Problems (user errors) related to user account deletion

We have a wonderful person who has been helping keep our directory up to date. Sadly, one of our teachers died recently. In response, our directory person wanted to remove her from the directory, so she deleted the teacher. This was not the right way to do it, because unbeknownst to our directory person, deleting someone from the directory also deletes their user account, which also deletes all the user’s posts—in this case, a dozen or so recorded talks among them. We actually did want to keep all this stuff posthumously, so I restored from a backup.

This is a matter of training on my part, and I guess I didn’t stress to our directory person enough that we almost never want to delete anyone. Instead, we could deactivate them or whatever. So, hopefully it won’t happen again. However, something different happened just a short while later.

I’m not sure exactly what was going on, but another user was trying to edit their address and ended up deleting their own account instead, using the front end directory editing block. I guess the confusion was not understanding that if he wanted to delete his address and replace it with a new one, he needed to edit the address, not delete the household (because that also deletes his account, so he is unable to add a new one). In any case, a dumb misunderstanding, but one with significant consequences.

All this is basically to preface an ask for reconsidering the way user accounts are handled relative to directory entries. I don’t think it’s unreasonable to sometimes have the directory delete a user account, particularly for GDPR reasons. If a user wants absolutely nothing to do with the church anymore, then an option to permanently delete their account and all their data is appropriate. But it seems like that needs to be more difficult to do, since (at least in my experience now) it happens accidentally far too often.

I see that when I click “Delete household” there’s an “Are you sure?” style popup, but there is no explanation of what this button actually does. At the very minimum, this “are you sure” should explain the severity and permanance of what is about to be deleted. e.g. list out “This will PERMANENTLY delete ALL information related to your household, including all the people in the household, even yourself! It will also delete any associated logins and passwords, any posts or comments that have ever been linked with those accounts, and any other permissions related to those logins.” Alternatively, or in addition, perhaps the process should require an administrator to verify and confirm that this is what is intended before it becomes permanent.

From the admin side, I wonder if deleting the associated user account shouldn’t be the default behavior. Or maybe there should be a check, like when a WordPress user is deleted using WordPress Core, asking what to do with the user’s content. Just as often as deleting it, it may be appropriate to reassign it to another user. There’s an option to make an account inactive, which seems like it might be a better way to remove a directory entry in most cases, and so perhaps that ought to be the prominent option in the directory listing (not delete) with the option to delete further into the details of the person. And when an admin does want to delete a person, it would be nice to have options along with it: delete associated user? Delete user’s data or reassign it?

There’s obviously no single way to improve the way this works, but I just wanted to bring this up to see what options might make sense.