binding corporate rules

One way of moving beyond a code of conduct is for large, multi-national organisations to implement ‘binding corporate rules’:

Binding corporate rules (BCRs) are internal rules adopted by multinational groups of companies. They define the group’s global policy with regard to the international transfers of personal data to companies within the same group that are located in countries which do not provide an adequate level of protection. They are legally binding and approved by the competent supervisory authority in accordance with the consistency mechanism.

These rules are beneficial for the organisation (efficiency / consistency), for the EU (compliance) and for the end user (transparency).

The GDPR allows for personal data to be transferred outside the EU, but not just anywhere:

As a general rule, transfers of personal data to countries outside the European Economic Area may take place if these countries are deemed to ensure an adequate level of data protection.

Article 45 GDPR provides that the third countries’ level of personal data protection is assessed by the European Commission. According to the GDPR, the Commission’s adequacy decision may be limited also to specific territories or to more specific sectors within a country. A current list of countries that have been evaluated as having an adequate level of data protection can be found here.

The example given in the course is of Japan, which isn’t currently listed as having adequate protections. However:

Personal data can be transferred to a third country even in the absence of an adequacy decision:

(i) if the controller or processor exporting the data has himself provided for appropriate safeguards; and

(ii) on the condition that enforceable data subject rights and effective legal remedies are available in the given country.

At the end of the day, it’s the organisation’s responsibility as the data controller to comply with the GDPR:

In accordance with the provisions in Chapter VIII, controllers and processors are legally liable for damages caused by data processing activities which infringe the GDPR. A controller is liable for all damages caused by processing activities. A processor is liable for not complying with its obligations or for acting outside or contrary to lawful instructions of a controller. A data subject who has suffered material or non-material damages as a result of a violation of the GDPR has the right to receive compensation for damages…

Fines

So now we get to the interesting part. What can the EU actually do about GDPR infringement?

According to Article 83 GDPR, the fines may, depending on the infringed provision of the GDPR, amount to a maximum of 20 million Euros, or, if this is a higher amount, to 4% of the total worldwide annual turnover of an undertaking. For example, a failure to implement the data protection by design and by default is subject to a maximum fine of only 10 million Euros or 2% of the total worldwide annual turnover of an undertaking. On the other hand, violating the basic principles of data processing, including the conditions for obtaining a valid consent as well as non-compliance with a supervisory authority’s order may result in the highest fine of 20 million Euros or 4% of the total worldwide annual turnover.

That’s obviously a lot of money, but it’s a sliding scale:

What the amount of a fine will be at the end will depend on the nature, gravity and duration of the infringement as well as on its character – if there was intention or negligence from the undertaking. The supervisory authority must ensure that the administrative fines would be in each specific case proportionate to the infringement and at the same time also effective and dissuasive. As a result, not all infringements of the GDPR will lead to those serious fines mentioned above.

The good thing, however, is that the fines are calculated on global revenues, rather than just the amount the organisation makes in the EU:

Once the GDPR becomes applicable, the impact of a fine on data controllers and processors, even if not reaching the maximum amount established in Article 83 GDPR, could be significant. Also, in those situations in which a global organisation has only a small establishment in the territory of the European Union, or is completely based in third countries but it targets the processing of personal data of EU citizens, the fine would be based on the total worldwide annual turnover. Thus, following the data protection rules as established by the GDPR should be taken seriously both by EU and foreign organisations.

Conclusion

I’m hopeful that the GDPR is going to help the legal system catch up with some of the technology that’s permeated our lives over the last couple of decades. Time will tell, of course…


Image by the Latvian State Chancellery used under a Creative Commons Attribution-NonCommercial-NoDerivs 2.0 Generic license

Experimenting with a channel-based approach for online resource sharing

I’ve already posted about our experiments with Mastodon as part of the work going into Project MoodleNet. Again, I’m posting this here instead of on the project blog as we’re just testing…


ActivityPub is a protocol that allows for decentralised, federated social networks. We’re experimenting with it as potentially the base on which we can build Project MoodleNet, “a new open social media platform for educators, focused on professional development and open content”.

Mastodon is great, but purposely limited in features to keep things easy for users, moderators, and administrators. Hubzilla, on the other hand, gives users plenty of options.

Hubzilla is a free and open source set of web applications and services running on a special kind of web server, called a “hub”, that can connect to other hubs in a decentralised network we like to call “the grid”, providing sophisticated communications, identity, and access control services which work together seamlessly across domains and independent websites. It allows anybody to publicly or privately publish content via “channels”, which are the fundamental, cryptographically secured identities that provide authentication independently of the hubs which host them. This revolutionary liberation of online identity from individual servers and domains is called “nomadic identity”, and it is powered by the Zot protocol, a new framework for decentralised access control with fine-grained, extensible permissions.

What does that mean in practice?

From the practical perspective of hub members who use the software, Hubzilla offers a variety of familiar, integrated web apps and services, including:

  • social networking discussion threads
  • cloud file storage
  • calendar and contacts (with CalDAV and CardDAV support)
  • webpage hosting with a content management system
  • wiki
  • and more…

While all of these apps and services can be found in other software packages, only Hubzilla allows you to set permissions for groups and individuals who may not even have accounts on your hub! In typical web apps, if you want to share things privately on the internet, the people you share with must have accounts on the server hosting your data; otherwise, there is no robust way for your server to authenticate visitors to the site to know whether to grant them access. Hubzilla solves this problem with an advanced system of remote authentication that validates the identity of visitors by employing techniques that include public key cryptography.

In this post, I want to outline some of Hubzilla’s features and discuss how they may be useful to Project MoodleNet. This is not meant to be comprehensive, by any means, just my first impressions.

1. Configurable UX depending on user technical knowledge

Hubzilla: privacy sharing options

When you set up your account in Hubzilla, you’re presented with this drop-down menu asking you to indicate your technical skill level. The lower you set this, the simpler the user interface becomes. I like this because, as with any kind of community, there are more and less technical educators who will be using Project MoodleNet.

2. WebDAV integration

Hubzilla: configure WebDAV

Although not strictly accurate, I set my technical skill level as ‘Wizard’ to see all of the options available in Hubzilla. This box appeared informing me of my WebDAV address:

Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations.

[…]

The WebDAV protocol provides a framework for users to create, change and move documents on a server. The most important features of the WebDAV protocol include the maintenance of properties about an author or modification date, namespace management, collections, and overwrite protection. Maintenance of properties includes such things as the creation, removal, and querying of file information. Namespace management deals with the ability to copy and move web pages within a server’s namespace. Collections deal with the creation, removal, and listing of various resources. Lastly, overwrite protection handles aspects related to locking of files.

Many modern operating systems provide built-in client-side support for WebDAV.

This is handy stuff, especially given that NextCloud, which is a great service for files, calendars, contacts, and other applications, also supports ActivityPub and WebDAV!

3. Inbuilt calendar

Hubzilla: Calendar

Talking of calendars, Hubzilla has one built-in under ‘Events’. It’s pretty basic, but it’s easy to create entries and import/export existing calendars. I assume that there’s a way to link this up with WebDAV, but it wasn’t obvious in the time I spent tinkering.

4. Other apps

Hubzilla: add apps

Other apps can be added and removed by users in a range of categories. All the basic things you’d want are there, and new apps can be developed and added in a straightforward way.

5. Multiple profiles

Hubzilla: profiles

One thing I immediately liked about Hubzilla was the ability to create multiple profiles, should the channel owner allow. This permits users to create profiles that demonstrate different facets of their personality, and perhaps share information with certain groups that they wouldn’t share publicly.

Hubzilla: multiple profiles

The only current downside to this was that I couldn’t find a way to have different images for different profiles. I guess these are sub-profiles, but it would be nice with Project MoodleNet to have different avatars for different facets of your identity within the system. Something to test out, for sure.

6. Channels

Hubzilla: installed apps

Hubzilla is built around ‘channels’ that you can discover and add via any compatible instance. So, just as with Mastodon, people can find and add you no matter which server they’re using.

7. Adding content

Hubzilla: share resources

I tested out adding content into a channel by posting a link to a resource I found on OER Commons. There’s no visual editor, but the channel owner does get to choose between wiki markup or Markdown. There are buttons which generate the necessary code for users, as Mediawiki does by default.

8. Responding to posts

Hubzilla: respond with emoji Hubzilla: post menu

As you’d expect, because it’s 2018, you can respond to posts not only with a Facebook-inspired ‘thumbs up’ but also with a range of emojis. In addition, there are a range of options, including ‘Poke’, ‘Share This’ and starring the post to come back to.

9. Mastodon vs. Hubzilla?

Hubzilla: comment

I asked people, ironically enough on Mastodon, what they thought about Hubzilla. I got some quick responses, and you can see the thread here. It seems like Hubzilla is a lot more flexible than Mastodon, but it’s by default relatively complex, which can put less technical people off a bit.

10. Sustainability

Hubzilla: GitHub Pulse

We’d obviously do a deeper dive if and when we decide to experiment further, but Hubzilla’s code is on GitHub and the repository seems to be pretty active. They’re on v3.0 and, according to some quick digging, the first release was in August 2015. There are only 47 nodes with 847 users at present, however, compared with over 1 million users of Mastodon across almost 1,500 instances (source).

Conclusion

Hubzilla has some very nice features which we would definitely want to implement with Project MoodleNet. Whether or not it’s the best base to start from is a decision we’ll have to make as a team, but I’ve enjoyed experimenting!


Main image by Fahrul Azmi used under a CC0 license

Continuing my GDPR journey

I’ve already written a couple of blog posts to reflect on my learning during the first two weeks of a Futurelearn course I’m taking on the General Data Protection Regulation (GDPR):

It’s a surprisingly interesting subject, so much so that I’m in danger of, for the first time ever, actually completing an online course that I’m taking voluntarily!

Although it’s my choice, I’m pursuing knowledge in this area because I’m leading Project MoodleNet. However, I’m writing here instead of on the project blog as I’m still coming to grips with all that GDPR means in practice.


Week 3 of the course is all about data controllers and data processors. The quotations I use throughout this post are taken from the course, which I highly recommend (you can sign up for free!)

In brief, data controllers are those who determine the purposes and means of processing personal data. When two or more controllers do so jointly, they are joint controllers. Processors, on the other hand, are those engaged in processing personal data on behalf of controllers. They will follow instructions given by controllers and cannot make decisions on the choice of purposes and means in data processing.

Here’s a more homely metaphor:

To make this more clear: if you visualise a ship and imagine that it is processing data, the controller is the captain and the processors are the sailors. A controller manages and controls the processing of the data (the ship), he determines the purpose (the destination), and the means (or the course of the voyage). A processor is contracted by the controller to carry out data processing for the purpose and with the means determined by the controller. Processors (sailors) act under captain’s instruction and report issues to the controller.

So from a Project MoodleNet perspective, Moodle (the company) is the ship, providing both the purpose and the means. The processor is the Project MoodleNet team which is processing the data. To the end user, the data controller and data processor are effectively one and the same.

Data Controllers

The interesting thing about the GDPR is that you can’t just respect users’ privacy and security, you have to prove that you’re doing so:

First of all, to demonstrate legal compliance is in itself a GDPR obligation. Being able to demonstrate that your organisation is taking compliance measures, both technical and organisational, may save you from potential hazards, such as heavy fines or sanctions. Controllers have to implement appropriate technical as well as organisational measures to make sure that processing of data complies with the GDPR. They have to implement these measures to ensure data protection by design and by default.

One method of doing so is ‘privacy by design’, something covered in a previous week, and which allows you to demonstrate that user-respecting privacy safeguards are built into your products and services.

However, things can and do go wrong. GDPR therefore mandates what must happen in the event of a data breach:

In the event of a data breach, controllers have the obligation to notify the supervisory authority of that breach.

The supervisory authority in the UK is, I believe, the Information Commissioner’s Office. Moodle is an Australian company that is setting up an office in Barcelona. Until that’s set up, Moodle is processing EU members’ data without a legal presence in the EU. I wasn’t sure what that meant in terms of supervisory authority, so looked it up. Basically, it means that instead of a ‘one-stop shop’ approach, in the event of a data breach, Moodle would have to inform each member state individually.

The data controller has a responsibility to help users exercise their GDPR rights:

Finally, a very important obligation for a data controller is the duty to assist data subjects with exercising their rights to privacy and data protection under the GDPR. For example, a controller has the duty to provide data subject with sufficient information when collecting personal data.

Handily, the Futurelearn course (which is put together by the University of Groningen) has a list of the obligations for data controllers:

Controllers’ obligations may include:

• To maintain records of all processing activities (Article 30 GDPR);

• To cooperate and consult with supervisory authorities (Article 31 GDPR);

• To ensure a level of security (Article 32 GDPR);

• To notify the supervisory authorities in the event of a data breach (Article 33 GDPR);

• To conduct a data protection impact assessment (Article 35 GDPR);

• To appoint a data protection officer (Article 37 GDPR);

• Specific obligations as regards transfer of data outside the EU (Chapter V GDPR);

• To assist data subjects with exercising their rights to privacy and data protection (Chapter III GDPR).

In other words, there are a lot of companies that are going to have to get a whole lot more transparent about user data very quickly. I feel that we’re in a pretty good position with Project MoodleNet, as we can design all this in from the outset.

Data protection by default

Just as the GDPR advocates privacy by design, it also specifies ‘data protection by default’:

Data protection by default means that, by default, technical and organisational measures need to be taken to ensure that only personal data which are necessary for a specific purpose are processed. This obligation covers the amount of data collected, extent of processing, storage period and accessibility. This means that, by default, the less personal data that are processed, the better. This obligation includes that, by default, personal data are not accessible without the data subject’s intervention.

So, for example, I use an app called FullContact to manage my contacts across various accounts and to automatically update their details. It’s great, and I’m a paying subscriber to their service. When I install it on my Android smartphone, I get a screen which prompts me to give the app access to my contacts:

Full Contact

Given the job I’ve asked the app to do, giving it access to my contacts seems reasonable. I’ve seen other apps, however, request access to my microphone, location, and other ways of gaining potentially sensitive information about me, without any obvious reason why they would need to do so. GDPR compliance prevents this.

One thing we’ve been discussing with Project MoodleNet is pseudonymisation. Sometimes on a social network, for a whole variety of reasons, you may want to avoid posting with your ‘regular’ account. In this case, token-based pseudonymisation can help:

An example of an effective measure as mentioned in Article 25 is pseudonymisation. Pseudonymisation substitutes the identity of the data subject in such a way that additional information is required to re-identify a data subject. Such measures may also include anonymisation, which irreversibly destroys any way of identifying the data subject.

So, for example, you might be able to generate a finite number of pseudonymous accounts with your login details every month. This would mask your identity when it matters but, if you decided to do something illegal, or troll other members of the network, it would be possible to figure out who you are.
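A sketch of the monthly pseudonym idea described above, added here as an illustration and not taken from the original post or from Project MoodleNet. It assumes keyed derivation with HMAC-SHA256; the class name, the quota of 3, the `anon-` prefix and the sample accounts are all hypothetical.

```python
import hashlib
import hmac
from datetime import date

MONTHLY_QUOTA = 3  # assumed value; the post only says "a finite number"


class QuotaExceeded(Exception):
    """The account has already used every pseudonym slot for this month."""


def month_of(day: date) -> str:
    """Return the issuing period as 'YYYY-MM'."""
    return f"{day.year:04d}-{day.month:02d}"


class PseudonymIssuer:
    """Hypothetical issuer: derives pseudonyms with HMAC-SHA256 under a secret key.

    The key is the 'additional information' needed to re-identify someone, so it
    has to be stored apart from the posts and the account database.
    """

    def __init__(self, key: bytes, quota: int = MONTHLY_QUOTA):
        if len(key) < 32:
            raise ValueError("use a random key of at least 32 bytes")
        if not 1 <= quota <= 255:
            raise ValueError("quota must fit in one byte")
        self._key = key
        self._quota = quota
        self._used = {}  # (account_id, 'YYYY-MM') -> slots handed out so far

    def _derive(self, account_id: str, period: str, slot: int) -> str:
        account = account_id.encode("utf-8")
        # Length-prefix the account id so distinct (account, period) pairs can
        # never serialise to the same byte string.
        msg = len(account).to_bytes(4, "big") + account
        msg += period.encode("ascii") + bytes([slot])
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return "anon-" + tag[:24]  # keep 96 bits of the tag

    def issue(self, account_id: str, day: date) -> str:
        """Hand out the next unused pseudonym for this account and month."""
        period = month_of(day)
        slot = self._used.get((account_id, period), 0)
        if slot >= self._quota:
            raise QuotaExceeded(f"{self._quota} pseudonyms already issued in {period}")
        self._used[(account_id, period)] = slot + 1
        return self._derive(account_id, period, slot)

    def reidentify(self, pseudonym: str, day: date, accounts):
        """Map a pseudonym back to an account; only works with the right key.

        Recomputes every slot for every candidate account, so the cost is
        len(accounts) * quota HMAC operations.
        """
        period = month_of(day)
        wanted = pseudonym.encode("utf-8")
        for account_id in accounts:
            for slot in range(self._quota):
                candidate = self._derive(account_id, period, slot).encode("utf-8")
                if hmac.compare_digest(candidate, wanted):
                    return account_id
        return None


def demo():
    """Run the scheme on constructed sample data and return the observations."""
    key = bytes(range(32))  # constructed demo key; use secrets.token_bytes(32) in practice
    accounts = ["alice@example.org", "bob@example.org"]  # constructed accounts
    issuer = PseudonymIssuer(key)
    day = date(2018, 5, 10)
    names = [issuer.issue("alice@example.org", day) for _ in range(MONTHLY_QUOTA)]
    try:
        issuer.issue("alice@example.org", day)
        quota_enforced = False
    except QuotaExceeded:
        quota_enforced = True
    owner = issuer.reidentify(names[1], day, accounts)
    # Someone without the key (modelled as a different key) learns nothing.
    outsider = PseudonymIssuer(bytes(32)).reidentify(names[1], day, accounts)
    return names, quota_enforced, owner, outsider


if __name__ == "__main__":
    print(demo())
```

Because every pseudonym is derived under the key, two pseudonyms belonging to the same person look unrelated to other members, while the key holder can still trace either one back to the account.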

All of this is fascinating as, instead of organisations making it all up as they go along, they have to figure a lot of things out in advance in order to satisfy their legal requirements and inform the user:

When collecting personal data directly from data subjects, the controller has to provide the following information to data subjects at the moment of obtaining the data:

  • The controller’s identity and contact details;
  • The contact details of the data protection officer (if applicable);
  • The purposes and legal basis for data processing;
  • The recipients of the personal data;
  • The fact that the controller intends to transfer personal data outside the EU (if applicable).

Furthermore, to ensure fair and transparent processing, the controller needs to provide the following information:

  • The reason why the data subject needs to provide personal data (this could be a statutory or contractual requirement or a requirement to enter into a contract), if the data subject is obliged to do so and what the consequences are for not providing the data;
  • Data storage period;
  • The rights of data subjects (right to access, rectification, erasure, restriction of processing, objection to processing, data portability, the right to withdraw consent; the right to lodge a complaint with a supervisory authority);
  • The existence of automated decision making (including profiling);
  • Any other purposes (if the controller intends to further process the personal data for a purpose other than that for which the data was originally collected).

Over and above this, organisations have to be a lot more secure in their data storage and processing procedures.

Under Article 32, controllers have the obligation to take technical and organisational measures to achieve a level of security appropriate to potential risk. When taking these measures, they need to consider the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Examples of such measures include:

  • Pseudonymisation and encryption;
  • Ensuring the ongoing confidentiality, integrity, availability and resilience of processing system and services;
  • The ability to restore the availability and access to personal data in a timely manner in case of physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing.

Data breaches

Returning to what happens when and if things go wrong, and user data is compromised, the GDPR makes very specific provisions:

When a data breach occurs, a controller has the obligation under Article 33 to notify the competent supervisory authority within 72 hours after becoming aware of the data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the supervisory authority is not notified within 72 hours, the controller needs to provide reasons for the delay.

Note the ‘unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons’. In other words, if there’s a data breach but the data is encrypted (as in the case of the LastPass hack) then, as far as I’m aware, while the organisation may choose to notify the supervisory authority, they are not required to do so. Obviously, if personally identifiable information was accessed, then the organisation would need to notify the relevant supervisory authority within 72 hours.

If there’s an elevated risk, then the notification should be immediate. The ‘data subject’ (i.e. user) also needs to be informed, in ways that they can understand:

Furthermore, the controller has the obligation to communicate without undue delay the personal data breach to the data subject under Article 34 if the breach is likely to result in a high risk to the rights and freedoms of natural persons. The communication to the data subject needs to be described in clear, plain and understandable language.

Data Protection Impact Assessment (DPIA)

Interestingly, the GDPR makes provision for new kinds of technologies that may put ‘data subjects’ (i.e. users) at risk. Organisations using new technologies to obtain personally identifiable information are required to carry out a Data Protection Impact Assessment (DPIA):

If there is a chance that a new type of processing (especially when using new technologies) may cause a high risk to the rights and freedoms of natural persons, the data controller needs to carry out a DPIA.

The example in the course is something like using ultrasound to ‘fingerprint’ people. This won’t be a concern for Project MoodleNet, as we’re using pre-existing technologies.

Data Protection Officer (DPO)

Apparently, in earlier drafts of the GDPR, the appointment of a Data Protection Officer (DPO) was mandatory for all organisations that had over 250 employees. However, as I’m sure someone pointed out, when Instagram was purchased by Facebook, it had 27 million users on iOS alone… and only 13 employees.

The final version of GDPR makes no mention of the number of employees an organisation must have before having a DPO is mandatory. Instead, it focuses on the type and scope of the data being processed.

Appointing a DPO is mandatory under certain conditions. Based on Article 37 a controller and processor need to designate a DPO if:

  • The processing is carried out by a public authority or body (with the exception of courts acting in their judicial capacity);
  • The core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale;
  • The core activities consist of processing on a large scale of special categories of data (Article 9) or personal data relating to criminal convictions and offences (Article 10).

Data Processors

As we have already seen, data controllers and data processors are different. Data controllers, using the nautical metaphor introduced earlier, are like the ship’s captain, whereas the data processors are like the crew.

Processors process data on behalf of controllers and under controller’s instructions. Processing has to be governed by a contract or other legal act under EU or national law that is binding on the processor. This contract or legal act, among other things, determines certain obligations for processors and how they assist data controllers in fulfilling their GDPR obligations. Some of these obligations are similar to the obligations of data controllers.

Not only are some of the obligations the same, but as with the case of Moodle and Project MoodleNet, the data controller and data processor are one and the same.

Again, data processors have to be able to demonstrate that they are acting within the terms of GDPR:

The most important obligation for both controllers and processors is to demonstrate legal compliance. Concrete technical and organisational measures (such as documentation, records, Data Protection by Design and by Default, etc.) may provide good evidence to demonstrate compliance with the GDPR.

Applying my learning to Project MoodleNet

Finally, the third week of this course asks a few questions:

  1. How will you demonstrate compliance? Do you keep records? Do you have a privacy policy? Does your personnel have clear privacy instructions? Do you have clear agreements between controllers and processors?
  2. Do you need to carry out a DPIA?
  3. Do you need to appoint a DPO or a representative?

The second and third questions are the easiest to answer. As Project MoodleNet does not involve new technologies that access personally identifiable information, we won’t need to carry out a DPIA. In terms of the DPO, Moodle is currently interviewing for a DPO to be based in the new Barcelona office.

Returning to the first question, Moodle has blogged about the organisation’s approach to GDPR in terms of its open source learning platform. With Project MoodleNet, however, the answer to the sub-questions around record-keeping, privacy policies, etc. is “we will have”. As I mentioned earlier, one of the benefits of developing this project as GDPR comes into force is that we can build it from the ground up with these in place!


Image by jesse orrico available under a CC0 license

Creating the world’s smallest social network (for testing purposes)

Note: I’m writing this post on my personal blog as this isn’t an official Moodle pronouncement, just some experimentation.


I’m leading Project MoodleNet, which will be “a new open social media platform for educators, focused on professional development and open content”. There are decisions I have to make, and these need to be based on criteria, prioritisation, etc.

One of the things I’m keen to do with the professional social networking component of Project MoodleNet is to ensure that it’s decentralised. By this I mean that, unlike Twitter and Facebook and Instagram, it won’t be a ‘silo’ of information.

Instead, Project MoodleNet will be federated in a way which allows information to flow between instances. It’s well explained in this article, which includes the following diagram which outlines the technical protocols on which a number of options are based:

Venn diagram of the Fediverse

As you can see, the ActivityPub protocol is definitely a candidate for the professional social network aspect of Project MoodleNet. Last week it became a W3C recommended standard.

For less technical readers, the upshot of this is that users can send messages, files, and (most importantly) emojis to anyone on any server that uses the ActivityPub protocol. Products and services built upon this protocol may look and feel very different, but all of the data is interoperable.

ActivityPub diagram

The W3C specification, which includes these diagrams, is surprisingly readable!

Mastodon is a social network which was originally built on the OStatus protocol, but which is now also compatible with ActivityPub. I’m a member of the social.coop instance, although there’s no limit on the number of different accounts you can hold on different instances.

Although they have a common basis, you find differences between Mastodon instances. For example, some have a particular focus, meaning that the stream of updates you get from your own instance might be focused on gaming, or education, or LGBT rights. There are also differences in the kinds of language and content allowed by instances.

No matter which instance you’re on, however, you can follow anyone from any instance. You can see this in the screenshot below.

Mastodon screenshot

From left to right:

  • My ‘Home’ stream is populated with updates from the people and accounts I follow.
  • The ‘Notifications’ stream works the same as Twitter (replies, favourites, boosts)
  • ‘Local timeline’ is everyone on the same instance as me.
  • ‘Federated timeline’ is everyone’s updates in the Fediverse.

In practice, it’s a lot like TweetDeck (I think on purpose).

I wanted to have access to a testing version of Mastodon to look at the administration and moderation functionality. Paul Greidanus was kind enough to spin up an instance which, for obvious reasons, isn’t federated to the rest of the network.

Mastodon - Moodle

I closed self-registration and invited some Moodle staff to create an account via a special link. As you can see, it was pretty quiet. That’s OK, however, as I’m really just interested in the moderation and admin functionality.

The additional options available to a moderator and/or admin are in the same place as user settings. It’s a nice touch, and the way that it’s presented makes it easy to focus on what you want to achieve, rather than getting sidetracked with technical stuff.

Mastodon moderation audit

The audit log shown in the screenshot above is useful, particularly for GDPR compliance and reporting reasons.

Mastodon moderation - invitations

This is also the place where you can generate invitations, which can have a maximum number of uses and/or expire after a certain time. There’s also functionality around blocking email addresses from certain domains from registering.

On the admin side of things, this is where you can configure the public description of the instance, add contact details, and specify the rules and other guidelines.

Mastodon admin

The thing that interested me most, however, was CUSTOM EMOJIS:

Mastodon - custom emojis

Finally, there are various technical reports and queries you can run from a technical point of view.

I have to say that I wasn’t expecting the moderation and admin side of Mastodon to be so… user-friendly. It’s incredibly easy and intuitive to use, although it does mean delving into the code if, say, you want to change the default background colour to orange!

The next thing to do is to experiment with Hubzilla, which is also mentioned on the Venn diagram earlier in this post. It’s important to experiment both technically and with users, and weigh all of these things against the principles that underpin Project MoodleNet.

Exciting times!


Main image by Slava Bowman used under a CC0 license

More on the mechanics of GDPR

Note: I’m writing this post on my personal blog as I’m still learning about GDPR. This is me thinking out loud, rather than making official Moodle pronouncements.


‘Enjoyment’ and ‘compliance-focused courses’ are rarely uttered in the same breath. I have, however, enjoyed my second week of learning from Futurelearn’s course on Understanding the General Data Protection Regulation. This post summarises some of my learning and builds upon my previous post.

This week, the focus was on the rights of data subjects, and started with a discussion about the ‘modalities’ by which communication between the data controller and processor, and the data subject, takes place:

By modalities, we mean different mechanisms that are used to facilitate the exercise of data subjects’ rights under the GDPR, such as those relating to different forms of information provision (in writing, spoken, electronically) and other actions to be taken when data subjects invoke their rights.

Although the videos could be improved (I just use the transcripts) the mix of real-world examples, quizzes, and reflection is great and suits the way I learn best.

I discovered that the GDPR not only makes provision for what should be communicated by data controllers but how this should be done:

In the first place, measures must be taken by data controllers to provide any information or any communication relating to the processing to these individuals in a concise, transparent, intelligible and easily accessible form, using the language that is clear and plain. For instance, it should be done when personal data are collected from data subjects or when the latter exercise their rights, such as the right of access. This requirement of transparent information and communication is especially important when children are data subjects.

Moreover, unless the data subject is somehow attempting to abuse the GDPR’s provisions, the data controller must provide the requested information free of charge.

The number of times my surname is spelled incorrectly (often ‘Bellshaw’) or companies have other details incorrect, is astounding. It’s good to know, therefore, that the GDPR focuses on rectification of individuals’ personal data:

In addition, the GDPR contains another essential right that cannot be disregarded. This is the right to rectification. If controllers store personal data of individuals, the latter are further entitled to the right to rectify, without any undue delay, inaccurate information concerning them. Considering the purpose of the processing, any data subject has the right to have his or her personal data completed such as, for instance, by providing a supplementary statement.

So far, I’ve focused on me as a user of technologies — and, indeed, the course uses Google’s services as an example. However, as lead for Project MoodleNet, the reason I’m doing this course is as the representative of Moodle, an organisation that would be both data controller and processor.

There are specific things that must be built into any system that collects personal data:

At the time of the first communication with data subjects, the existence of the right to object – as addressed earlier – must be indicated to data subjects in a clear manner and separately from other information. This right can be exercised by data subjects when we deal with the use of information society services by automated means using technical specifications. Importantly, the right to object also exists when individuals’ personal data are processed for scientific or historical research or statistical purposes. This is, however, not the case if the processing is carried out for reasons of public interest.

Project MoodleNet will be a valuable service, but not from a scientific, historical, or statistical point of view. Nor will the data processing be carried out for reasons of public interest. As such, the ‘right to object’ should be set out clearly when users sign up for the service.

In addition, users need to be able to move their data out of the service and erase what was previously there:

The right to erasure is sometimes known as the right to be forgotten, though this denomination is not entirely correct. Data subjects have the right to obtain from data controllers the erasure of personal data concerning them without undue delay.

I’m not entirely clear what ‘undue delay’ means in practice, but when building systems, we should build it with these things in mind. Being able to add, modify, and delete information is a key part of a social network. I wonder what happens when blockchain is involved, given it’s immutable?

The thing that concerns most organisations when it comes to GDPR is Article 79, which states that data subjects have legal recourse if they’re not happy with the response they receive:

Furthermore, we should mention the right to an effective judicial remedy against a controller or processor laid down in Article 79. It allows data subjects to initiate proceedings against data controllers or processors before a court of the Member State of the establishment of controllers or processors or in the Member State where they have their habitual residence unless controllers or processors are public authorities of the Member States and exercise their public powers. Thus, data subjects can directly complain before a judicial institution against controllers and processors, such as Google or others.

I’m particularly interested in what effect data subjects having the right “not to be subjected to automated individual decision-making” will have. I can’t help but think that (as Google has already started to do through granular opt-in questions) organisations will find ways to make users feel like it’s in their best interests. They already do that with ‘personalised advertising’.

There’s a certain amount of automation that can be useful, the standard example being Amazon’s recommendations system. However, I think the GDPR focuses more on things like decisions about whether or not to give you insurance based on your social media profile:

There are three additional rights of data subjects laid down in the General Data Protection Regulation, and we will cover them here. These rights are – the right not to be subjected to automated individual decision-making, the right to be represented by organisations and others, and the right to compensation. Given that we live in a technologically advanced society, many decisions can be taken by the systems in an automatic manner. The GDPR grants to all of us a right not to be subjected to a decision that is based only on an automated processing, which includes profiling. This decision must significantly affect an individual, for example, by creating certain legal effects.

Thankfully, when it comes to challenging organisations on the provisions of the GDPR, data subjects can delegate their representation to a non-profit organisation. This is a sensible step, and prevents lawyers becoming rich from GDPR challenges. Otherwise, I can imagine data sovereignty becoming the next personal injury industry.

If an individual feels that he or she can better give away his or her representation to somebody else, this individual has the right to contact a not-for-profit association – such as European Digital Rights – in order to be represented by it in filing complaints, exercising some of his or her rights, and receiving compensation. This might be useful if an action is to be taken against such a tech giant as Google or any other person or entity. Finally, persons who have suffered material or non-material damage as a result of an infringement of the GDPR have the right to receive compensation from the controller or processor in question.

Finally, and given that the GDPR applies not only across European countries, but to any organisation that processes EU citizen data, the following is interesting:

The European Union and its Member States cannot simply impose restrictions addressed in Article 23 GDPR when they wish to. These restrictions must respect the essence of the fundamental rights and freedoms and be in line with the requirements of the EU Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms. In addition, they are required to constitute necessary and proportionate measures in a democratic society meaning that there must be a pressing social need to adopt these legal instruments and that they must be proportionate to the pursued legitimate aim. Also, they must be aiming to safeguard certain important interests. So, laws adopted by the EU or its Member States that seek to restrict the scope of data subjects’ rights are required to be necessary and proportionate and must protect various interests discussed below.

I learned a lot this week which will stand me in good stead as we design Project MoodleNet. I’m looking forward to putting all this into practice!


Image by Erol Ahmed available under a CC0 license

Social networking and GDPR

Note: I’m writing this post on my personal blog as I’m still learning about GDPR. This is me thinking out loud, rather than making official Moodle pronouncements.


I have to admit to EU directive fatigue when it comes to technology (remember the ‘cookie law’?) so when I heard about the General Data Protection Regulation (GDPR), I didn’t give it the attention it deserved.

The GDPR is actually pretty awesome, and exactly the kind of thing we need in this technologically-mediated world. It has wide-ranging impact, even beyond Europe. In fact, it’s likely to set the standard for the processing of user information, privacy, and security from May 2018 onwards.

So, on the advice of Gavin Henrick, I’m in the midst of Futurelearn’s course on Understanding the General Data Protection Regulation. The content is great but, unlike Mary Cooch’s excellent videos for the Learn Moodle Basics 3.4 course (which I’m also doing at the moment) I don’t find the videos helpful. They don’t add anything, so it’s a more efficient use of my time to read the transcripts.

All of this is prologue to say that GDPR affects the work I’m leading at the moment with Project MoodleNet. It may be in its early stages, but privacy by design (PDF) means that we need to anticipate potential issues:

The Privacy by Design approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred − it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.

Project MoodleNet is a social network for educators focused on professional development and the sharing of open content. As such, it’s a prime example of where GDPR can protect and empower users.

Article 5(1) from the official document states:

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

We’re kicking off Project MoodleNet by looking at all of the different components we’ll be building, and really zeroing-in on user control. A key part of that is the way(s) in which users can authenticate and are authorised to access different parts of the system. We’re exploring open source approaches such as gluu (which has been GDPR-ready since November) that make it easy for the user while protecting their privacy.

In addition, and as I’ve touched on while writing at the project blog, we’re going to need to ensure that users can, at the very least:

  • see what data is held on them
  • choose whether to revoke consent around storage and processing of that data
  • request a data export
  • ask for any of their personal data to be securely destroyed.

I actually think Google do a pretty good job with most of this with Download your data in your account settings (formerly ‘Google Takeout’).

One challenge, I think, is going to be global search functionality. To make searching across people, resources, and news reasonably fast, there’s going to be some pre-caching involved. We need to explore to what extent that’s compatible with purpose limitation, data minimisation, and storage limitation. It may be that, as with the authentication/authorisation example above, this is already somewhat of a solved problem.

A related issue is that different functionality may be used to a greater or lesser extent by users. Some (e.g. crowdfunding) may not be used by some educators at all. As such, we need to ensure, perhaps through an approach that leans on microservices and APIs, the integrity and confidentiality of user data, while again adhering to the principle of data minimisation.

I’m delighted to be working on this project at such an exciting time for user control and privacy. Organisations that have been wilfully neglecting controls and safeguards around user data, or monetising it in unethical ways, are going to be in for a rough ride. Those, however, that have a commitment to openness and follow the principles of privacy by design are going to find that it’s a competitive advantage!


Image by Sanwal Deen available under a CC0 license
