22.1. Privacy


It is the responsibility of each institution to check what it needs to do to be compliant with the privacy laws in its jurisdiction.

Disclaimer: The information provided here does not constitute legal advice but is provided for information purposes only. If you need legal advice, please consult your own lawyer.

22.1.1. GDPR compliance

Starting in Mahara 18.04, Mahara includes a number of extra privacy-related features to support institutions to be compliant with the GDPR (General Data Protection Regulation), the new EU privacy regulation, effective 25 May 2018. It requires organizations to be stricter in protecting the personal privacy of EU residents.

This does mean though that the software can cover all areas of compliance. Each institution will still need to provide a number of extra information as well as infrastructure to adhere to the GDPR. These include, but may not be limited to the following, depending on your use of personal data of the people who use your site:

  • Up-to-date privacy statement and terms and conditions;

  • Data protection officer and work flow for responding to inquiries;

  • Internal documentation around data protection.

Features in Mahara that cater to the GDPR compliance:

  1. Everyone can be required to consent to the terms and conditions and the privacy statement of the site: This is the strict privacy mode.


    Currently, the strict privacy mode requires that it is not possible for people to be in multiple institutions.

  2. If an institution has additional terms and conditions or privacy regulations to which its members need to consent when using the site, they can be dealt with on the institution level and members need to consent to them.

  3. Whenever changes are made to the legal statements (terms and conditions and privacy statement), everyone affected by them needs to consent to the changed statement(s) when they log into the site the next time.

  4. People can revoke their consent to any legal statement. That will result in a notification to the site or institution administrator for further communication. Additionally, the account will be suspended automatically.

  5. A history of the legal statements is kept on the site level and the institution level and tracked who made the changes.

  6. Everyone can delete their account or request the deletion of their account if an institution requires a review. In the GDPR, this is known as ‚the right to be forgotten‘. All personal content is deleted. The content a person created outside of their personal space is not affected by the account deletion as it is tied to shared content rather than personal content. These include:

    • group discussion posts;

    • journal entries on the group, institution, or site level;

    • uploaded files to a group, institution, or site;

    • portfolios in groups, on the institution or site level.

  7. A report detailing when people consented to which legal statement.

  8. Names and email addresses of deleted accounts are not kept in the system but replaced. Typically, a record of them needs to stay in Mahara because they could have contributed to groups or left comments on other people’s portfolios. However, their name is not displayed. Instead, the generic name ‚Deleted account‘ is displayed.

22.1.2. Data storage

You can install Mahara on your own server infrastructure or use an existing (cloud) data center. It is up to your institution to make that decision based on your technical, financial, and legal requirements and obligations.

Mahara does not prevent you from installing the site anywhere you see fit and does increasingly support cloud storage.