Privacy Policy – Open Courses

OpenCourses.ie Privacy Policy

Introduction

OpenCourses.ie is a Moodle-based virtual learning environment (VLE) provided by the National Forum for the Enhancement of Teaching & Learning in Higher Education (hereafter, “National Forum”). This privacy policy explains how we collect, use, and protect personal data on OpenCourses.ie. It is an extension of the National Forum’s main privacy statement and is tailored to the OpenCourses.ie platform. This policy applies to all users of OpenCourses.ie – including course participants (learners), course facilitators (instructors), and platform administrators. By using OpenCourses.ie, you agree to the terms of this privacy policy. We are committed to processing personal data in compliance with the EU General Data Protection Regulation (GDPR) and relevant Irish data protection laws.

Data Collection & Usage

We only collect personal information that is necessary to operate the OpenCourses.ie platform and support course participation, engagement, and professional development. The data we collect and how we use it include:

Account Information: When you register on OpenCourses.ie, we collect information such as your name, email address, username, and password. We use this information to create and manage your user account, authenticate you at login, and identify you within courses. For facilitators and administrators, we may also collect professional details like your role, title, or affiliation to manage course content and permissions.
Profile Data: You may choose to provide additional profile information (e.g. a brief bio, profile photo, city/country). Supplying this data is optional and is used to personalise your profile and enable networking or collaboration within the platform. You can edit or remove optional profile details at any time. Please note that your name and certain basic profile information (and for facilitators, possibly your affiliation or bio) will be visible to other participants in the same course to facilitate learning activities. Email addresses are not publicly visible by default to other participants (participants can adjust their email visibility in their profile settings), but facilitators and administrators will have access to participant email addresses for course communication purposes.
Course Participation Data: When you engage in courses, we collect data about your activities and contributions. This includes assignments or quiz submissions, forum posts, chat messages, grades/assessment results, completion status, and feedback. We use this information to deliver the course content, allow facilitators to evaluate progress, provide certificates or badges (if applicable), and improve the learning experience. Course facilitators can view participant submissions and interaction data for their course in order to fulfil their role as instructors. Other participants in a course may see limited data about you, such as forum discussions or group work contributions, but only as necessary for the collaborative learning environment.
Usage & Technical Data: Our system automatically collects certain technical data to ensure the platform operates securely and effectively. This includes information like your IP address, browser type, device information, and timestamps of when you access the platform or specific resources. We also keep logs of actions on the platform (e.g. when you join a course, post in a forum, or complete an activity). We use this data for security, maintenance, and improvement purposes – for example, to troubleshoot issues, protect against unauthorised access, and gather aggregated usage statistics to better understand how courses are used. This technical data is used only internally and only for legitimate administrative purposes.
Communication Data: If you contact us or a course facilitator through support emails or internal messaging on the platform, we will collect the information you provide (such as the content of your messages or any feedback). We use this information to respond to your enquiries, provide support, and improve our services. Additionally, the platform may send you automated emails (for example, notifications about forum posts, course announcements, or password resets). These emails include your name, email address, and relevant course information to keep you informed about your courses. You can manage certain notification preferences in your user settings.

Any data collected is processed in line with the original purposes stated and will not be further processed in a manner incompatible with those purposes.

Legal Basis for Processing

We process personal data on OpenCourses.ie only when we have a valid legal basis under GDPR. The legal bases we rely on include:

