The information that the LTI tool receives about each user depends on
how you configure the LTI link. The LTI consumer must at least send a
unique ID for the user, which might or might not correspond to their
username on the consumer.
There are a few other optional fields that the consumer can send; there's a good list of these at
https://www.edu-apps.org/code.html. The potentially
personally identifiying fields are the email address, and the name fields: given, family and full. The
lis_person_sourcedid
field is a unique identifier that the consumer can understand, and might be readable on its own or might need to be linked
to the consumer's database to make sense.
The LTI launch data is saved in the temporary session table; this is
deleted when the session expires. The username, email address and full
name are stored permanently in the Numbas LTI provider's auth_user
table. For each resource launched by
a user, an LTIUserData
record is created. This stores: the lis_result_sourcedid
, a unique identifier generated by the consumer linking the user and resource; the lis_person_sourcedid
and user_id
described
above; and whether the user is an instructor.
Finally, everything the student does inside a Numbas exam, such as submitted answers, is stored in the SCORM data model, in the numbas_lti_scormelement
table.
I think that's everything that could be personally-identifying.