Understanding and engaging with legislation (General Data Protection Regulation, GDPR)
In this second section you can either explore a second area of legislation (see above) or give examples of policy issues. Policy issues you may address include:
✓ Policies and strategies (national or institutional)
✓ Technical standards
✓ Professional codes of practice
You might also be expected to engage with institutional policies and, where appropriate, national policies and evidence of some of this should be provided. The kinds of evidence that would support this would include minutes of meetings with legal advisers, documentation showing how legal issues have influenced work (such as reports or data protection forms), justifications for modifications to a course to reflect new policies or a record of how technical standards have been taken into account during system development.
CMALT Guidance 2019
Description
A key aspect of my role involves ensuring that the use of digital learning platforms complies with data protection legislation, particularly the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. One common risk area within Moodle is the incorrect enrolment of students with inappropriate permissions—such as being enrolled as a faculty support or editing teacher—which can unintentionally expose sensitive student data or give access to information they are not authorised to view 🔴CP1.
When a data breach occurs, the process begins with notifying the Information Governance Officer and the module leader for the Moodle site. I then go into Moodle to create detailed logs from the affected course, tracking what the individual(s) with heightened permissions have accessed. These logs are downloaded as a spreadsheet, which documents all relevant actions and times. I also revoke the permissions that were incorrectly granted to the student(s) involved in the breach.
These incidents often occur when a student hasn’t fully completed their registration and hasn’t been made live in the student records system. As a result, staff cannot see the student and manually add them to the course—sometimes inadvertently giving them inappropriate access. Once the issue is identified, I work to ensure it is rectified and help prevent similar incidents in the future 🔴CP1.
While I do not deliver formal training specifically on GDPR, I support academic and support staff in understanding how data protection legislation applies to their use of learning platforms like Moodle. This includes raising awareness of what can happen when data breaches occur, highlighting reporting procedures, and advising on the importance of correct enrolment practices. I often use anonymised breach examples from our context to help staff understand the practical implications of improper permissions and access control 🔵CP4.
This awareness-raising is complemented by ongoing collaboration with the Legal and Compliance Team, the IT Department, and the Digital Education team to ensure that our digital learning environments are technically aligned with GDPR principles—particularly in areas such as data security, appropriate retention, and role-based access 🟢CP3. I also ensure my own understanding remains current by completing institutional GDPR mandatory training every two years and engaging with relevant internal guidance. This continuous professional development helps me to confidently support others and to align my practice with the university’s broader data governance framework 🟡CP2.
Reflection
Working within the constraints of GDPR has significantly shaped my practice and deepened my understanding of the responsibilities institutions have in handling learner data securely and transparently. The potential opportunities for data breaches that I’ve handled have revealed how data governance directly affects the student experience—whether through the inappropriate exposure of personal information, disrupted access to learning resources, or the potential access to other students’ work 🔴CP1.
By identifying patterns in these incidents and communicating them back to academic and support teams, I’ve helped others better understand the real-world consequences of data mismanagement 🔵CP4. These experiences have made me more proactive in embedding data protection considerations into digital practice and platform design—reinforcing not just what staff should do, but why it matters 🔴CP1.
The evolution of my work—from reactive troubleshooting to preventative awareness and strategic collaboration—reflects how data protection considerations are becoming increasingly central to digital education. While I do not hold legal qualifications, I have developed the confidence and practical knowledge to engage effectively with legislation and compliance professionals, ensuring that our learning technologies remain safe, inclusive, and compliant 🟢CP3. As part of this, I have also raised the importance of correct enrolment practices and their link to data protection at Teaching, Learning and Quality Committees (TLQCs), helping ensure that data security is recognised and addressed at a strategic level across the institution 🔵CP4.
Evidence
GDPR & Information Security – Training

University of Plymouth – GDPR Policy
Raised Potential Data Breaches – Emails




Core Principle Values
🔴CP1: A commitment to exploring and understanding the interplay between technology and learning.
🟡CP2: A commitment to keep up to date with new technologies.
🟢CP3: An empathy with and willingness to learn from colleagues from different backgrounds and specialist areas.
🔵CP4: A commitment to communicate and disseminate effective practice.