Due to the recent requirements of GDPR, we have enabled a new feature in SCORM Cloud. You can now choose to make all user names and IDs obfuscated in the database and in all reports with a one-way hash. This feature can be enabled on new or existing Dispatches and is set at the Destination or Dispatch levels.
When dispatch PII hashing is enabled, the learner's PII (learner ID, first name, last name) are hashed in the client browser before being sent to the SCORM Cloud servers. During the launch process, our client-side code retrieves the ID and name from the client LMS using the relevant learning standard API, and the client-side code uses CryptoJS's SHA-256 function to hash that PII.
To be explicit, when PII hashing is enabled for dispatch, SCORM Cloud is sent the following data:
- The secret launch token associated with that dispatched package (which authenticates/authorizes the launch of the content in the first place)
- The learner's IP address and user agent (these are part of web request logs)
- SHA256-hashed versions of the client LMS learner ID, learner first name, learner last name
- Any relevant learning standards information: completion, pass/fail status, score, interaction (Q&A) data, and timing of the learning standard API calls
The last point is particularly important. It is very unusual for course training to ask the user to input PII, in our experience, but if your dispatched courseware did ask personally identifying questions, because the supported learning standards are blind to the questions themselves, that data would indeed be sent to and stored in SCORM Cloud.
This feature makes it easy to create a new Destination with this setting enabled so that when you create new Dispatches using this Destination, the user information will be obfuscated.
You can also set this enabled at the Dispatch level by creating a new Dispatch with the checkbox enabled.
Note that once set, all launches of the Dispatch will be affected and it cannot be reversed once recorded in the database. Even if you disable it on a Dispatch, those users that launched it during the time it was enabled will be obfuscated in all reports.
Example:
LearnerID = destination name_280116f51d487926b4fabad9c5a0e7d7e0207a1b12abcdde565024f
First Name = 48d14f2c95d124710121a0c69a6fa3e9ceed2bfad9a4ea0c5f17398ae69fbb64
Last Name = 2d1e830624b2572adc05351a7cbee2d3aa3f6a52b34fa38a260c9c78f96fcd07
Note: Hashing PII is not available will LTI Dispatches. This should be configured on the Platform / Tool Consumers end.
If you have any questions, please send a message to support@rusticisoftware.com