The Journey Towards GDPR

Blog Post created by af0055432 on Mar 5, 2018
Ladies and Gents, this is being added to over time, it is still a work in progress.

This blog entry is just going to be a place to dump resources, lessons learned or actions undertaken to prepare myself and my employer for the inception of the GDPR (May, 2018).


Instead of re-inventing the wheel, link to a previous article: Ready or not, here the General Data Protection Regulation’s (GDPR)] come! A Fugees Remix!


As someone who was born in Australia, but now residing within the EU, I've started to think, what rights do I have with relation to the data collected about me back home, is information relating to me governed under local privacy laws (or lack of...), or are these local laws superseded by the GDPR?


Well, apparently my rights as a resident of the EU prevail!

Who does the GDPR affect?

The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.



But thinking of myself aside, let's step into what do I need to do now as a Blackboard/VLE administrator to ensure that the rights of our users are preserved.



Personal Information

A lot of information about an individual is stored in one table, and this is the quickest and easiest place to find personal identifying information about staff, students or any visitors who have an account in Blackboard. This table contains fields for your names, title, log-in ID, a contact email address.


Some fields exist here though which aren't so apparent, it is possible for a user to put in their gender, their locale, the department they're in at the institution, but what about personal mobile numbers, business contact numbers, but now what about home addresses.


My Actions/Checklist:

  • Do I need to retain this information?
  • What use-cases are there for student contact numbers/addresses to exist in Blackboard?
    • This data is NOT brought in by any integration with SIS or other systems [for my employer], meaning all data has been input by the user.
      • Is there implicit consent from the user for this data to be retained because they added it?
      • Is implicit consent good enough? Do we need to make it more apparent for our users what they're actually doing when adding this data?
  • (Sorry to name them) TurnItIn [Direct] contains data about users, FirstName, LastName and Email records appear to be replicated and stored in its own table.
    • If we update those fields in the main user table, is this a cascaded update?



Data Retention Period(s)

My Actions/Checklist:

  • What is the legislative retention period in the Netherlands for data such as:
    • User Information
    • Submitted work
      • Quizzes/Assessment?
      • Bachelor, Masters and Doctorate level theses?
    • Activity within the application (Activity Accumulator/bb-access-log.txt)
  • Are these Dutch regulations superseded or reinforced by the GDPR?
  • What is the institutional implementation of the legal data retention policy?
    • How are these policies implemented in the various faculties? Do they differ from the University's policy?
      • The medical faculty (for example) is producing significantly different data to those in other faculties; is any of this data retained in the VLE?



(Suspected) Data Breach Response

How does the GDPR affect policy surrounding data breaches?

Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.




Non-Production Data

My Actions/Checklist:

  • How can we maintain data in Dev/Test/UAT environments?
  • For those environment(s) which are clones of production, how can we ensure real user data is anonymised? (reducing possible attack surface)
    • In changing this data, will we see different experiences in Production to Non-Production for other changes?




Blackboard is a complex piece of software, further enriched by bringing in connections to and from outside systems, there's not only the Building Block architecture, Blackboard is LTI compliant and there are both SOAP and REST based web services available.

Building Block Opportunity: Zabbix LLD Script - Building Block Permissions


My Actions/Checklist:

  • How do we ensure that we're sharing only just enough information for the tools to work?
    • Does 'ToolXYZ' actually require access to a piece of information about a student?
  • Can we set up an internal certification scheme, enabling us (ICTS) to disable or refuse non-compliant tools?
    • If yes, how can we systematically watch for breaches? Manually checking 1-n tools is a tedious task.
      [Selenium or Python feeding Zabbix/ELK?]
  • Can this be built into the change migration pipeline? Stopping those promiscuous tools from making their way into production, where real data is stored.




More to come, as time allows...