Performance of a Contract (Article 6(1)(b) GDPR): When you sign up for an OpenCourses.ie account or enrol in a course, we process your personal data as necessary to provide you with the educational services. This includes managing your enrolment, enabling you to participate in courses, and allowing facilitators to deliver course content and assess your progress. In this context, the “contract” is the terms and conditions of participating in our courses – our processing of your data is required to fulfil our obligations to you as a learner or facilitator.
Legitimate Interests (Article 6(1)(f) GDPR): We process certain data to pursue our legitimate interests in maintaining and improving the platform, in a way that does not override your rights and freedoms. For example, collecting technical usage logs and analytics helps us ensure security, prevent misuse of the Moodle platform, and optimize user experience. We also have a legitimate interest in keeping participant records to issue certificates or verify course completion. When relying on this basis, we only process the minimum data necessary and we carefully consider your privacy rights. You have the right to object to processing based on our legitimate interests (see User Rights below).
Public Task (Article 6(1)(e) GDPR): The National Forum is a publicly-funded initiative aimed at enhancing teaching and learning in higher education. In some cases, the processing of personal data on OpenCourses.ie is carried out as part of our official duties in the public interest (for example, offering national open courses for professional development). This means that certain data processing is considered necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us. Where this basis is used, we ensure the processing is proportional and limited to what is needed for these educational objectives.
Consent (Article 6(1)(a) GDPR): Generally, we do not rely on consent for core learning activities on OpenCourses.ie, since other bases usually cover these. However, if we ever ask for your consent for a specific optional use of your data (for instance, if you opt-in to receive newsletters or if we want to use a quote from your feedback for promotional purposes), you have the right to refuse or withdraw that consent at any time. We will make it clear when consent is requested, and we will also explain how you can withdraw consent as easily as giving it (withdrawal will not affect the legality of processing done before you withdrew).
Legal Obligation (Article 6(1)(c) GDPR): In rare cases, we may need to process or retain certain personal data to comply with a legal obligation. For example, if required by Irish law, court order, or regulatory requirement, we might have to provide information to authorities or retain data for a specified period. In such cases, we will only do so in accordance with the law and will inform you unless we are legally prevented from doing so.

In all cases, we adhere to core GDPR principles: we process your data lawfully, fairly, and transparently; we collect data for specified, legitimate purposes and not in ways incompatible with those purposes; we minimize the data we collect to what is necessary; we strive to maintain accurate data; we limit storage duration (see Data Retention below); and we ensure appropriate security of your personal data.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy or to meet legal and administrative obligations. Our data retention practices for OpenCourses.ie are as follows:

User Account Data: If you have an active OpenCourses.ie account, we will retain your personal information to allow you to continue using the platform and accessing your course history. We review accounts after 12 months of inactivity. If your account has not been accessed or used in a 12-month period, it will be flagged as inactive. Inactive accounts are then scheduled for removal. This means that, after the 12-month review, accounts that remain inactive will have their personal data deleted from our systems. In practice, you can expect that an account with no login or course activity for one year will be permanently deleted shortly thereafter. We may send a notification to the registered email address before deletion, advising you of the pending removal, so you have an opportunity to log in and keep the account active if you wish. Once an inactive account is removed, the associated personal data (profile information, enrolments, etc.) is erased or anonymised in our database.
Course Data: Data related to your course participation (such as assignments, forum posts, and grades) is generally kept for as long as your account exists or as long as needed for the running of the course. If you delete your account or it becomes inactive and is removed, we will either delete or anonymise your personal contributions in courses. In many cases, when a participant account is deleted, their forum posts or other content may be retained in an anonymised form (for example, the post remains but the author is shown as “Deleted user” or similar) so as not to disrupt the learning resources for other users. However, such content will no longer be linked to you and cannot be used to identify you. Course facilitators’ contributions (like course materials or instructions) may be retained as part of the course content for future course runs or archival purposes, but if a facilitator account is removed, we will handle their personal data similarly to other users.
Backup and Log Data: Our system backups and logs may contain personal data. Backups are intended for disaster recovery and are kept securely for a limited time (typically, backups are retained for a short cycle such as several weeks) before being overwritten or deleted. System access logs and other technical logs are generally kept for a short period (e.g. a few weeks up to a few months) for security monitoring and then automatically purged. We do not retain detailed usage logs indefinitely. Any logs retained longer for analysis will be anonymised.
Legal Retention Requirements: If any personal data must be retained to comply with legal obligations or official guidelines (for example, audit requirements for publicly funded programs), we will retain that specific data as required by law, but we will not use it for any other purpose. Once the retention period mandated by law expires, the data will be deleted or anonymised.

