- all hardware and devices of the University
- all University IT services and their use
- all the services and licences that have been made available or are licensed through the University
- legislation in force in Finland at each time
- the Information Security and Data Protection Policies of the University and any other policies that are applied to the use of the services
If a service is public and available for use on the Internet, all Internet users are authorised to use it. Other services are intended for a limited user group, and a duly granted user identification and authorisation is required in order to use them.
Authorisation means the right to use a certain IT service. The term “user right” is often used when talking about authorisation.
An authorisation can be granted for a fixed-term period.
An authorisation is personal.
The scope of an authorisation depends on the position and role of the user at the University.
A person can have several roles at a given time.
An authorisation is granted based on a University role that necessitates it. Such roles include
- a certain position or role at the University
- another type of connection to the University requiring authorisation (e.g. a contractual relationship)
It is possible to restrict a user’s authorisation if there is a good reason to suspect that compromised information security or abuse is taking place.
Authorisation begins when the criteria for obtaining authorisation are fulfilled and a username has been created and activated accordingly. A username is created three days before the beginning of an employment relationship.
The authorisation ends when its criteria no longer exist, i.e. when
- studies end
- employment ends
- the person’s role changes, and the new role does not make them eligible for authorisation to use IT Services
- there is some other type of relationship with the University, which has offered grounds for authorisation ends, or
- an authorisation granted for a fixed term expires
The username of employees expires seven (7) days after the expiry of the authorisation
The username of studensts expires fourteen (14) days after the expiry of the authorisation
The user must store any personal information they will need before their username for the service expires. A user who is a member of staff or who is in a role considered equal to a member of staff must agree with his/her supervisor on the person to whom he/she will delegate all the information relevant to his/her responsibilities. The same applies to such cases as a student who has worked as part of a research group.
All users must uninstall any software based on employee or student licences from their home computers when their employment or study right ends.
The time of deletion of the home indexes and mailboxes starts to run after the seven-day period recorded in section 2.5. After the seven-day or fourteen-day period, the account is closed for 92 days, during which time no e-mails are received and the home indexes are not available. After 92 days, the account is deleted.
More detailed actions by the University after the termination of the authorisation are determined in the service descriptions.
The username is used to identify and authenticate a user.
In order to carry out authorisation, each user must have an identifier with which they can be identified in the IT services that require authorisation.
A username is granted to everyone who is authorised to use one of the University’s IT services requiring identification.
A user bears liability for damages and criminal responsibility for any harm or damage resulting from the use of the username. The responsibility also applies to situations where the username is used by a party that received the necessary information and tools from the user, whether on purpose or by negligence.
It is prohibited to disclose one’s username to another person or to use someone else’s username.
A defined group of users may be granted a joint username, a group ID, which features the usage authorisations of the group members. Group IDs are used for the specific purpose they are granted for and they are valid for a fixed term.
Each group ID user is responsible for his/her actions when using the ID.
The group ID applicant is responsible for disclosing the ID to users and providing instructions for its use.
4 Rights and responsibilities of users of IT Services
IT Services of the University are designed as a tool for work related to the user’s studies, teaching, research or other tasks at the University.
Commercial use is only permitted for purposes that have been approved by the University.
It is only permitted to use the services for election campaigns or other political activities in connection with student elections, and activities of student organisations connected to the work of the Student Unions and student groups or trade union actions or similar that are connected to the operations of the University.
Small-scale private use is allowed Small-scale private use refers to such actions as private e-mail conversations and online service use. However, it is prohibited for private use that
- disrupts other use of the service, or
Storing, publishing, transmitting or distributing material that is unlawful or against good practice is prohibited.
Use for agitation of all types is prohibited.
Usage authorisations must never be used for any illegal or forbidden activities, such as searching for vulnerabilities in information security, unauthorised decryption of data, copying or modifying network communications, or unauthorised access to IT systems or preparations thereof.
Parts and features of IT systems that are not clearly made available for public use must not be used. Such parts and features include tools intended for administration or functions that have been disabled in the system settings.
Unnecessary usage and loading of resources are prohibited.
As a principle rule, all materials of employees and those in similar roles stored on University devices and services belong to the University. This does not, however, reflect the status of intellectual property rights (IPR). Staff members must clearly indicate their private materials as private and separate from work-related ones.
All materials that are in students’ possession are deemed to be private.
A report must be made immediately if a breach of information security or data protection is detected or suspected. The report must be submitted to: tietoturva [at] tuni.fi.
Everyone is obliged to maintain the secrecy of any confidential information that they become aware of.
Phishing, abuse, copying and distribution of other users' private information is forbidden.
Each user is under an obligation to keep their username and the connected password safe and use it in such a manner that they do not come to anyone else’s knowledge. You must never disclose your password to anyone.
It is prohibited to use the passwords used in the University services for any other service.
The University is entitled to restrict or revoke the right to use its IT services as a precaution.
Services may not be provided using the University’s network without the University’s permission.
The University can place restrictions on the possibility to connect devices to the University communications network.
5 Identification and appropriate processing of data
Everyone who processes data at the University must understand the principles laid down in the Information Security Policy of the University for the recognition of the different types of data and supplementary instructions, and to comply with these.
Each person who processes information at the University or on behalf of the University must act in the manner required by the type of data and in compliance with legislation, contracts and the instructions provided.
Everyone who processes personal data at the University must understand the principles laid down in the Information Security Policy of the University and the supplementary instructions, and to comply with these.
The processing and storage of special categories of personal data is only permitted in services that are instructed to be used for this purpose.
6 Other provisions
Substantial changes will be processed in a cooperation procedure.
The IT Administration will make decisions on the need for changes.
Information on the changes will be provided via the normal channels of communication, and not personally.
Permits for exceptions are granted by the IT Administration.
The permit may include additional terms and conditions, restrictions and responsibilities.
The Policy on Consequences of Breaches of IT Security will be applied to the breaches.