The information that the LTI tool receives about each user depends on
how you configure the LTI link. The LTI consumer must at least send a
unique ID for the user, which might or might not correspond to their
username on the consumer.
There are a few other optional fields that the consumer can send; there's a good list of these at https://www.edu-apps.org/code.html
. The potentially
personally identifiying fields are the email address, and the name fields: given, family and full. The
field is a unique identifier that the consumer can understand, and might be readable on its own or might need to be linked
to the consumer's database to make sense.
The LTI launch data is saved in the temporary session table; this is
deleted when the session expires. The username, email address and full
name are stored permanently in the Numbas LTI provider's
auth_user table. For each resource launched by
a user, an
LTIUserData record is created. This stores: the
lis_result_sourcedid, a unique identifier generated by the consumer linking the user and resource; the
above; and whether the user is an instructor.
Finally, everything the student does inside a Numbas exam, such as submitted answers, is stored in the SCORM data model, in the
I think that's everything that could be personally-identifying.