PII and GDPR Learner Deletion

To allow you to comply with PII or GDPR requests you may receive as a Realm owner, we’ve added an API capability to destroy all learner information within an application.

Learner Deletion

Unlike the rest of the operations described in these docs, this endpoint is RESTful. It can be considered a preview of version 2 of the SCORM Cloud API.

  • Endpoint:

    /api/v2/learner/{{learnerId}}/delete-information?userEmail={{initiatorEmail}}
    
  • Semantics: This endpoint is a tool for complying with GDPR or general PII requests. It is an asynchronous operation which deletes all of a learner’s information within an application. It requires an initiator email address that is linked to a SCORM Cloud account of sufficient privilege within the realm (either Owner or Administrator).

    Because a learner may exist in multiple applications within a realm, this method may need to be applied to each application containing learner information. If it is detected that the learner is in other applications in the account, OR a learner’s email was used with multiple learner ids, an email giving an overview of this information will be sent to the given initiator email address. If you are aware ahead of time that a learner exists in multiple applications, and you want to remove them from the entire realm, you can use the realm-wide delete operation available on cloud.scorm.com.

    If the learner only exists in the requested application, you’ll receive an e-mail confirming its completion.

  • Required Arguments:

    • learnerId – The id of the learner requesting information removal. Goes in the URL path.
    • userEmail – This is the initiator’s email address, which must be linked to an Owner or Administrator in the realm. This is also used to send an email of any information pertaining to the operation. This is a query parameter.
  • Security: This operation is secured by basic auth, where the username is your application id and the password is a secret key for that application. You’ll need to include this in the Authorization header.

  • Example Call:

    https://cloud.scorm.com/api/v2/learner/exampleLearnerId/delete-information?userEmail=exampleEmail@example.com
    
  • Example Response: 204 status code signifying that the job has been started

  • Notes: There are several possible ways to encounter a 403 Forbidden response when calling this endpoint. While most of them are fairly obvious (wrong auth credentials for instance), there are some others that are worth noting here. Specifically the following:

    • The userEmail parameter MUST belong to a user in the SCORM Cloud account which is being requested
    • The userEmail parameter MUST be a user of sufficient privilege within the account to perform the operation (either Owner or Administrator)
    • The application must have delete operations enabled to perform this operation (disabled by default). For more information on enabling delete operations, see API instructions or website instructions.
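
The following is an added example, not part of the SCORM Cloud documentation or its client libraries: it builds the call described above with the learner id percent-encoded into the path, the initiator email as a query parameter, and the application id and secret key in a Basic Authorization header, then maps the 204 and 403 responses to the outcomes listed here. The function names, the sample credentials and the `DELETE` verb used in the demo are assumptions; the page does not state the HTTP method, so the caller passes it in.

```python
import base64
from urllib.parse import quote, urlencode
from urllib.request import Request

BASE = "https://cloud.scorm.com/api/v2"  # host and prefix from the Example Call

# The 403 causes listed in the Notes above.
FORBIDDEN_CAUSES = (
    "wrong application id or secret key",
    "userEmail does not belong to a user in the account",
    "userEmail user is not an Owner or Administrator",
    "delete operations are not enabled for the application",
)

def build_delete_request(app_id, secret_key, learner_id, initiator_email, method):
    """Build (but do not send) the learner-deletion request.

    method: HTTP verb; not stated on the page, so the caller supplies it.
    """
    # safe="" also encodes "/" so a learner id cannot change the request path.
    path = f"/learner/{quote(learner_id, safe='')}/delete-information"
    query = urlencode({"userEmail": initiator_email})
    # Basic auth: username is the application id, password is its secret key.
    token = base64.b64encode(f"{app_id}:{secret_key}".encode()).decode("ascii")
    return Request(f"{BASE}{path}?{query}", method=method,
                   headers={"Authorization": f"Basic {token}"})

def interpret_status(status):
    """Translate the HTTP status into the outcome the docs describe."""
    if status == 204:
        return "started"  # asynchronous job; the result arrives by e-mail
    if status == 403:
        return "forbidden: check " + "; ".join(FORBIDDEN_CAUSES)
    return f"unexpected status {status}"

if __name__ == "__main__":
    # Constructed sample values; DELETE is an assumed verb.
    req = build_delete_request("APP_ID", "SECRET_KEY", "learner/42",
                               "owner+gdpr@example.com", "DELETE")
    print(req.get_method(), req.full_url)
    print(interpret_status(204))
    print(interpret_status(403))
```

Because the job is asynchronous, a 204 only confirms that deletion was started; keep the secret key out of URLs and logs, since it travels only in the Authorization header.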