After the expiration of the retention period or when data is no longer needed, we ensure it is securely deleted. Please note that removal from our active databases may be followed by a short period in secure backups before complete erasure. We have procedures to ensure that deleted data is not inadvertently restored. If you choose to delete your account or withdraw from a course, we will also follow the above retention schedule. You can always contact us to request deletion of your account or data (see User Rights below), and we will process such requests in accordance with GDPR and our retention policy.

Third-Party Services

To provide the OpenCourses.ie service, we may rely on a small number of trusted third-party service providers. We only share personal data with third parties when necessary for the operation of the platform or as required by law. When we do share data with third-party providers, we ensure they are bound by confidentiality and data protection obligations consistent with GDPR. The key third-party services used by OpenCourses.ie are:

Email Delivery Services: OpenCourses.ie uses external email delivery services to send out system emails and notifications (for example, confirmation of registration, password reset emails, course announcements, and forum digest messages). This means that when the platform sends you an email, your name, email address, and the content of the message are processed through a third-party email service provider. We use these services to ensure emails are delivered reliably and securely. Our email service providers act as data processors on our behalf – they are only permitted to use your information to send emails as instructed by us, and not for their own purposes. We have Data Processing Agreements in place with such providers to safeguard your data. If our email provider stores or transfers data outside the European Economic Area (EEA), we will ensure that appropriate safeguards are in place (such as EU Standard Contractual Clauses or an adequacy decision) to protect your privacy. Using a third-party email service may also involve temporary processing of data like email content on their servers, but this is under strict security controls and retention limits per our contracts with them.
Hosting and IT Infrastructure: The Moodle platform and its data are hosted on secure servers, which may be operated by the National Forum’s parent organisation or a contracted cloud infrastructure provider. This means your data may be stored on hardware or cloud services provided by a third party (for example, a reputable data centre or hosting company). Any such provider is also a data processor for us and is required to maintain stringent security standards. All hosting providers for OpenCourses.ie are GDPR-compliant and, where possible, data is kept within Ireland or the EU. If data is ever processed in another jurisdiction (for instance, if we use a cloud backup service or support from a non-EU vendor), we will ensure compliance with GDPR transfer requirements and protect your information accordingly.
Plugins or Integrations: OpenCourses.ie may include certain Moodle plugins or external tool integrations to enhance learning (for example, integrations for video conferencing, surveys, or content from third-party educational providers). If any plugin or integration needs to collect or share your data with an external service, we will inform you within the platform (usually via a prompt or in the course description) and request consent if required. By default, we configure plugins to minimize data sharing. In cases where an external tool (such as a webinar platform for live sessions) is used, we will ensure you are aware of that third party’s involvement and direct you to their privacy information as needed. We do not send your personal data to any third-party tools without a clear need and your knowledge.

We do not share or disclose your personal information to third parties for marketing or advertising purposes. The third-party services we use are strictly for operating OpenCourses.ie and delivering the services you signed up for. All third parties are vetted for strong data protection practices. If we ever change or add new third-party service providers that process your personal data, we will update this policy and notify users if appropriate, ensuring you remain informed about who may handle your data.

User Rights

As a user of OpenCourses.ie, you have robust rights under the GDPR regarding your personal data. We are committed to facilitating your rights and responding to requests in a timely manner (generally within one month, as required by GDPR). Your principal rights are:

