#5513 - Auto-delete certain data when an account is deleted
-
By PDStig
- Added
- 10 views
| Identifier | #5513 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Auto-delete certain data when an account is deleted |
| Status | Completed |
| Tags |
Roadmap: v11 (custom) Type: Legal compliance / Privacy (custom) |
| Handling member | PDStig |
| Addon | core_privacy |
| Description | The GDPR expects that when a user deletes their account, the website no longer maintains any data of that user except that which is absolutely necessary (and to disclose in the Privacy Policy which data persists).
Currently, Composr does not delete any user data when they delete their account. We expect members to separately contact staff for that. We shouldn't do that. Add a task (using the task queue when applicable) that fires in the background when a member deletes their account. It will run through every privacy hook and perform the removal_default_handle_method action on data that meets one or more of the following criteria: * Any member_id_fields contain the ID of the member who was deleted * Any ip_address_fields contain the most recent IP address of the member AND either has no member_id_fields defined, has the deleted member in at least one of the member_id_fields, or has nothing but the guest ID in member_id_fields * Any email_fields contain the e-mail of the deleted member Also anonymise all additional_anonymise_fields on the rows matching any of the above criteria. |
| Steps to reproduce | |
| Related to | #5512 - Secondary Privacy block detailing the data stored in the database |
| Funded? | No |
The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".
Comments
For regular email, from site email, to staff email, reply to member email. Always CC to the member.
Staff option:
* Never auto-delete user data on deletion
* Ask user via (above) tick box
* Always delete user data (not recommended because staff would have to customize the hooks to make absolutely sure it is what they want)
e.g. when a member requests to have their account deleted, it is put in the task queue, however:
* Their session is invalidated (logged out)
* Their password compat scheme is changed to "pending_deletion" which will prevent them from logging in while the account is pending deletion
* The password compat scheme will also trigger member does not exist when others try to view their profile
When a member requests their account to be deleted, it's all automatic. The new process is as follows:
* Their session is invalidated, and their password scheme is changed to a special one indicating it is pending deletion (so they cannot log in again even if it hasn't yet been actualised... and so no one can view their profile). The actual deletion is added to the task queue because it can be a resource-intensive operation depending on how much content there is to delete.
* On the delete page, they are also asked if they want their data to be purged as well. If ticked, a purge operation is also performed on their content in the queued task (before the member is actually deleted). It uses the default actions as specified in the privacy hooks.