From 32ddf2a93772df1bf5b3c305ee1bef26a0100827 Mon Sep 17 00:00:00 2001 From: Jillian Vogel Date: Thu, 18 Jan 2024 15:19:28 +1030 Subject: [PATCH] docs: adds ADR 9. Personally Identifying Information --- docs/decisions/0009_pii.rst | 71 +++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 docs/decisions/0009_pii.rst diff --git a/docs/decisions/0009_pii.rst b/docs/decisions/0009_pii.rst new file mode 100644 index 0000000..653cf57 --- /dev/null +++ b/docs/decisions/0009_pii.rst @@ -0,0 +1,71 @@ +9. Personally-identifying information (PII) +########################################### + +Status +****** + +Accepted + +Context +******* + +The vast majority of event data processed by Aspects is anonymized to protect user privacy. Most events have an "actor", +and that actor is uniquely identified by an anonymous user ID. + +But some of the community's analytics use cases call for the use of Personally Identifying Information (PII) that is +stored in Open edX. For example, to identify and intercede with learners that are struggling in a course, we need to see +the contact details for that learner. Or if we want to use use demographic data in recruitment campaigns to improve the +diversity of a student group, we need access to user profile fields like country, state, gender, and age group. + +Storing and displaying PII must be done with care, so this document describes the steps needed to protect this data and +help institutions to use it responsibly. + +Decision +******** + +**Opt-in Aspects PII** + +If operators opt-in, Aspects will store PII from Open edX, including User Profiles and a mapping between users and the +anonymous user IDs used in event data. + +Aspects will also construct PII-specific dashboards, charts, and datasources when PII is in use. Access to all event +data in Aspects is restricted to users with a "staff" or "instructor" role on the course, and the PII dashboards will +also carry these restrictions. + +**Removing PII after opting-in** + +If operators choose to opt-out after opting-in to Aspects PII, they are responsible for removing the relevant PII tables, +datasources, dashboards, and charts. + +**Aspects supports user retirement** + +Aspects will integrate with the user retirement pipeline (if it is enabled on the LMS) allowing users to retire their +user accounts and have their PII automatically removed from Aspects. + +However, the retired user's event data will not be removed from Aspects, as they remain anonymized. + +Consequences +************ + +#. Operators must opt-in to storing PII in Aspects by enabling the `ASPECTS_ENABLE_PII` configuration flag. +#. Operators who opt-in and then opt-out of storing PII can remove any PII from Aspects by clearing the + `EVENT_SINK_PII_MODELS` tables in Clickhouse. +#. Aspects will use the standard Open edX annotations for code that references PII. +#. User retirement events in the LMS will trigger removal of PII for retired users. +#. How-to documentation will be created for operators enabling and managing PII. + +Rejected Alternatives +********************* + +**Don't use PII in Aspects** + +Following the Open edX policy of storing and sharing the minimum personal data necessary, Aspects Instructor and +Operator dashboards do not use PII. + +However the community use cases were too compelling to ignore, and so we were not able to keep PII out of Aspects. + +References +********** + +- `OEP-30: PII Markup and Auditing `_ +- `Enabling the User Retirement Feature `_