Right to Be Informed: You have the right to clear and transparent information about how we process your personal data. This privacy policy, along with any notices given at the point of data collection, is intended to keep you informed. If you have any questions about our data practices, you can contact us using the details below.
Right of Access: You have the right to request a copy of the personal data we hold about you, as well as information on how we use it. This is also known as a Subject Access Request. You can request access by contacting us (see Contact Information below). We will provide you with a copy of your data in a commonly used electronic form, unless you request a different format. Please note that you can also view and download much of your personal data directly by logging into your account (for example, viewing your profile information, grades, and activity logs).
Right to Rectification: If any of the personal information we hold about you is inaccurate or incomplete, you have the right to have it corrected. You can update some of your information directly in your OpenCourses.ie profile (such as correcting your name spelling or updating your email). For any details you cannot update yourself, you can contact us with the corrected information, and we will rectify our records. We may need to verify the accuracy of the new data you provide, but we will make the correction as soon as possible.
Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data when there is no compelling reason for us to continue processing it. You can request that we delete your OpenCourses.ie account and remove your data from the platform. If you make this request, we will erase your personal data (account information, profile, and identifiable course participation records), provided we do not have a specific legal obligation or overriding justification to keep it. As noted in Data Retention, some content you contributed to courses might be retained in anonymous form to preserve the integrity of course materials for other users, but it will no longer be associated with your identity. We will inform you once your data deletion request has been completed.
Right to Restrict Processing: In certain circumstances, you have the right to request that we suspend the processing of your personal data. You might exercise this right if you contest the accuracy of your data (until we verify or correct it), or if you have objected to processing and we are considering that objection, or if you need us to preserve data for a legal claim while we would otherwise delete it. When processing is restricted, your data will still be stored, but not actively used (apart from storing it) until the restriction is lifted. For example, if you contest a grade and request restriction, we would hold the data but perhaps not process it further until resolved.
Right to Data Portability: For any data you have provided to us and that we process by automated means under the legal basis of contract or consent, you have the right to obtain a copy in a structured, commonly used, machine-readable format (and to have it transmitted to another data controller, where technically feasible). In the context of OpenCourses.ie, this could include information like your profile details or course completion records that you might want to reuse elsewhere. If you need an export of your data, please let us know and we will provide it in a suitable format (for example, CSV or PDF reports of your activity).
Right to Object: You have the right to object to our processing of your personal data when that processing is based on legitimate interests or public interest (Articles 6(1)(e) or 6(1)(f)), or if we were to use your data for direct marketing (which we do not on OpenCourses.ie). If you object to processing, we will evaluate your request and stop the processing in question unless we have compelling legitimate grounds to continue that override your rights, or if the processing is needed for legal claims. For example, you can object to us using your usage data for analytics; unless we have an overriding need, we will cease processing your data for that purpose.
Right to Withdraw Consent: Where we rely on your consent to process your data (such as for an optional feature or communication), you have the right to withdraw that consent at any time. You can do so by changing your settings on the platform (if available) or by contacting us. Once consent is withdrawn, we will stop the processing that was based on consent. Withdrawal of consent will not affect the legality of any processing done before you withdrew consent. For instance, if you had consented to receive a newsletter, you can unsubscribe (withdraw consent) and we will stop sending it.
Right to Lodge a Complaint: If you believe your data protection rights have been violated or that we have not handled your personal data properly, you have the right to lodge a complaint with the supervisory authority. OpenCourses.ie and the National Forum are based in Ireland, so the relevant supervisory authority is the Irish Data Protection Commission (DPC). You can find more information on how to submit a complaint on the DPC’s website (https://www.dataprotection.ie) or contact them at: Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland; Phone: +353 578 684 800 or +353 761 104 800. We encourage you to contact us first with any concerns, and we will do our best to address them.

You may exercise your rights at any time by contacting us (see Contact Information below). We will respond to all legitimate requests and will ask you to verify your identity before fulfilling requests, to ensure we do not disclose data to the wrong person or make incorrect changes. There is no fee for making a request unless it is manifestly unfounded or excessive, in which case (as permitted by GDPR) we may charge a reasonable fee or refuse the request with explanation.

