Totara Learn GDPR approach statement

Totara is a GDPR-compliant LMS - you can read more on our website. 

1) Background

The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive, strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe. Upon the UK leaving the EU, GDPR was retained in UK domestic law as the UK GDPR.

The internet is awash with information on GDPR. We have found the UK Information Commissioner's Office website to be a good source of accessible information with a good overview of GDPR.

2) Compliance enabled through our platform

A software platform on its own doesn't ensure GDPR compliance.

Compliance is a result of:

  • Robust processes

  • Clearly articulated policies and information given to users informing them of their rights and how you use their data

  • Enabling technology to deal with requests from individuals that arise from their increased rights under GDPR

While we recognise that our platform is only part of your overall drive for your organisation to be GDPR compliant, we have taken steps to ensure that Totara Learn is capable of fully supporting GDPR requirements as detailed below.

3) Improvements to Totara Learn

While Totara Learn previously supported many of the existing rights under current legislation, we identified and implemented further improvements to the platform to support subscribing organisations and partners in becoming GDPR compliant.

Site policies

The ability for administrators to track the version of a site policy and any opt-ins that a user has agreed to.

The ability for individual users to visit the site policy pages they have signed up to and amend their agreements to the policy or opt-ins.

Data access

The ability for an individual user to export all data linked to them. Note that the format of each item of exported data is equivalent to how it is stored in the application's database (e.g., numerical values that represent status).

This data complements the user's ability to see what type of processing is happening in the system and should align with the data policies the user has signed up to in the site policy. For example, they will be able to tell from the output that the platform is processing items like: quiz answers; appraisal completions; 360 feedback responses; course enrolments, progress and completion; site logins etc.

Data portability

While the data export improvement above provides all data in a consistent output that may be useful for porting data, our view is that there are key data items that somebody is likely to want to "port" to another platform, and these need to be in a more human-readable format.

In Totara Learn this was and continues to be available through existing capabilities in the application (e.g. Report Builder, Record of Learning). This approach can be useful for an individual wanting, for example, to take their completion data (courses, competencies, certifications) with them to a new employer.

Data deletion

In order to comply with data retention policies and the right to erasure, we added the ability to manage "Purge Types". For each "Purge Type" configuration, administrators are able to configure what happens to corresponding data throughout the system for users who have that "Purge Type" applied to them.

As an example, administrators can configure these three types:

  1. A type that: 

    1. keeps a user's certification completions - perhaps because they represent compliance course completions, and

    2. deletes the forum posts that they made when collaborating with other learners in courses. 

  2. A type that: 

    1. anonymises the user profile information - so you cannot identify the user anywhere in the system where user details would normally be displayed or tracked, and

    2. deletes the performance management data - appraisals, 360 feedback, goals, and

    3. keeps the course completion information - so you could still track content usage statistics for electronic content and physical training event fill-rates (seminars).

  3. A type that deletes all the data related to a user.

To adhere to your data retention policy period and the requirement to only keep the data you need for as long as you need it, you may choose to apply the first type when a person leaves the organisation, the second type after 5 years and the third after 7 years.

Administrators are able to configure these "purge types" and therefore what they mean for data in different areas across the platform.

4) Where is it available?

We delivered the improvements described above in an interim major release, Totara Learn 11, in February 2018. Organisations running on earlier major releases of the platform need to upgrade to Totara Learn 11 in order to utilise these improvements for achieving GDPR compliance.

5) Extending for complex requirements

We have provided a robust set of features that should apply to the vast majority of subscribers and the data policies that they implement. However, some organisations have a very specific scenario that requires a specific set of system output or some other tweak to the platform's core functionality.

Since our software is open source and we built these improvements specifically to be extensible, our partners are empowered to extend these capabilities further in order to fully meet a wider set of requirements.