Lack of interest Make User Account deletion reversible

[Harpers Tate]

For any deletion - including those requested under GDPR - I suggest that these should be made reversible (undoable) for a limited time after deletion.
The limited time would be determined by the legal requirement defined by GDPR when it is a GDPR request being actioned.

Possible/suggested method: by giving a status "Deleted" to the account, (associated permissions set to = those of a guest/unregistered) but leaving it present and complete on the database (= "soft deleted") until hard delete is performed automatically on expiry of the limited time. Thus the user account could still be found eg in the AdminCP while still only soft deleted, and "undo" would simply revert its status.

Bearing in mind
a) there may be some elapsed time between a GDPR request being received and it being actioned, and
b) a non GDPR deletion isn't bound by any limited time requirement
it may be appropriate for the date scheduled for the hard delete to be manually entered at the time of the soft delete, perhaps with an amendable default equal to the GDPR timescale.

 

[Kirby]

I am not totally opposed to this suggestion, but I'd like to understand why you would want to have such a feature?
To me it seems like it would just complicate things.

 

[Harpers Tate]

Mainly for
a) Undo in case of a mistake or
b) Undo in case the deleted user has second thoughts
In either case, it's preferable to any kind of manual reconstruction as it would retain all the history, notes, Warnings, IPs etc etc.....

Yes, I did delete a user account a while back in error. We did restore it - by copying data from a nightly db backup - but that was (I gather) a PITA to do.

It's probably worth adding that ideally an account that's soft deleted (pending deletion) should be wholly concealed from the front end - preferably subject to a separate view permission; unable to log on, not seen by members etc.

 

[Walter]

Or the user grows up and faces the consequences of his decision.

What a nightmare this feature would be for the developer and a performance penalty...

 

[Harpers Tate]

Whilst I have no expertise in coding, it doesn't seem to me to be a difficult thing to do - to keep an account intact in the live database (but with changed permissions etc) and schedule a job to fully remove it at a defined later time.

 

[Kirby]

Keeping an account in the DB with a different state is a no-brainer; in fact XenForo already does have a Disabled state.
Deleting accounts in state Disabled X days after their last activity is also already possible (though needs to be done manually, there is no automatic job to do this).
However confining those accounts to be virtually invisible, eg. make them look like they do not exist is pretty hard - Id'd even say impossible if you want this to be 100% waterproof.

 

[Harpers Tate]

Totally invisible is probably a "nice to have". Even a GDPR deletion has a timescale attached and as long as that is met, there is no legal "fault" in keeping it visible. I guess if the account were kept visible, some status (= "Pending Deletion" or similar) would suffice.

The Disabled state may well be probably sufficient. To make it GDPR watertight, a scheduled job to either delete, or at least alert suitable staff that deletion is required on or just prior to the due date, would be a benefit.