Security Measures

We take the security of your personal data seriously. OpenCourses.ie implements a range of technical and organisational security measures to protect against unauthorised access, alteration, disclosure, or destruction of personal information. These measures include:

Secure Hosting: Our Moodle platform is hosted on secure servers with robust firewalls and monitoring. The servers are maintained by trusted providers who follow industry best practices for security. Data centres hosting our platform have physical security controls in place (e.g. restricted access, surveillance) to prevent unauthorised physical access to the servers.
Data Encryption: All web traffic between your device and OpenCourses.ie is encrypted using HTTPS/TLS. This means that any personal data you transmit (such as when logging in or submitting coursework) is encrypted in transit and protected from eavesdropping. We also encrypt sensitive data at rest where applicable. Passwords are stored in hashed form (not in plain text) in our database, in line with security best practices, so that even in the unlikely event of a breach, your password would not be exposed in usable form.
Access Control and Authorisation: Access to personal data on the platform is role-based and limited. Course facilitators can only access the information of participants in their own courses and only as needed for teaching (for example, viewing submissions or contacting participants). Administrators who manage the platform have higher access but are limited to what is necessary to perform maintenance, support users, or fulfil legal responsibilities. All administrators and staff with access to personal data are trained in data protection and bound by confidentiality obligations. We log administrative access and actions to maintain accountability.
Regular Updates and Patching: We keep the OpenCourses.ie Moodle software and all plugins up-to-date with the latest security patches. Regular maintenance is performed to apply updates and address potential vulnerabilities promptly. We also utilize security tools and audits to detect and remediate any vulnerabilities in the system.
Monitoring and Intrusion Detection: Our technical team monitors the platform for unusual activities or potential intrusion attempts. We employ tools that can detect multiple failed logins or other signs of misuse and take steps (like blocking an IP address or alerting an admin) if suspicious activity is detected. We also use secure coding practices and periodic code reviews for customisations to ensure the platform’s integrity.
Data Minimisation and Protection: We collect only the data that is needed for the platform to function. Any exports or transfers of data (for example, backups, or data given to a service provider for support) are handled securely. Backups are encrypted and stored separately with strict access controls. When data is no longer needed, we dispose of it safely (as outlined in the Data Retention section). Paper records (if any) are kept to a minimum and secured or shredded as appropriate.
Incident Response: In the unlikely event of a security breach that poses a risk to your rights and freedoms, we will notify the affected users and the Data Protection Commission within the timelines required by law. We will also take immediate steps to contain and investigate the breach, mitigate any harm, and prevent future incidents.

While we strive to protect your personal information with these measures, it’s important to note that no system can be guaranteed 100% secure. We therefore also rely on you to help keep your data safe: please use a strong, unique password for your OpenCourses.ie account and do not share it with others. If you suspect any unauthorised access to your account or any security vulnerabilities, please notify us immediately so we can assist and take appropriate action.

Contact Information

OpenCourses.ie (operated by the National Forum for the Enhancement of Teaching & Learning in Higher Education) is committed to respecting your privacy rights. If you have any questions, concerns, or requests regarding this privacy policy or your personal data, please contact us using the details below. You can also reach out to exercise any of your GDPR rights as described above.

Data Protection Contact:
Email: dataprotection@hea.ie
Postal Address: Data Protection Officer, Higher Education Authority, 3 Shelbourne Buildings, Crampton Avenue, Shelbourne Road, Ballsbridge, Dublin 4, D04 C2Y6, Ireland
Telephone: +353 1 231 7100 (Please request to speak with the Data Protection Officer)

You may also contact the OpenCourses.ie support team for general platform queries at admin@teachingandlearning.ie. However, for specific privacy-related matters or formal data protection requests, it is best to use the Data Protection Officer contact above so your query can be handled with the appropriate priority and care.

We will respond to enquiries as promptly as possible. If you contact us by email regarding your data, please include a clear subject line (e.g. “GDPR Data Request – OpenCourses.ie”) and include details of your request, so we can assist you efficiently. For your security, we may need to verify your identity before releasing or modifying any personal data.

Updates to this Policy:
We may update this OpenCourses.ie Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes, we will notify users via email or through a prominent notice on the platform. The “last updated” date below indicates when this policy was last revised. We encourage you to review this policy periodically to stay informed about how we are protecting your information.

Last updated: [20 April 2022]