GDPR Tools

The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and applies to data stored in the Maytas database, as well as data contained in associated learner files (e.g. evidence files for Maytas Hub). To help you comply with the GDPR, two features are available:

• GDPR learner data extract – This is a report which can be exported to a .csv file to produce all a learner's data from the Maytas database upon request.
• GDPR learner data deletion – This is a tool to delete all a learner's data from the Maytas database upon request (as per the 'right to be forgotten').

There are some exceptions to how these work, detailed below.

It is YOUR responsibility to ensure that Maytas data is GDPR compliant, and these tools are provided only to assist with that. If you are in any doubt as to your compliance with the GDPR, we recommend seeking proper legal advice.

GDPR Learner Data Extract

The GDPR learner data extract is a report which retrieves all a learner's data from the database and presents it in five columns, showing the table name, column name, row number, the data as stored in the database and the lookup value (if applicable). The row number is used to distinguish between rows when a learner has multiple rows in the same table; for example, if a learner has two rows in TRAINEEPOT then you would see the data for each column in row 1, followed by the data for each column in row 2.

The report is intended to be exported to a .csv file, as this is compliant with the format required by the GDPR. This is why the report has minimal formatting.

The report must first be imported:

1. Go to Home on the toolbar and click Import on the Reports panel of the ribbon.
2. Click Add Files.
3. Browse to the Maytas 5\Extras\Module Reports folder of the upgrade, select GDPR Learner Extract.m5rep and click Open.
4. Click Finish. When the report has imported, click Finish again.

The report can be run by going to GDPR | GDPR Learner Extract in the Reports Library. You will be presented with the following parameters:

Enter a search term for the learner (this can be a full or partial name or the Trainee ID) and press tab on the keyboard. You can then select the learner from the list in the Learner parameter. Click View to run the report.

Click Export | CSV (comma delimited) to export the report to .csv.

The list of tables included is generated as follows:

• Tables which have a TRAINEEID column;
• Tables which have a USERNAME column;
• Tables which have a LearnerReferenceNumber or LearnRefNumber column;
• PLANEVENTS, if the learner has rows in TRPLANEVENT;
• VISTS, if the learner has rows in TRVISIT.

Note that for PLANEVENTS and VISITS, rows are only included if the learner is the only learner assigned to the event / visit. If multiple learners are assigned to an event / visit then it is excluded from the results, as it would have the potential to include data regarding other individuals. The GDPR makes allowances for excluding requested data if it would compromise data privacy or security.

While we have designed the learner data extract so that it should produce all the required data and only the required data, the scope and complexity of the data in question and the possibility of bespoke tables/columns means it is possible for some data not to be identified automatically, or for erroneous data to be included. Therefore, it is essential that you review the extract before sending it to the learner to ensure that:

• it contains all required data relating to the learner;
• it does not contain any data which would compromise the privacy of other individuals or the security of your system;
• it does not contain any business-sensitive data which the learner should not have access to;
• it does not contain any data which you otherwise believe should not be included.

Special Cases

There are several special cases in how learner data is identified or handled:

• Any column where the value is null or blank is excluded.
• The PFR tables, QSR tables and FM25 funding tables use learner reference number to identify the learner, taken from TRAINEEPOT.SERIALNUMBER. If a learner has multiple learner ref numbers associated with them, all of them will be taken into account.
• Tables which have a USERNAME column but no TRAINEEID column will use USERNAME, providing the learner has a row in M32$_WEBUSERS.
• M32$_WEB_USERCHANGES checks for where KEYVALUES begins with the TRAINEEID.
• COMMUNITYTOPIC and COMMUNITYPOST use CREATEDUSERNAME compared against M32$_WEBUSERS.USERNAME.
• COMMUNITYUSERTASK uses COMMUNITYUSER compared against M32$_WEBUSERS.USERNAME.
• LETTERS checks for the TRAINEEID value stored in LETTERS.EVENTKEY1.
• LLWRLEARNERAWARD_DELETE, LLWRLEARNERPROGACTIVITY_DELETE, LLWRLEARNERPROGRAMME_DELETE and LLWRLEARNERS_DELETE use LEARN_ID compared against TRAINEE.LLWR_LEARNID.
• DESTINATIONS_SURVEY_ATTEMPT uses EMAILEDUSED compared against TRAINEE.EMAIL.
• WEBJOURNALS uses OWNERTRAINEEID compared against TRAINEEID.
• M5$_PROFILE_MEASUREMENT_ITEM_DETAILS checks for the TRAINEEID in ITEMKEY1, 3, 4, 5 or 6 (not ITEMKEY2, as that is an integer column).

GDPR Learner Data Deletion

The GDPR learner data deletion tool deletes all data in the database associated with the learner (with some exceptions, detailed below). This must first be enabled in the permissions editor:

1. Go to Tools | Edit Permissions.
2. Select the user or group which requires permission.
3. Go to the Commands tab.
4. Expand the GDPRDelete section.
5. Set the permission GDPR Delete to Visible.
6. Click Apply and restart Maytas for the permission to take effect.

To use the GDPR deletion tool:

1. Open a learner record.

2. Go to Delete | GDPR Delete.

   

3. You will be prompted to confirm deletion of the learner. Click Yes to continue.

   

4. Before the deletion is performed, it is essential to review the data which will be deleted. To do this, click Show Data. Please be aware that this may take a while.

   

   The list of data to be deleted is produced using the same methods used to produce the GDPR learner data extract (see above for details).

5. By default, the Delete Attached Files checkbox at the top-right is ticked, which will delete any files from the learner’s contact log, journal, Maytas Hub messages, Maytas Hub portfolio, objectives, file store and visits. If you want to keep these files, un-tick the box.

   Before continuing, ensure that the listed data is safe to delete, as the deletion is irreversible.

6. Once you are satisfied that the data can be deleted, click Delete.
7. You will be asked to confirm a final time. Click Yes to proceed with deletion.
8. Once the learner has been deleted, restart Maytas. Continuing without restarting Maytas may result in errors in certain parts of the system.

It is possible for the list of data to be deleted to not automatically identify learner data in bespoke tables / columns (e.g. if they do not have TRAINEEID or USERNAME columns). If you identify data not included in the generated list which also requires deletion, this must be performed manually.

Exceptions

The following data is not included in the list for deletion:

• Visits or events where other learners are also assigned. This data should not be deleted as it still pertains to the other learners. However, the TRVISIT or TRPLANEVENT record for the learner in question will be deleted.
• Any learner data which cannot be automatically identified using the learner’s TRAINEEID, USERNAME or SERIALNUMBER. All relevant data from standard tables is taken into account, so this should only apply to bespoke tables.

Difference Between Delete and GDPR Delete

There is an existing Delete tool on the learner ribbon which is different to the GDPR Delete tool.

The existing Delete tool ONLY removes date from a fixed set of core tables relating to the learner or POT record, but other data associated with the learner will remain (e.g. data from the ILR or LLWR export tables). This means it is not GDPR compliant in terms of deleting an individual's data on request.

The GDPR Delete tool removes ALL a learner's data, minus the exceptions detailed above. Please note that it is your responsibility to ensure that this is GDPR compliant.

Also, please note that if a learner record has previously been deleted using the existing tool, the GDPR Delete tool cannot be used to remove any remaining data. Please contact Maytas Support if you require assistance with deleting data for learners in this situation, as this can be done via scripts providing the correct TRAINEEID can be identified.

Note on Profiling

It is possible that deleting a learner may result in incorrect profiling totals in existing profile measurements where the learner is included. In these circumstances, running a new profile measurement should resolve the issue.