The integration of LTI (Learning Tools Interoperability) interfaces into Moodle opens up a wide range of educational possibilities. The External Tool activity allows external learning tools—such as media and content libraries, interactive learning content, publisher materials, or interfaces to other Moodle platforms—to be seamlessly integrated into courses. At the same time, however, personal data is regularly transferred in the process. This is precisely where the institution’s responsibility under data protection law begins.
Invisible redirects – a privacy issue
Many LTI integrations are technically designed in such a way that users do not even notice when they leave Moodle and are redirected to an external platform. From a user experience perspective, this may be an advantage—but from a data protection standpoint, it is problematic.
This is because every person has the right to know by whom, for what purpose, for how long, and where their personal data is being processed. Platform operators, in turn, are required to provide transparent information on exactly these points. If users are redirected to a third-party platform outside of Moodle without their knowledge and without being informed about the data transfer, this constitutes a clear violation of the GDPR.
Steps Toward Greater Data Protection
1. Clarify responsibilities
First, determine who is acting in which role under data protection law: Is the external service provider a data processor or an independent data controller?
Data processors process personal data solely on behalf of a data controller. If the external service provider is a data processor, a data processing agreement is required.
If the external service is an independent controller, it must transparently disclose which data is being transferred, where it is being transferred, and for what purposes.
2. Ensure transparency for users
In accordance with Article 13 of the GDPR, users must be informed by the controller about:
- the type of data transmitted
- the recipients of the data
- the storage location and retention period
- their rights (right to access, erasure, objection, etc.)
This information should be available in the privacy policy of the Moodle instance and, where applicable, directly within the course.
3. Implement technical and organizational measures
In addition to the legal review, technical security must also be ensured. The following measures are recommended:
- Use of LTI 1.3 / Advantage, as it employs modern security standards (e.g., OAuth 2.0, signed tokens)
- Restrict data sharing in the tool configuration under "Privacy" (here, for example, you can specify that the username and email address should not be shared with the tool)
- Regular monitoring of active interfaces
- Disabling unused tools
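To check that the "Privacy" settings actually take effect, the launch token a tool receives can be inspected for personal data. The following is an added example, not code from Moodle or from this article: it decodes the payload of an LTI 1.3 launch `id_token` and lists personal-data claims that a data-minimization policy does not allow. The sample tokens are constructed, the function names are hypothetical, and the `ext.user_username` claim is an assumption about how the platform transmits the username.

```python
import base64
import json

LTI = "https://purl.imsglobal.org/spec/lti/claim/"
# OIDC standard claims that carry personal data in an LTI 1.3 launch.
PERSONAL_CLAIMS = {"name", "given_name", "family_name", "email", "picture"}

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned stand-in for a captured id_token."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                     _b64url(payload), "constructed-signature"])

def decode_payload(id_token: str) -> dict:
    """Decode the JWT payload for inspection only (no signature check)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))

def audit_launch(id_token: str, allowed: set) -> list:
    """Return personal-data claims in the launch that the policy does not allow."""
    claims = decode_payload(id_token)
    found = {c for c in PERSONAL_CLAIMS if claims.get(c)}
    # Assumption: the platform sends the username as ext.user_username.
    if claims.get(LTI + "ext", {}).get("user_username"):
        found.add("ext.user_username")
    return sorted(found - set(allowed))

# Constructed sample launches (not real data).
FULL = make_sample_token({
    "iss": "https://moodle.example.org", "sub": "42",
    "name": "Ada Example", "given_name": "Ada", "family_name": "Example",
    "email": "ada@example.org",
    LTI + "roles": ["http://purl.imsglobal.org/vocab/lis/v2/membership#Learner"],
    LTI + "ext": {"user_username": "aexample"},
})
MINIMAL = make_sample_token({
    "iss": "https://moodle.example.org", "sub": "42",
    LTI + "roles": ["http://purl.imsglobal.org/vocab/lis/v2/membership#Learner"],
})

if __name__ == "__main__":
    print(audit_launch(FULL, allowed={"name", "given_name", "family_name"}))
    print(audit_launch(MINIMAL, allowed=set()))
```

An empty result means the launch contains no personal-data claims beyond those the policy permits; the opaque `sub` identifier and the role are always part of a launch and are not flagged here.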
Conclusion
Setting up LTI interfaces in Moodle is therefore not merely a technical process, but always involves a decision regarding data protection. Anyone wishing to integrate external tools should involve data protection officers early on, document data flows, and configure the system to minimize data collection as much as possible. This allows for a meaningful combination of innovative learning opportunities and GDPR compliance.
To get a quick overview, visit our free self-study resources:
Navigating the Data Jungle Safely: Running Moodle in Compliance with Data Protection Regulations
For a deeper look into the topic of data protection, we are offering a three-part live webinar. Learn more at:
eLeDia.academy – Additional Modules: Legal Matters and Reports
What is LTI?
Learning Tools Interoperability (LTI) is a technical standard developed by the 1EdTech Consortium (www.1edtech.org, formerly IMS Global). It integrates external learning tools (such as e-learning courses, apps, and virtual labs) into learning management systems such as Moodle seamlessly, securely, and without the need to log in again (single sign-on).

