Moodle is a B-Corp and a purpose-first organisation driven by our mission, open source philosophy and implementing practices that consider the impact on students, learners, educators, employees, customers, society, and the environment. 

We remain, as ever, committed to Moodle LMS as an open source platform. A defining characteristic of our open source values and practices is our pledge to build a secure learning management system that protects the privacy and security of learners’ and employees’ data.

Hundreds of thousands of educational institutions, organisations, governments, and hundreds of millions of learners use Moodle daily. We provide them with the tools to ensure that their data, information and operations are secure and protected.

Full data control and transparency

At Moodle, we never have and will not collect, use or monetise any student data or anyone’s personal information from any of the thousands of Moodle sites that exist worldwide. 

As an open source platform, an organisation or education institution’s choice to use Moodle LMS as its learning management system is separate from its choice of a service provider. This means anyone using Moodle LMS can use their own or other resources for hosting and support or obtain assistance from a Certified Moodle Partner or Service Provider. This freedom gives them complete control over their users’ data, including how and where they run their Moodle sites. 

The report published by Human Rights Watch suggests that Moodle App collects learners’ location data and uses Google Firebase Analytics. This is simply not accurate. The Moodle App does not use any user-tracking or analytics tool and only accesses user location when the user requests it for a particular reason. It doesn’t track the user location at any other time. 

In Moodle, educators can use an optional activity called “Database” that allows input of latitude and longitude coordinates. When the learner fills in the form, they can optionally click a button to auto-fill the coordinates using their current location (and the platform will notify them that they have done so). This activity is beneficial in ubiquitous learning environments and is widely used in field activities such as geo-location and cartography games.

Equally, the microphone and camera are only used when the learner requests them. For example, the learner may want to record an audio or video file and upload it to Moodle as part of an assessment. Again, the mobile operating system or Moodle App alerts the student in this instance.

Privacy by design

We take data privacy into account every step of the way. With each new development for our software, we consider how user data is captured, stored and can be retrieved or removed as required to comply with the law. 

To help organisations ensure that their privacy compliance extends to installed plugins external to Moodle, we’ve created a Privacy API that plugin developers need to implement to make their add-ons GDPR compliant.

Security by design

Moodle’s development practices include security by design. This means that we embed a security mindset right from the outset in all software development to ensure the delivery of a secure platform. 

Unlike proprietary software, where the code is hidden and bugs might be exploited, the Moodle community constantly monitors the source code and collaborates to make it more secure through public, well-established processes. Any bugs are detected and fixed quickly, reducing the impact of vulnerabilities and security breaches. To protect all of our users, we practise responsible disclosure, which means we publicly announce issues that come to our attention only when fixes are available, and after registered Moodle sites have had time to upgrade or patch their installations. (This is distinct from our GDPR obligations which we adhere to separately.) 

Moodle is used widely in the military, banking, and other high-security environments. These organisations frequently conduct penetration testing and share their findings with our core team. 

Our fixes are reported globally through the global CVE network and applied to past supported releases to ensure they reach as many sites as possible.

We’ve also set up a security program with Bugcrowd that enables global security researchers to test our platform continuously, easily submitting any security issue through our Vulnerability Disclosure Program.

Plus, our network of Moodle Certified Partners and Service Providers can help organisations  build scalable, reliable and resilient Moodle instances with enhanced security and data protection.

Tools and features to support GDPR compliance

Our leading privacy features ensure that Moodle is GDPR compliant and adheres to local privacy legislation requirements. However, some responsibility for compliance and safety rests with the organisation that controls each Moodle installation. We encourage institutions and organisations to implement security measures for their Moodle installation and: 

  • write multiple policy documents (including site policy for guests) so that they can be completely transparent with their learners, educators and anyone who visits their site on how they collect, use or disclose their data;
  • protect digital minors with age-of-consent checks and manage access for minors who require parental agreement to access their learning management system;
  • handle all data requests from learners and keep track of retention periods in a centralised place; and
  • enable users to easily request access or download their data, to see the policies they’ve agreed to and appoint a Privacy officer role to manage subject access/deletion requests from such users centrally.
  • seek support from a vetted Moodle Certified Partner or Service Provider to deliver a scalable, reliable, secure and resilient Moodle site.

 

Learn more about Moodle.

For further information, please contact us.